semgrep != open source in a classic sense
priv-kweihmann opened this issue
It might be worth noting that semgrep itself is LGPL 2.x, which is totally fine, but the referenced semgrep.dev is using rules that originate from https://github.com/returntocorp/semgrep-rules, which are licensed under the "Commons Clause" (that actually prohibits the usage in a corporate environment) (see https://github.com/returntocorp/semgrep-rules/blob/develop/LICENSE).
So it might be worth mentioning that the tool is fine to use, but only if you apply your very own ruleset.
The usage of semgrep.dev is legally a gray zone when working in a corporate environment.
Thank you Konrad, that's a very insightful issue. I will add a note regarding the rules licensing. This library is not only for corporate environments. After I write an understandable note regarding semgrep, I will close this issue.
I added the note about semgrep rules. Closing the issue.