A consortium of software companies, including JIT and Orca Security, has launched Opengrep, a fork of Semgrep’s open-source software, in response to licensing changes for rules provided in the OSS version.
Semgrep CE (formerly Semgrep OSS) itself was forked in 2019 from an earlier project written by Facebook. It is a Static Application Security Testing (SAST) tool for analysing source code or compiled code to find security flaws, with over 11,000 stars on its GitHub repository.
The key motivation behind the new Opengrep fork is the change to the license for rules submitted to Semgrep CE, via the semgrep/semgrep-rules repository. This license now prevents rules submitted to the project from being used in other commercial products unless explicitly authorised by Semgrep.
The stated goals of the forked project are to keep the engine and rules for the project open and transparent, with an open merit-based contribution system, and to restore access to features that are now restricted to the paid versions of Semgrep, with community commentary from Reddit users “confusedcrib” and “darrenpmeyer” suggesting that functionality such as fingerprints and meta-variables have been moved from the OSS version to the paid-for version.
The Opengrep manifesto points to parallels between Semgrep’s license change and that of others in recent history. Explaining how the community responded by forking the projects, the manifesto explains: “When Elasticsearch switched its licensing strategy, halting new open-source versions of Elasticsearch and Kibana, AWS stepped up to launch OpenSearch. When Hashicorp pulled the plug on Terraform open-source, the community came together with Opentofu”.
Semgrep’s founder and CPO Luke O’Malley has responded to this criticism, clarifying that Semgrep OSS itself remains open source, under the LGPL 2.1 license, and the change in the license for the rules repository was in response to several companies redistributing the rules repository, contravening the existing license. O’Malley goes on to explain that end users and companies using Semgrep OSS for their own purposes are unlikely to be affected by the new license.
TL;DR: If you’re using Semgrep without bundling and reselling it, you should be unaffected by our recent changes.
– Luke O’Malley
A blog post by Mark Curphey on crashoverride.com is critical of the forking. Curphey defends Semgrep, arguing that the fork wasn’t justified and represents opportunistic behaviour from companies that haven’t historically contributed to the project.
[…] a consortium is an organization of several businesses or banks joining together as a group for a shared purpose. Seems accurate, but I don’t think the shared purpose is for the good of the community or altruistic open-source value.
– Mark Curphey
He disputes claims that Semgrep performed an “open-source rug-pull”, and supports Semgrep’s open-core business model, where the core scanner is free while additional features are monetised. Other commentators are similarly unconvinced; writing on Reddit, Gullible-Chemist1794 says “I just don’t see this succeeding because all the companies supporting opengrep are competitors of each other, and most of them are VC invested companies, sooner or later there will be conflict of interests”.
Writing on BlueSky, Josh Grossman hopes for collaboration between the two camps: “Personally I really hope that Opengrep and Semgrep can work together on a community maintained engine with strong support from multiple vendors, whilst also respecting Semgrep’s commercial rights”.
The Opengrep manifesto closes by detailing what’s in it for users – promising a more capable scanning engine which doesn’t hide functionality behind a login, and full backward compatibility with open standard JSON and SARIF outputs. Responding to likely criticism that a consortium of software vendors manages the project, they also give long-term assurance that future improvements won’t be locked into any of those vendors.
An open roadmap session for Opengrep is scheduled for 27th February 2025, with more information available at opengrep.dev.
