Opengrep vs Semgrep: Rival security firms close ranks to fork open source code analysis tool

Competitors launch "coordinated industry-wide stand against commercialisation and single vendor interest".


Ten rival security companies have joined forces to launch Opengrep, a collaborative fork of Semgrep's code analysis engine.

The collaboration is believed to be the first time direct competitors in the cybersecurity industry have united to preserve open-source infrastructure, with a spokesperson for the unusually chummy rivals describing the move as "unprecedented".

The "industry-first alliance" was formed after Sequoia-backed Semgrep changed its licensing rules and introduced a new commercial license covering some critical features, even though millions of developers and large numbers of organisations depend on its tool.

Members of the "unlikely consortium" include Aikido Security, Arnica, Amplify Security, Endor Labs, Jit, Kodem, Legit Security, Mobb, and Orca Security.

It follows in the footsteps of open-source forks like OpenSearch, which split off from Elasticsearch, and OpenTofu, a dish cooked up from the ingredients first introduced by Terraform.

Put a fork in it: Why have security vendors launched Opengrep?

Opengrep "marks a coordinated industry-wide stand to preserve critical open-source in the face of commercialisation and single vendor interest", the security firms said.

“Open-source license changes by private vendors are no small matter, often leading to disruption and uncertainty for contributors that help build them,” says the Opengrep manifesto.

 “In such cases, the future of the community hangs in doubt as community members must work to continue and protect an open future. Beyond the license and critical feature migration, Semgrep's rebranding from Semgrep OSS confirms a departure from their open source commitment and goal to democratize code security for developers.”

Since 2017, Semgrep has maintained two leading open-source security projects: a pattern-matching engine for analysing large code bases, licensed under LGPL 2.1, and a shared rules registry combining Semgrep's own rules with community contributions.

We understand that all new community-contributed rules will now be locked behind Semgrep's commercial license. The company is also believed to have moved essential engine features behind a commercial license, including tracking of ignores, lines-of-code counting, fingerprinting, and metavariables. All of these are "critical components the open-source community helped build and relied upon", the forking firms said.

“As much as the changes have been positioned as only affecting other SaaS providers, the changes have stunted the capabilities of its open-source engine,” the Opengrep sponsors claimed.

“This creates serious disruptions for end-users and organizations alike, as the communities scramble to adopt new standards. This sort of change harms all similar open-source projects; the development ecosystem now needs to think twice about investing in open-source.”

By pooling resources across competing companies, the Opengrep initiators believe they can “better advance and democratise code security analysis for the benefit and free use of all.”

The benefits Opengrep hopes to bring to developers

The consortium has already committed significant resources to Opengrep's development, with each organisation contributing capital and specialised development expertise.

To establish long-term continuity, the group has committed to moving Opengrep under the management of a foundation to ensure no single commercial entity can restrict its use in the future.

For developers, Opengrep aims to deliver these benefits:

  • A decentralised project with multiple contributors that removes single-vendor dependence risk
  • Support for critical features now locked behind Semgrep's Pro tier, including full backward compatibility, fingerprinting, and support for the common JSON and SARIF output formats
  • Enhanced scanning capabilities without commercial restrictions
  • Vendor-independent, merit-based review of community contributions
  • Rule portability: community-contributed rules will not be locked into commercial exclusivity

“Democratizing static code analysis isn’t just a technical goal,” the collective stated. “The evolving landscape of open-source security highlights the importance of preserving access, innovation, and trust for the developer community. With Opengrep, we can make secure software development a shared standard for all.”

A spokesperson from Semgrep told us its LGPL-2.1 license is "unchanged" and that it updated from one non-OSI license to another non-OSI license on the semgrep-rules repository only.

They said: "As maintainers, we’re happy to have competitors using and contributing to Semgrep’s Community Edition. And 99% of them are great community members.

"But last year, we were surprised to learn that a few companies were distributing the semgrep-rules repository in violation of the existing Commons Clause license, which prevents re-sale.

"(We take the responsibility to maintain and update them, but they are only a small portion of the 100,000+ Semgrep rules in the ecosystem.) Giving those players the benefit of the doubt, we assumed they were misinterpreting the Commons Clause so we worked with our lawyer who originally wrote it to create a clearer, purpose-built license.

"While this felt abrupt for those in violation, the restriction against commercial use isn’t new – it’s a continuation of existing policy. Responsible players who have been writing and contributing their own rules back to the community like GitLab, Trail of Bits, and others, are unaffected and already maintain their own rule repositories.

"These rules remain accessible through their repositories and the online Semgrep Registry under their respective licenses. If you publish your own rules, with your own license, and want those available through the registry, we happily accept contributions."

Organizations interested in contributing to or adopting Opengrep can join the open roadmap sessions scheduled for February 20th.

The launching sponsors are: Willem Delbare (CTO, Aikido Security), Nir Valtman (CEO, Arnica), Ali Mesdaq (CEO, Amplify Security), Varun Badhwar (CEO, Endor Labs), Aviram Shmueli (CIO, Jit), Pavel Furman (CTO, Kodem), Liav Caspi (CTO, Legit), Eitan Worcel (CEO, Mobb), and Yoav Alon (CTO, Orca Security).
