Security News

Opengrep Emerges as Open Source Alternative Amid Semgrep Licensing Controversy

Opengrep forks Semgrep to preserve open source SAST in response to controversial licensing changes.

Sarah Gooding

January 28, 2025

On January 23, 2025, a coalition of security vendors launched Opengrep, an open source static application security testing (SAST) tool, as a direct response to recent licensing changes made by Semgrep. Opengrep is a fork of Semgrep CE (formerly Semgrep OSS).

With backing from companies like Aikido Security, Jit, Amplify Security, Endor Labs, Orca Security, and others, Opengrep is positioning itself as a fully open and community-driven alternative to Semgrep.

This launch comes after Semgrep’s December 2024 announcement, which renamed its open source offering to "Semgrep Community Edition" and introduced a controversial "Semgrep Rules License." The new proprietary license restricts the use of Semgrep’s rules in commercial, SaaS, or competing products, prompting criticism from some vendors who previously relied on Semgrep’s open source ecosystem. While Semgrep’s engine remains LGPL 2.1 licensed, the shift in rule licensing and the removal of certain features from the Community Edition has drawn significant backlash.

Why Opengrep Forked Semgrep

The Opengrep fork was created as a direct response to Semgrep’s changes, with the goal of preserving and advancing open source principles in static analysis. The project’s backers argue that Semgrep’s licensing changes disrupt the collaborative spirit of open source software, effectively limiting its accessibility for the broader security and development community.

Opengrep contributors are promising several key commitments:

  • Full access to all scanning capabilities without feature restrictions
  • Backward compatibility with existing workflows and JSON/SARIF outputs
  • Portable security rules that work across any environment
  • Community-driven feature development
  • Long-term stability through foundation governance

“Static code analysis is too important to be restricted,” Endor Labs stated in its announcement of support. “By creating Opengrep, we're ensuring that security tooling remains open, innovative, and community-driven. This isn't just about preserving existing capabilities—it's about building a future where security tools evolve through collaboration rather than commercial interests.”

Endor Labs also highlighted the broader implications for the security community:

We should address the elephant in the room. We all benefit from a standardized, open-source SAST engine, and we all contribute community rules and improvements for it. The promise of Opengrep means that developers and application security teams will get a better baseline product, no matter who their AppSec vendor of choice is.

Semgrep Moves to Restrict Competition with Proprietary License on Rules Repository

The launch of Opengrep has sparked significant debate within the security and developer communities. Critics argue that some Opengrep sponsors are opportunistic, using this fork as a marketing strategy rather than a genuine commitment to open source. Others view it as a necessary move to preserve open SAST tools in the face of increasing commercialization.

“To me, the choice is either optimism about what these guys will contribute, or watching Semgrep's product continue to go paid and effectively the end of an open source SAST,” Latio Tech founder James Berthoty commented on LinkedIn. “If we like the idea of an open source SAST anyone can contribute to, this was really the only option.”

Semgrep’s leadership, meanwhile, has defended their decision, citing the need to protect their rules from unauthorized commercial use. Luke O’Malley, Semgrep’s Co-Founder and Chief Product Officer, clarified in the blog post announcing the Rules license change:

Semgrep Community Edition remains free, with 2800+ rules and no login required. It’s ideal for individuals, security auditors, and pentesters who need fast, one-off scans. For AppSec teams looking for a low-noise, cost-effective, and scalable security solution, see Semgrep AppSec Platform.

Critics point to the timing of Semgrep’s changes, arguing that they’ve eroded trust among its contributors and users. While Semgrep emphasized that the engine itself remains LGPL 2.1, many in the community viewed the changes as a significant blow to open source collaboration.

“The loss of metadata is what now makes using Semgrep internally, for free, virtually impossible,” Berthoty noted in a blog post explaining the impact of the license change. “Effectively, the open source version of Semgrep is now a fun scanning toy for one-off scans, but nothing you could seriously implement at an organization.”

Semgrep’s justification for the changes has also raised concerns. In a recent clarification, the company stated:

Why was Semgrep CE forked now? Alongside semgrep-rules license violations, we discovered vendors were building on our platform fields and experimental features. Notably, the fingerprinting field—unnecessary for an engine but useful for competitor triage platforms—was among these. To address this, we moved those fields to the Pro Engine.

For some, this translates to a clear strategy to shut down competition. “All these cookie-cutter companies pretended to have a SAST engine that under the hood was just Semgrep, and Semgrep as an organization rightfully said we can’t operate like that,” one observer noted on LinkedIn. However, critics argue that these changes have disrupted the very collaborative nature that made Semgrep a pillar of the open source SAST ecosystem.

Opengrep Charts a New Course for Open Source SAST

Opengrep has its work cut out. While its backers have pledged to maintain and expand the fork, questions remain about the long-term sustainability of such efforts, especially as contributors balance business interests with community obligations.

The stakes for the SAST ecosystem—and the developers who rely on it—have never been higher. In response to critics accusing Opengrep collaborators of championing open source principles without demonstrating meaningful contributions, Aikido Security CBO Madeline Lawrence offered a defense and explanation of how the fork originated.

“We don't like ‘open washing’ as much as the next person,” Lawrence said. “Nor would we go so far as to say we are a champion, of anything.

“What I can say, as the initiators of Opengrep, is that we have 2 full-time OCaml developers on our Aikido team shipping as we speak, soon to commit Windows compatibility, with a long roadmap to execute asap. We initially forked to develop internally, and thought, let's keep it open and get others involved to see if we can go farther and faster together. Semgrep's announcement was a month ago.

“We also actively open source our embedded firewall and OSS vulnerability feed, which we will continue to maintain & ensure are usable and valuable to developers.”

Fellow Opengrep collaborators from Amplify Security also echoed this sentiment, emphasizing their commitment to open source:

Hi, engineering lead and architect from Amplify Security here. I just wanted to mention that we’ve open sourced every single project that isn’t absolutely central to our IP, including a new Opengrep rules library. We also open source our projects with permissive licensing. I think it’s a bit quick to judge the initiative and the companies behind it as being insincere. At least at Amplify we are absolutely dedicated to permissive open source projects.

In their efforts to refute allegations of opportunism, Opengrep collaborators drove home the distinction between those who adopt proprietary licensing to protect commercial interests and those committed to fostering collaboration and advancing open source tools for the benefit of the entire community.

“I imagine the most common reaction to this news will be, ‘I use vendor x who doesn’t use Semgrep, so I don’t care about this,’” Berthoty said. “Nonetheless, Opengrep offers a future where we can instead say ‘I can’t believe I used to have to pay just for that.’ Application security is hard enough. The community deserves a great free scanning tool, one with robust options that doesn’t just exist to ultimately serve a single corporate interest.”

For now, the project appears to have struck a chord with those who feel disillusioned by Semgrep’s pivot. Whether Opengrep can truly deliver on its promises remains to be seen, but its launch has already set the stage for a new era of competition and collaboration in application security. The future of open source SAST is now a contested space, and developers stand to benefit from the competition.

“I can't speak for the others who have joined us and their history of supporting the OSS community,” Lawrence said. “What I can say is as they joined us in building this, the core sentiment is ‘Semgrep did a really good thing, it would be great if we can keep it going.’”