BLACKSHIELD

Scanner Operations

Scanner Licensing and Safe Defaults

BlackShield keeps scanner support broad while making the customer-facing default path conservative: use bundled safe defaults, keep optional tools explicit, and preserve third-party notices.

Default customer path

  • Pipeline quickstarts run Trivy, Syft, and TruffleHog by default.
  • Semgrep remains supported when you provide local or customer-owned rules with SEMGREP_CONFIG.
  • Registry-style Semgrep configs (SEMGREP_CONFIG unset, set to auto, or set to a p/... registry pack) remain compatible but log a warning.
  • VM host IDS ingestion defaults to existing Wazuh or OSSEC alert files.
  • Managed OSSEC local installation requires explicit BLACKSHIELD_OSSEC_MODE=managed-local.
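The default-path rules above, as an added POSIX shell example that is not BlackShield's own quickstart code: it classifies a SEMGREP_CONFIG value the way the list describes, emits the warning for registry-style values, and gates managed OSSEC installation on the explicit mode. The function names are assumptions.

```shell
#!/bin/sh
# Added example (not BlackShield's quickstart code); function names are assumptions.

# Classify a SEMGREP_CONFIG value: unset, "auto" and "p/..." registry packs are
# registry-style; anything else is treated as a local or customer-owned ruleset.
semgrep_config_kind() {
  case "$1" in
    "" | auto | p/*) echo registry ;;
    *)               echo local ;;
  esac
}

# Registry-style configs remain compatible, so this only warns (on stderr, so the
# message never mixes with scanner findings on stdout) and always returns 0.
check_semgrep_config() {
  cfg="$1"
  if [ "$(semgrep_config_kind "$cfg")" = registry ]; then
    echo "warning: SEMGREP_CONFIG '${cfg:-<unset>}' is registry-style;" \
         "prefer local or customer-owned Semgrep rules" >&2
  fi
  return 0
}

# Managed OSSEC installation on a VM host is allowed only when the operator set
# BLACKSHIELD_OSSEC_MODE=managed-local explicitly; otherwise fall back to reading
# existing Wazuh/OSSEC alert files. Takes the mode value as its argument.
ossec_install_allowed() {
  [ "$1" = "managed-local" ]
}

# Example run using the current environment.
check_semgrep_config "${SEMGREP_CONFIG:-}"
if ossec_install_allowed "${BLACKSHIELD_OSSEC_MODE:-}"; then
  echo "ossec: managed local install enabled"
else
  echo "ossec: ingesting existing alert files"
fi
```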

Permissive scanner components

Trivy, Syft, and Prowler are tracked as Apache-2.0 components. Preserve license text, copyright notices, and NOTICE files when redistributing scanner images.

Copyleft scanner components

Semgrep CE is LGPL-2.1; OSSEC and Wazuh are GPLv2. BlackShield treats them as separate tools or alert producers and keeps customer-facing defaults explicit.

Rules, feeds, and benchmarks

Scanner rules, vulnerability feeds, and compliance benchmark content can carry terms separate from scanner code. Use local/customer-owned Semgrep rules and avoid implying third-party certification.

Customer responsibility

Customers remain responsible for authorizing scan targets, approving scanner installation choices inside their environments, and validating third-party license obligations for their own redistribution model.

BlackShield normalizes scanner output into tenant findings. It does not grant trademark rights or imply endorsement by scanner vendors, cloud providers, CIS, MITRE, NIST, or other framework owners.
