TL;DR: We’re launching Opengrep, a fork of Semgrep CE (formerly Semgrep OSS), in response to Semgrep’s open-source clampdown.
Last month, Semgrep announced major changes to its OSS project—strategically timed for a Friday, of course ;)
Since 2017, Semgrep has been a cornerstone of the open-source security community, offering a code analysis engine and rule repository alongside its SaaS product. But their recent moves raise the question: what does “open” really mean?
Key changes include locking community-contributed rules under a restrictive license and moving critical engine features, such as tracking of ignores, lines-of-code (LOC) counts, finding fingerprints, and essential metavariables, out of the open project and into the proprietary product.
This isn’t surprising—Semgrep has been quietly quitting the open-source engine for some time. The rebranding from “Semgrep OSS” to “Semgrep Community Edition” feels like the final nail in the coffin.
Why?
Perhaps pressure from VCs who view open-source contributions as “cannibalizing” SaaS revenue, or a defense against competition? Semgrep claims the move was to stop vendors from using the rules and engine in competing SaaS offerings. Yet, just yesterday, in their “AI” announcement, the founder declared that “the original Semgrep engine is becoming obsolete.”
Whatever the case, while we respect a competitive spirit, this open-source clampdown does little to stop rival organizations. More than anything, this move undermines community trust—not just in Semgrep, but across open-source projects.
“This sort of change also harms all similar open-source projects. Every company and every developer now needs to think twice before adopting and investing in an open-source project in case the creator suddenly decides to change the license”... or kneecap the functionality (OpenTofu).
This pattern is familiar: Elasticsearch’s license shift led AWS to create OpenSearch. The OpenTofu movement arose after HashiCorp’s Terraform rugpull. Vendor-led open source often prioritizes commercial interests over the community in order to make it to the “big leagues.” And that sucks.
So, we’re taking action.
We’ve united with 10 direct competitors to launch Opengrep: a coordinated, industry-wide stand to protect open source and make secure software development a shared standard.
I’m joined by Nir Valtman (CEO, Arnica), Ali Mesdaq (CEO, Amplify Security), Varun Badhwar (CEO, Endor Labs), Aviram Shmueli (CIO, Jit), Pavel Furman (CTO, Kodem), Liav Caspi (CTO, Legit), Eitan Worcel (CEO, Mobb), and Yoav Alon (CTO, Orca Security).
What can you expect? Performance improvements, unlocking pro-only features, extended language support, migrating critical features back into the engine, and new advancements: Windows compatibility, cross-file analysis, and more. The roadmap is long.
Together, we’re pooling committed capital and OCaml development resources to advance and democratize, even commoditize, static application security testing.
Because let’s face it, there are more interesting things to build. Finding is one thing... let’s focus on the future, on how we can find and fix security vulnerabilities fast and automatically. Let’s focus on getting devs back to building.
Read the Opengrep Manifesto. Leverage and contribute to Opengrep today. To contribute or join as a sponsor, open an issue on GitHub.
For the community and contributors, join the open roadmap session on 20th February.
Follow along on X and LinkedIn.
Upvote Opengrep on Product Hunt today: Opengrep on Product Hunt