In December 2024, Semgrep announced a major change to the licensing model of its OSS project; they picked the friendly date of Friday the 13th.
Key changes include placing community-contributed rules under a more restrictive license and moving critical features, such as tracking of ignored findings, lines-of-code (LOC) counts, result fingerprints, and essential metavariables, out of the open project.
Some would consider this a rug pull. It is not the first time, and won't be the last, that a company goes against the original open source ethos of a project it launched.
Amplify Security has teamed up with other companies to fork Semgrep CE and create OpenGrep, a truly open and free scanning engine. Thanks to: Aikido Security, Arnica, Endor Labs, Jit, Kodem, Legit Security, Mobb, Orca Security, and more.
The changes Semgrep has made to the OSS engine impact not only vendors but also the community of developers and AppSec engineers who contributed to Semgrep's success. When a project is launched as OSS, it creates an incentive for technical practitioners to adopt it, because their work will benefit a whole community rather than a single company. This matters most for rule creators when they choose the platform to learn, write rules for, blog about, present at conferences, share best practices on, and build a career around. The only way to keep this community thriving and moving forward, without its members feeling that their efforts were wasted, is a fork that stays truly open.
Another important point: when the open source engine carries deliberate limitations that are lifted only in a proprietary engine, the community is constrained along with it. A fork allows innovation and improvement at the engine level that benefits everyone.
Semgrep has every right as a business to make any decisions and changes it wants to. I think the consequence here is that it alienates the community which helped make the Semgrep engine a go-to for researchers and practitioners. Having a fork that stays innovative and open is also a good thing for the community. Hopefully this moves the whole industry forward and benefits everyone. Please visit https://www.opengrep.dev/