Jan. 24, 2025 /Mpelembe Media/ — Ten competing cybersecurity firms have collaboratively launched Opengrep, an open-source alternative to Semgrep, following Semgrep’s decision to restrict its open-source features. This move aims to preserve open access to code security analysis tools and prevent the commercialisation of crucial features. The consortium behind Opengrep is committed to a decentralised management structure, ensuring continued community contribution and avoiding vendor lock-in. Opengrep offers enhanced capabilities and full backward compatibility with Semgrep. The project welcomes further developer and organisation participation.
Opengrep’s creation directly challenges Semgrep’s business model and open-source ethos following Semgrep’s decision to restrict its open-source project. Here’s how:
License Changes: Semgrep changed its license and placed key features behind a commercial paywall, which is seen as a departure from its commitment to democratising code security for developers. This move restricts access to community-contributed rules and essential features.
Community Disruption: By commercialising previously open-source features developed with community support (like tracking ignores, fingerprinting, and meta-variables), Semgrep has disrupted the open-source ecosystem and the end-users who relied on its open-source engine. Opengrep sponsors state that “the development community must now think twice before investing in open-source” because of Semgrep’s changes.
Direct Response: Opengrep was formed by a consortium of competing security companies as a direct response to Semgrep’s perceived betrayal of open-source principles. This alliance aims to maintain a free and accessible code analysis engine. The Opengrep manifesto criticises Semgrep’s “rebranding and license shift”, which it views as a move away from open-source principles.
Decentralisation and Openness: Opengrep aims to be a decentralised project with multiple contributors, removing the risk of single-vendor dependence. It also ensures that community contributions are reviewed on a merit basis and are not locked into commercial exclusivity. Opengrep’s commitment to foundation management aims to prevent any single entity from imposing restrictions.
Preserving Access: Opengrep’s goals include preserving access, innovation and trust in open-source security tools, and making secure software development a shared standard for all. This contrasts with Semgrep’s move towards commercialisation and the perceived restriction of access to previously open-source features.
Feature Support: Opengrep is committed to supporting the critical features that are now part of the pro-only Semgrep offering, such as full backward compatibility, fingerprinting and support for common JSON and SARIF outputs.
Challenging the Status Quo: Opengrep directly challenges Semgrep’s status as a leading open-source project, offering an alternative that is more in line with open-source principles. The formation of the consortium also indicates a shared disapproval of Semgrep’s business model among a wide group of security companies.
Opengrep was created as a direct response to Semgrep’s decision to restrict its open-source security project by changing its license and placing key features behind a commercial paywall. This move by Semgrep, which is backed by Sequoia and used by many organisations and millions of developers worldwide, was seen as a departure from its commitment to democratise code security for developers.
The specific actions by Semgrep that prompted the creation of Opengrep include:
Changing the license: Semgrep changed its open-source license and placed key features behind a commercial paywall.
Restricting access to community contributions: Community-contributed rules were locked behind a commercial license.
Commercialising essential features: Key features such as tracking ignores, fingerprinting, and meta-variables, which were developed with community support, were no longer open-source.
These changes were viewed as disruptive to the open-source ecosystem and harmful to developers and end-users who relied on Semgrep’s open-source engine. The Opengrep consortium views Semgrep’s actions as a signal that the development community needs to reconsider investing in open-source projects, and they wanted to ensure access, innovation, and trust in open-source security tools.
The specific Semgrep features that are no longer open-source, as a result of Semgrep’s license changes, include:
Community-contributed rules, which are now locked behind a commercial license. Previously, these rules were part of a shared registry built with community input, but access is now restricted.
Essential features developed with community support, such as tracking ignores, fingerprinting, and meta-variables, are no longer available as open-source.
These changes by Semgrep are viewed by the Opengrep consortium as a move away from its commitment to democratising code security for developers. The consortium has explicitly stated that these features were developed with community support, which makes their commercialisation particularly problematic for the open-source ecosystem. Opengrep aims to provide these crucial features without commercial restrictions, ensuring they remain accessible to the wider development community.
