Aqua Blog

Simplifying Our Open Source Contributor License Agreement

At Aqua, we develop leading open source security tools, which are widely adopted by the cloud native community and industry at large. To us, open sourcing our technology is more than just making its source code available; it’s about making the project widely used and encouraging people to participate. Beyond using a permissive Apache 2.0 license for this purpose, we are now changing our contributor license agreement (CLA) to make the contributing process available for everyone.

What is an open source contributor license agreement?

In the open source world, a project’s license covers the terms under which the software is made available to users. The license facilitates one way the software flows: from the project to its users. But what about the other way: from contributors to the project? This is where the CLA comes into play – to facilitate the terms under which contributions are made to the project.

Not every open source project has a CLA. In this case, the actual terms of contributions are left open for interpretation, which might depend on how and where the contribution was made, the license of the project, and other factors. CLAs aim to clarify this process by defining the terms under which intellectual property (IP) has been contributed to a project.

CLA at Aqua

Previously, Trivy and CloudSploit were the only Aqua projects that had a CLA. We’ve received feedback that the specific terms of the CLA made it harder to contribute in some cases. Additionally, the former CLA was not corporate-friendly, so developers working for organizations that protect their employees’ IP found it difficult to contribute.

Further, our other projects (for example, Tracee and Starboard) didn’t have any CLAs, which was confusing for people who were contributing to several of our projects.

Today, we are resolving these issues by simplifying our CLA, introducing a corporate CLA, and uniformly enforcing these changes across our open source portfolio.

  • Simplifying our CLA: We have replaced our previous contract with a new one based on the Apache CLA, which is straightforward and widely adopted in the industry.
  • Introducing corporate agreements: Sometimes contributors can’t sign a CLA on their own because of the conflicting IP agreements with their employer. For this reason, we’re now providing companies the opportunity to sign a CLA with us, which will cover their employees’ contributions. To request joining our Corporate CLA, please email Aqua’s open source team.
  • Uniformly enforcing changes: We will apply the new CLA across our open source projects. This means that if you sign it once, the CLA will cover all our projects.

Join Aqua’s open source community

We’d like to extend a huge thank you to all our open source contributors, and we hope that the changes in our CLA will be easy for new contributors who join. You’re welcome to check out our open source projects on GitHub.

Itay Shakury
Itay Shakury is VP Open Source at Aqua Security, where he leads engineering for open source, cloud native security solutions. Itay has some 20 years of professional experience in various software development, architecture and product management roles. Itay is also a CNCF Cloud Native Ambassador and is leading community initiatives such as the CNCF Tel Aviv group.