More than ten competing security companies have banded together to launch Opengrep, a collaborative fork of Semgrep’s code analysis engine. This unprecedented alliance follows Semgrep’s December 13 decision to restrict its previously open-source project by changing its license and moving critical features behind a commercial paywall. Semgrep is widely used by developers worldwide, and its changes have sent shockwaves through the open-source community, prompting an industry-wide response.
The coalition behind Opengrep includes prominent players such as Aikido Security, Arnica, Amplify Security, Endor Labs, Jit, Kodem, Legit Security, Mobb, and Orca Security.
Spanning Silicon Valley, Europe, and Israel, the consortium marks the first time competitors in the security industry have united to safeguard open-source infrastructure. Inspired by prior open-source forks like OpenSearch (ElasticSearch) and OpenTofu (Terraform), Opengrep’s launch underscores the collective commitment to preserving community-driven development against creeping commercialization.
The Catalyst: Semgrep’s License Shift
Semgrep, known for its smart pattern-matching engine and extensive rules registry, has been a pillar of open-source code security since its launch in 2017. However, its recent rebranding and license changes signal a pivot toward a commercial focus. Key features—including tracking ignores, lines of code, fingerprint, and meta-variables—were moved behind a commercial license, sparking outcry among contributors and end-users.
According to the Opengrep manifesto, “Open-source license changes by private vendors are no small matter, often leading to disruption and uncertainty for contributors that help build them. In such cases, the future of the community hangs in doubt as community members must work to continue and protect an open future.”
The decision also locks community-contributed rules behind Semgrep’s paywall, further eroding trust within the open-source ecosystem. This shift has left many organizations scrambling to adopt new standards, while developers question the long-term viability of investing in open-source projects vulnerable to similar commercial pivots.
Opengrep: A Unified Solution
Opengrep aims to restore stability and trust by providing a fully open-source alternative with long-term protections against vendor lock-in. By pooling resources and expertise, the consortium has committed to advancing code security analysis for the free use of all developers. Significant financial and technical resources have already been pledged, and the project will be managed under a foundation to ensure impartial oversight.
Key Benefits for Developers:
Decentralized Governance: A foundation-led structure eliminates the risk of single-vendor dominance.
Restored Features: Critical capabilities locked behind Semgrep’s commercial license, such as fingerprinting and SARIF outputs, are fully supported in Opengrep.
Enhanced Scanning Capabilities: Advanced functionality without commercial restrictions.
Community Trust: Contributions are vendor-independent and merit-based, with community-contributed rules remaining accessible to all.
Rule Portability: No risk of commercial exclusivity locking down user-contributed content.
The Industry Speaks Out
“This sort of change harms all similar open-source projects,” stated the Opengrep sponsors. “The development ecosystem now needs to think twice about investing in open-source.”
By offering an open and transparent alternative, Opengrep’s backers hope to set a new standard for open-source projects in the security domain. “Democratizing static code analysis isn’t just a technical goal,” the collective emphasizes. “The evolving landscape of open-source security highlights the importance of preserving access, innovation, and trust for the developer community. With Opengrep, we can make secure software development a shared standard for all.”
A Path Forward for Open Source
Opengrep’s launch represents more than just a response to Semgrep’s changes; it’s a rallying cry for the open-source community to stand firm against commercial encroachments. As developers and organizations look for reliable, transparent solutions, Opengrep’s decentralized model offers a hopeful path forward. By uniting competitors for the common good, this initiative underscores the enduring power of collaboration in the face of adversity.