In response, a group of over ten competing security companies formed the Opengrep consortium to create a collaborative fork of Semgrep’s code analysis engine. The Opengrep manifesto criticises Semgrep’s “rebranding and license shift” as a move away from its commitment to open-source principles. This consortium aims to advance and democratise code security analysis by pooling resources and expertise and ensuring the project is under foundation management to avoid restrictions by any single entity.
The rivalry between Opengrep and Semgrep has the potential to significantly impact the open-source security landscape in the long term. Here are some of the potential impacts:
Shifting Trust in Open-Source Security Tools: Semgrep’s decision to move key features behind a commercial paywall has created a sense of distrust in its commitment to open-source principles. Opengrep’s emergence challenges the notion that open-source security tools will always remain free and accessible, potentially making developers more cautious about investing in any open-source project. This may lead to increased scrutiny of the licensing and governance of open-source security tools in general.
Increased Emphasis on Community-Driven Development: Opengrep’s commitment to a decentralised project with multiple contributors and merit-based reviews for community contributions may establish a new standard for open-source projects. This could encourage other projects to adopt similar governance models to ensure no single entity can impose restrictions. This move to further democratise code security analysis could foster greater trust and collaboration in open-source security projects.
Accelerated Innovation: The competition between Opengrep and Semgrep could drive faster innovation in the code analysis space. With Opengrep committing to support features that are now part of the pro-only Semgrep offering, Semgrep may be forced to respond with improvements of its own. This dynamic could benefit the broader community by offering more advanced features and capabilities, and could be key to the long-term health of the open-source security landscape.
The Rise of Collaborative Forks: Opengrep’s creation demonstrates how a collaborative fork can be a powerful response to perceived violations of open-source principles. This could inspire similar actions in other open-source communities where there are grievances about commercialisation or licensing changes.
Impact on Business Models for Open-Source Security Companies: The rivalry between Opengrep and Semgrep raises questions about the sustainability of business models that mix open-source and commercial offerings. Semgrep’s approach led to a significant challenge from the community and its competitors. This event may prompt other companies to rethink their strategies and be more transparent and consistent in their open-source commitments to avoid losing the trust of the community.
Increased Awareness of License Changes: Semgrep’s actions have highlighted the importance of understanding the fine print of open-source licenses. The creation of Opengrep serves as a warning to both users and developers about the potential risks associated with changes to open-source licenses and the implications for their continued access to technology. This could lead to a more informed community of users who are more careful and critical of licensing practices in open-source software.
Potential for Fragmentation: While competition can foster innovation, it can also fragment the market. If multiple forks or alternatives to Semgrep emerge, it could confuse users and developers. It is important to have open and collaborative platforms like Opengrep for a healthy security landscape.
Overall, the long-term impact of the Opengrep-Semgrep rivalry is likely to be complex, with the potential to shift trust in open-source security tools, increase emphasis on community governance and accelerate innovation in code analysis, while also raising questions about licensing and business models in the open-source landscape.
The founding members of the Opengrep consortium are representatives from several competing security companies. These individuals and their respective companies are:
Willem Delbare from Aikido Security.
Nir Valtman from Arnica.
Ali Mesdaq from Amplify Security.
Varun Badhwar from Endor Labs.
Aviram Shmueli from Jit.
Pavel Furman from Kodem.
Liav Caspi from Legit Security.
Eitan Worcel from Mobb.
Yoav Alon from Orca Security.
These individuals and companies have joined together to launch Opengrep as a collaborative fork of Semgrep’s code analysis engine, following Semgrep’s decision to restrict its open-source project. The consortium is made up of companies spanning Silicon Valley, Europe, and Israel. The founding members represent a range of expertise and resources, all committed to the Opengrep project.