devsecops-orchestrator
Copyright 2026 Jaric

This product is licensed under the Apache License, Version 2.0.
See the LICENSE file for full terms.

This product invokes the following third-party open-source tools as
external subprocesses or library dependencies. Their source code is not
bundled or redistributed as part of this project; each tool remains
subject to its own license.

  Bandit
    https://github.com/PyCQA/bandit
    License: Apache License 2.0

  pip-audit
    https://github.com/pypa/pip-audit
    License: Apache License 2.0

  gitleaks
    https://github.com/gitleaks/gitleaks
    License: MIT License

  Trivy
    https://github.com/aquasecurity/trivy
    License: Apache License 2.0

  Semgrep
    https://github.com/semgrep/semgrep
    License: LGPL-2.1 (semgrep-core), GNU GPL v2 (some rules)

  Checkov
    https://github.com/bridgecrewio/checkov
    License: Apache License 2.0

  Open Policy Agent (OPA)
    https://github.com/open-policy-agent/opa
    License: Apache License 2.0

  Syft
    https://github.com/anchore/syft
    License: Apache License 2.0

Notes:
  - Semgrep's core scanning engine and default rule sets carry mixed
    licensing (LGPL/GPL). Confirm license compatibility before bundling
    any Semgrep rule packs directly into this project's distribution;
    invoking Semgrep as an external subprocess (as this project does)
    does not create a derivative-work obligation, but redistributing
    rule files would need separate review.
  - This NOTICE file should be updated whenever a new external tool is
    added as a scanner or dependency in src/orchestrator/scanners/ or
    src/orchestrator/policy/.
