Major Security Firms Collaborate to Launch Opengrep After Semgrep License Changes
Security Rivals Join Forces to Formulate "Opengrep"
In a groundbreaking initiative, more than ten rival security firms have collectively launched a project named Opengrep, a collaborative fork of the Semgrep code analysis engine. This unprecedented alliance is a strategic response to Semgrep's decision on December 13 to modify its licensing terms, placing essential components behind a commercial paywall.
The new collaborative effort brings together notable companies including Aikido Security, Arnica, Amplify Security, Endor Labs, Jit, Kodem, Legit Security, Mobb, and Orca Security, representing a diverse coalition from Silicon Valley, Europe, and Israel. This is the first known occasion when direct competitors unite to reinforce open-source infrastructure.
Inspired by successful forks such as OpenSearch (from ElasticSearch) and OpenTofu (Terraform), the launch of Opengrep epitomizes a joint commitment to uphold vital open-source tools against the encroachment of commercialization. The manifesto from the Opengrep consortium articulates the significant risks posed by open-source license changes driven by private technology vendors. The document expresses, "Open-source license changes by private vendors can disrupt contributors and communities that help build these projects. Semgrep's rebranding and license shift signal a departure from its commitment to democratize code security for developers."
Previously, Semgrep contributed an open-source pattern-matching engine licensed under LGPL 2.1 along with a community-driven shared rules registry. However, the recent licensing overhaul has restricted access to community-contributed rules, locking them behind a commercial license. Moreover, critical features developed with community input—including tracking ignores, fingerprinting, and meta-variables—are no longer available under open-source terms. These restrictive changes not only impact SaaS providers but also hinder developers and end-users who rely on Semgrep’s open-source offerings. According to the Opengrep consortium, such limitations could harm the broader open-source ecosystem and prompt developers to rethink their investment in open-source technologies.
By pooling their resources and expertise, the consortium behind Opengrep aims to advance and democratize code security analysis. They have pledged to manage Opengrep under a foundation framework, ensuring that no single entity can impose restrictions or dictate terms. Each member is contributing initial resources, ranging from capital to development expertise, reflecting their commitment to an open-source future.
Advantages for Developers
Opengrep introduces a decentralized project model with numerous contributors, which mitigates the risks associated with dependence on a single vendor. Additionally, it offers essential features typically reserved for subscription-based Semgrep users, including full backward compatibility, tracking, and support for standard JSON and SARIF output formats.
Moreover, Opengrep promises enhanced scanning capabilities devoid of commercial limitations and facilitates a merit-based review process for community contributions, allowing rules to remain portable and free from commercial control. The coalition emphasizes the necessity of safeguarding access, innovation, and trust in open-source security tools, stating, "Opengrep will make secure software development a shared standard for all."
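As an added illustration of the rule features named above (meta-variables, inline ignores, and Semgrep-compatible rules that remain portable), here is a rule written in Semgrep's rule syntax. It is not taken from the article or from the Opengrep project; the rule id, message and the sample file described below are constructed for this illustration, and the assumption is that Opengrep's stated backward compatibility lets the same rule file run unchanged there.

```yaml
# Constructed example rule in Semgrep rule syntax (not from the article or the Opengrep project).
rules:
  - id: example-hardcoded-credential-assignment
    languages: [python]
    severity: WARNING
    message: >-
      Credential-looking variable '$VAR' is assigned a string literal.
      Load secrets from the environment or a secret store instead.
    metadata:
      category: security
    patterns:
      # $VAR is a meta-variable: it binds to whatever identifier appears on the
      # left of the assignment, and "..." matches any string literal on the right.
      - pattern: $VAR = "..."
      # A meta-variable can then be constrained; here the bound identifier must
      # look like a credential name for the finding to be reported.
      - metavariable-regex:
          metavariable: $VAR
          regex: (?i)^.*(password|passwd|secret|api_key|token).*$
```

Scanning a constructed `sample.py` that contains `db_password = "hunter2"` reports that line, with `$VAR` expanded to `db_password` in the message; a line that ends in `# nosemgrep: example-hardcoded-credential-assignment` is suppressed by the inline-ignore convention the article refers to as tracking ignores. Assuming the Opengrep CLI keeps Semgrep's flags, as the compatibility claim implies, `opengrep scan --config rule.yaml --sarif sample.py` emits the same findings in SARIF rather than the default text report, which is the format most code-review and CI integrations ingest.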
On February 20, developers and organizations are invited to contribute to Opengrep’s open roadmap session, aiming to expand collaboration and foster involvement in this vital initiative. Key founding members from various companies include Willem Delbare (Aikido Security), Nir Valtman (Arnica), Ali Mesdaq (Amplify Security), Varun Badhwar (Endor Labs), Aviram Shmueli (Jit), Pavel Furman (Kodem), Liav Caspi (Legit Security), Eitan Worcel (Mobb), and Yoav Alon (Orca Security). The establishment of Opengrep signifies a monumental shift in the landscape of open-source software development and a united front against commercialization in the tech industry.