OpenGrep Restores Fingerprinting in JSON and SARIF Outputs

OpenGrep has restored fingerprint and metavariable support in JSON and SARIF outputs, making static analysis more effective for CI/CD security automation.

Sarah Gooding

March 31, 2025

OpenGrep continues to build on its early momentum with an important update for security automation: fingerprint and metavariable fields are now back in both JSON and SARIF outputs. For teams integrating static analysis into CI/CD pipelines, this update makes OpenGrep a significantly more powerful and usable tool, restoring functionality that was removed from Semgrep Community Edition (CE).

The open source static application security testing (SAST) engine launched in January 2025, in response to Semgrep's controversial shift toward proprietary rule licensing and feature restrictions, which limited the use of its rule sets in commercial and SaaS environments. A coalition of security vendors, including Aikido Security, Jit, Amplify Security, Endor Labs, and Orca Security, came together to fork Semgrep CE and build something more open.

Earlier this month, OpenGrep shipped its new Playground desktop app, a faster, more stable environment for crafting and testing SAST rules. Now the team is tackling automation pain points, starting with one of the most foundational: reliable fingerprinting.

What's Next: Context-Aware Fingerprinting

When you're running security scans across dozens or thousands of repos, a finding without a stable fingerprint is practically noise. Fingerprints allow you to:

  • Track issues across code changes
  • Suppress or ignore findings with confidence
  • De-duplicate noisy results
  • Tie findings into issue trackers and remediation tools

Without fingerprints, every scan feels like a fresh start, making automation brittle and manual triage painful.

Fingerprinting source code is notoriously hard. As OpenGrep noted in a Twitter thread, code changes in arbitrary ways: lines move, functions shift, and entire classes get refactored. Naively hashing a line number or source snippet can break tracking the moment the file is edited.

That’s why OpenGrep is now preparing a major improvement: context-aware fingerprinting.

By anchoring findings to structural context, such as classes, functions, or modules, OpenGrep aims to make fingerprints more resilient to change. This will enable more accurate tracking across code evolution, something especially important for long-lived projects and large-scale codebases.
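To make the difference concrete, here is an added Python illustration (not OpenGrep's code, and not its actual fingerprint algorithm) that compares a naive line-number fingerprint with one anchored to the enclosing function. The finding records are constructed in a minimal Semgrep/OpenGrep-style JSON shape (`check_id`, `path`, `start.line`, `extra.lines`); the rule id and file content are invented sample data, and the `enclosing_scope` helper is an assumed stand-in for the structural anchoring the article describes.

```python
import ast
import hashlib

# Constructed sample: v2 of the file only adds an import at the top, which
# shifts the flagged call down by one line without changing its meaning.
SOURCE_V1 = '''import subprocess
def run(cmd):
    return subprocess.call(cmd, shell=True)
'''
SOURCE_V2 = "import os\n" + SOURCE_V1

# Constructed findings in a minimal Semgrep/OpenGrep-style JSON shape; the
# real output carries more fields, and the rule id here is made up.
def finding(line, snippet):
    return {"check_id": "python.subprocess-shell-true", "path": "app.py",
            "start": {"line": line}, "extra": {"lines": snippet}}

SCAN_V1 = [finding(3, "    return subprocess.call(cmd, shell=True)")]
SCAN_V2 = [finding(4, "    return subprocess.call(cmd, shell=True)")]

def naive_fingerprint(f):
    """Hash of rule + path + line number: changes the moment lines move."""
    raw = f"{f['check_id']}|{f['path']}|{f['start']['line']}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def enclosing_scope(source, lineno):
    """Innermost def/class containing lineno (assumed helper; Python sources only)."""
    best = None
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)) \
                and node.lineno <= lineno <= node.end_lineno \
                and (best is None or node.lineno > best.lineno):
            best = node
    return best.name if best else "<module>"

def context_fingerprint(f, source):
    """Hash anchored to rule, path, enclosing scope and whitespace-normalized snippet."""
    scope = enclosing_scope(source, f["start"]["line"])
    snippet = " ".join(f["extra"]["lines"].split())
    raw = f"{f['check_id']}|{f['path']}|{scope}|{snippet}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def compare():
    """Scan-2 findings absent from the scan-1 triage store: (naive, context-aware)."""
    naive_seen = {naive_fingerprint(f) for f in SCAN_V1}
    ctx_seen = {context_fingerprint(f, SOURCE_V1) for f in SCAN_V1}
    naive_new = sum(naive_fingerprint(f) not in naive_seen for f in SCAN_V2)
    ctx_new = sum(context_fingerprint(f, SOURCE_V2) not in ctx_seen for f in SCAN_V2)
    return naive_new, ctx_new  # (1, 0): only the naive scheme reports a "new" finding
```

The same comparison applies to SARIF, where the stable value would be carried in each result's `partialFingerprints` object rather than in a JSON `extra` field.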

Community-Driven, Weekly Releases

OpenGrep continues to ship rapidly, guided by community feedback and public roadmap sessions. In a recent feature prioritization exercise, fingerprint support and SARIF enhancements were among the most highly requested features—right alongside cross-function analysis, inter-file scanning, and better DevOps integrations.

Recent roadmap progress includes restored support for fingerprints and metavariables in JSON and SARIF outputs, the release of a beta version with Windows support, and the launch of the Playground desktop app for local rule development. In development are Elixir language support and cross-function (inter-procedural) analysis, with inter-file analysis currently in the planning phase.

The OpenGrep team is shipping updates every week. You can track the ongoing work on the OpenGrep GitHub issues board and follow along with the open roadmap sessions.
