Launching Opengrep in response to Semgrep's Open Source Licensing Change

Eran Medan
CTO & Co-Founder
January 23, 2025
Eran has spent the last 20+ years as an accomplished software engineer and technology executive, leading teams at Amazon Web Services and NICE Actimize.

TL;DR

Semgrep has shifted away from its open-source roots, restricting key features under proprietary licensing. In response, Opengrep has launched as a fully open, community-driven alternative to ensure free and accessible code security tools. Join the movement at opengrep.dev.

Since its inception in 2017, Semgrep has been a stalwart of the open-source security community, democratizing code security with a vision of empowering developers. Its OSS Engine, a taint-aware pattern matcher, and the OSS Rules repository became cornerstones of the application security landscape. However, with its recent decision to alter licensing terms and move critical features behind a commercial paywall, Semgrep has left its open-source roots behind, sparking a need for a new path forward.

On December 13, 2024, Semgrep announced that its OSS Rules repository would now be subject to a proprietary, non-commercial license (Semgrep Rules License v.1.0) with restrictions against competing use cases, effectively crippling the open-source ethos it once championed. Moreover, features integral to the OSS Engine were migrated to commercial licenses, limiting community access to essential capabilities. Coupled with a rebranding of Semgrep OSS to "Community Edition," the message was clear: the focus had shifted from open collaboration to commercial gatekeeping.

This change reflects a broader, concerning trend in the industry. We've seen similar moves before—Elasticsearch’s license shift led to the creation of OpenSearch, and HashiCorp's Terraform licensing pivot spurred the birth of OpenTofu. These decisions disrupt the communities that helped build these tools, forcing developers and vendors to scramble for alternatives while questioning what "open source" really means.

Why This Matters

Open-source projects are more than just tools; they are ecosystems driven by trust, collaboration, and a shared mission. When vendors prioritize monetization of open-source projects over community values, it erodes that trust and sets dangerous precedents. For the application security community, this is especially critical. Security is not a luxury—it is a necessity. Every developer should have access to robust, shareable, and transparent tools for securing their code without fear of vendor lock-in or sudden license changes.

Semgrep’s decision threatens to fracture the community it once supported, creating uncertainty and hindering progress. A once-accessible scanning engine now places key innovations out of reach, limiting the effectiveness of open-source rules and stalling collective advancements in application security.

Enter Opengrep: A New Home for Open-Source Code Security

In response, a consortium of nine security organizations has come together to launch Opengrep, a fork of Semgrep OSS dedicated to preserving the ideals of openness, accessibility, and collaboration. With Opengrep, we are taking decisive action to ensure that developers have access to a free and open scanning engine that they can trust for the long term.

Our Commitment to the Community

  • Truly Open-Source: Opengrep is licensed under a permissive license, ensuring transparency and accessibility for all. No features or metadata will be locked behind a commercial paywall.
  • Community-Driven Development: Supported by a collective of security organizations, Opengrep’s roadmap is set collaboratively, with contributions reviewed and accepted based on merit, not corporate interests.
  • Unbiased Collaboration: Valuable features and fixes are prioritized based on their benefit to the community. We are committed to moving Opengrep under a neutral foundation, such as OWASP or the Linux Foundation, within the next 12 months.
  • Long-Term Assurance: Users can rest assured that their rules will remain portable and interoperable across vendors and platforms.

Why Opengrep is the Future of Open-Source Code Security

Opengrep aims to be more than just a replacement—it strives to be a better alternative. By unlocking previously restricted metadata and features, we will deliver:

  • A More Capable Engine: Enhanced scanning capabilities without artificial limitations.
  • Empowered Community Contributions: By restoring access to essential features, we enable contributors to develop richer, more effective rules.
  • Stability and Trust: A commitment to a truly open ecosystem ensures users and contributors won’t face sudden disruptions or license changes.

Join Us in Democratizing Code Security

The launch of Opengrep is more than just a technical milestone; it is a rallying call for the community to come together and reaffirm its commitment to open-source principles. Democratizing static code analysis is not just about technology—it’s about ensuring that security remains accessible, scalable, and impactful for every organization and developer.

We invite everyone who shares this mission to contribute to Opengrep, leverage its capabilities, and join us in building a secure and open future for application security. Together, we can create tools that serve the community, not just vendors, and help developers everywhere build more secure software.

Visit opengrep.dev to learn more and get involved.