Opengrep Forks from Semgrep to Preserve Open-Source AppSec Capabilities

The application security community is witnessing a significant conflict resulting from changes in the licensing and features of a widely used code-scanning tool named Semgrep. This controversy has given rise to a new project called Opengrep, which intends to provide a more feature-rich, open-source alternative to Semgrep. The discord stems from Semgrep’s recent decision to shift certain advanced capabilities from its open-source engine to its paid, proprietary version, a move seen as a hindrance to free use by certain application security service providers. Consequently, nine companies, namely Aikido Security, Arnica, Amplify Security, Endor Labs, Jit, Kodem, Legit Security, Mobb, and Orca Security, chose to “fork” the project, leading to the development of Opengrep. A fork, in software development terms, refers to taking the source code from one project and developing it independently, resulting in two parallel projects.

The Catalyst for Change

The conflict began when Semgrep announced its decision to relocate some functionalities from its open-source engine to its paid, proprietary version. This move was perceived as a barrier to the free use of advanced features by certain application security service providers, leading to a strong reaction from the community. In response, nine companies collectively decided to fork the project, resulting in Opengrep. This new initiative aims to restore some advanced features and functionalities that were shifted to the paid version, including vital data export capabilities in JSON and SARIF formats. Furthermore, Opengrep seeks to establish an open-source database of rules, positioning itself as a neutral project not owned by any single entity but rather driven by the combined effort of its sponsoring companies.

Opengrep has retained the license of the Semgrep Community Edition, which is the GNU Lesser General Public License (LGPL). This choice underscores the commitment to keeping the project open-source and accessible to all users. By restoring these advanced features, Opengrep seeks to ensure that security practitioners have access to powerful tools without needing to resort to paid versions. The collective backing by the nine founding companies highlights their dedication to maintaining a valuable open-source resource within the application security landscape. This move has sparked a broader conversation about the balance between open-source ideals and commercial viability within the software development community.

Collective Funding and Future Intentions

Varun Badhwar, CEO and co-founder of Endor Labs, provided crucial insights into the collective funding and future intentions for Opengrep. He emphasized that the companies behind the fork aim to eventually hand over the project to a broader community once it stabilizes. This transfer is intended to prevent single-vendor influence over the project’s development, ensuring that Opengrep remains a true open-source initiative. The immediate catalyst for this change occurred on December 13, when Semgrep rebranded its open-source engine as the “Community Edition.” The rebranding came with a license stipulation restricting its ruleset to internal use only, and it removed the capability of exporting certain fields in traditional output formats such as JSON and SARIF.

These changes reflect an “open core” business model, wherein the essential engine remains open-source, while advanced features are relegated to the commercial platform. Badhwar’s vision for Opengrep is to foster a community-driven project that serves the application security field without the constraints imposed by proprietary limitations. By pooling resources and expertise, the companies involved aim to create a sustainable and effective open-source tool that can evolve in tandem with the community’s needs. The emphasis on collective funding and future intentions underscores a proactive approach to addressing the gaps left by Semgrep’s shift to an open core model.

Reactions from the Community

Luke O’Malley, Semgrep’s chief product officer and founder, expressed that their approach aims to adequately distinguish between what should be included in an open-source tool for security practitioners and what belongs in a commercial product. O’Malley emphasized that decisions about which features to include in the Community Edition are guided by what the majority of the community perceives as fair. The creation of Opengrep has sparked a mixed reaction among application security experts. Some argue that this fork could be detrimental to the original project and suggest that the companies should support Semgrep’s open-source core financially instead.

Criticism has come from application security expert Mark Curphey, who highlighted that this situation is part of a recurring trend where companies leverage open-source projects to develop commercial products without adequately contributing back to the projects. Curphey’s viewpoint resonates with past experiences within the industry, where similar tensions have surfaced. Despite these criticisms, proponents of Opengrep, including Badhwar, contend that the fork will bridge the gap between Semgrep’s professional application security platform and its open-source engine. The gap had widened as Semgrep removed what it considered “experimental” features, which were valued by commercial vendors.

Examples from the Industry

Curphey pointed to the Zed Attack Proxy (ZAP) as another example facing similar commercial challenges. Despite ZAP’s extensive use in dynamic application security testing (DAST), it has struggled with funding its maintainers. Eventually, Checkmarx stepped in by hiring ZAP’s core maintainers and committing to funding the project. This example serves as a potential model for how commercial entities can sustainably support open-source development. It illustrates how commercial backing can coexist with maintaining the core principles of open-source projects.

Badhwar and other proponents of Opengrep argue that the fork is a necessary step to maintain access to critical functionalities that Semgrep had relegated to its proprietary version. They assert that these changes were aimed at fragmenting the open-source community by removing high-value features from the free version. By taking this initiative, they seek to ensure that the open-source engine remains robust and continues to meet the needs of the community without proprietary constraints. This effort underscores the broader conversation about the balance between innovation and accessibility in the world of software development.
