Open-Source Security Debate Sparks Creation of New Tool: Opengrep


2025-01-27

The world of open-source software is no stranger to controversy, but a recent licensing change by Semgrep, a widely used static application security testing (SAST) tool, has ignited a heated debate. This dispute has led to an unprecedented collaboration among competing security firms, resulting in the creation of a new open-source alternative: Opengrep.

Semgrep, a tool designed to analyze code for security vulnerabilities during development, gained immense popularity after its launch in 2017. Its open-source version allowed users to create and share custom rules, making it a favorite among developers and security professionals. However, in December 2023, Semgrep’s parent company altered its licensing policy, restricting the use of community-contributed rules. The company cited the need to prevent rival SaaS platforms from leveraging its tool, but this move sparked widespread backlash from the open-source community.

In response, a coalition of over 10 security firms, including Endor Labs, Mobb, and Amplify Security, joined forces to create Opengrep. This new tool aims to preserve the open-source principles that Semgrep originally championed. The consortium has pledged significant resources to ensure Opengrep’s success, with plans to transition the tool to a foundation or nonprofit for long-term stability.

The Birth of Opengrep

The controversy began when Semgrep’s licensing changes limited the sharing of community-created rules, a feature that had been central to its appeal. Developers and security professionals argued that this move undermined the collaborative spirit of open-source software. In response, the coalition of security firms decided to fork Semgrep’s codebase, creating Opengrep as a fully open-source alternative.

Opengrep’s mission is clear: to make secure software development accessible to all. The tool will offer unrestricted access to scanning features, compatibility with existing workflows, and a commitment to community-driven development. The consortium behind Opengrep believes that this approach will not only benefit developers but also set a new standard for open-source SAST tools.

A Rare Collaboration

What makes Opengrep particularly noteworthy is the collaboration between competing security firms. Companies like Endor Labs, Aikido Security, and Orca Security, which typically vie for market share, have united behind a shared vision. Varun Badhwar, CEO of Endor Labs, described this as a “special moment,” emphasizing the collective benefit of a standardized, open-source SAST engine.

The consortium has committed to regular reviews of community contributions, ensuring that Opengrep maintains high standards of quality and transparency. By pooling their resources and expertise, these firms aim to create a tool that surpasses Semgrep in both functionality and adherence to open-source principles.

What Undercode Says:

The creation of Opengrep highlights a growing tension in the open-source ecosystem: the balance between commercial interests and community-driven innovation. Semgrep’s licensing changes, while arguably necessary for its business model, alienated a significant portion of its user base. This backlash underscores the importance of transparency and trust in open-source projects.

Opengrep’s emergence also reflects a broader trend in the tech industry: the power of collaboration. By setting aside their competitive differences, the security firms behind Opengrep have demonstrated that shared goals can lead to innovative solutions. This approach could serve as a model for addressing other challenges in the open-source community.

However, the success of Opengrep is not guaranteed. Forking an existing project is a complex endeavor, and maintaining long-term momentum will require sustained effort and community engagement. The consortium’s plan to transition Opengrep to a foundation or nonprofit is a step in the right direction, but it will need to ensure that the tool remains relevant and adaptable to evolving security needs.

From an analytical perspective, Opengrep represents both an opportunity and a challenge. On one hand, it has the potential to democratize access to SAST tools, empowering developers to build more secure software. On the other hand, it must navigate the complexities of open-source governance and avoid the pitfalls that led to Semgrep’s licensing controversy.

Ultimately, the story of Opengrep is a testament to the resilience of the open-source community. It shows that when commercial interests clash with open-source values, the community has the power to rally together and create alternatives that align with its principles. Whether Opengrep will succeed in its mission remains to be seen, but its creation marks a significant moment in the ongoing evolution of open-source software.

Reported By: Cyberscoop.com