
Announcing Opengrep and Why We Forked Semgrep

Ali Mesdaq

TL;DR: We're launching Opengrep, a fork of Semgrep CE, in response to its open-source clampdown.

In December 2024, Semgrep announced a major change to the licensing model of its OSS project; they picked the friendly date of Friday the 13th.

Key changes include locking community-contributed rules under a restrictive license and migrating critical features, such as tracking ignores, LOC, fingerprints, and essential metavariables, out of the open project.

Some would consider this a rug pull on the project. It's not the first time, and it won't be the last, that a company goes against the original open source ethos of a project.

Amplify Security has teamed up with other companies to fork Semgrep CE and create Opengrep, a truly open and free scanning engine. Thanks to: Aikido Security, Arnica, Endor Labs, Jit, Kodem, Legit Security, Mobb, Orca Security, and more.

Is A Fork Needed?

The changes that Semgrep has made to the OSS engine not only impact vendors but also the community of developers and AppSec engineers who have contributed to Semgrep's success. When a project is launched as OSS, it creates incentives for technical practitioners to adopt the solution, because their work won't benefit just one company but rather a community. This is especially important for rule creators when they are selecting the platform to learn, create rules for, blog about, present at conferences, share best practices on, and build a career around. The only way to keep this community thriving and moving forward, without its members feeling that their efforts were wasted, is to create a fork that stays truly open.

Another important point to call out is that an open source engine with specific capabilities withheld behind a proprietary engine does limit the community. Creating a fork allows innovation and improvement at the engine level that benefits everyone.


Closing Thoughts

Semgrep has every right as a business to make any decisions and changes it wants to. I think the consequence here is that it alienates the community which helped make the Semgrep engine a go-to for researchers and practitioners. Having a fork that stays innovative and open is also a good thing for the community. Hopefully this moves the whole industry forward and benefits everyone. Please visit https://www.opengrep.dev/
