SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Opengrep launched by Endor Labs to boost open-source SAST

Today

Endor Labs, in collaboration with numerous partners, has launched a new project called Opengrep to keep static code analysis tooling used in application security open source. The initiative is a response to recent changes by Semgrep to the licensing and scope of its open-source offering.

Semgrep has previously played a key role in Static Application Security Testing (SAST), which is crucial for maintaining software security given that a large portion of codebases is built on open-source code. However, recent adjustments to its open-source offering have moved community-contributed rules under its proprietary licence and migrated essential scanning features to its commercial SaaS platform. These features include functionality such as tracking ignores and meta-variables.

The developers behind Opengrep, a fork of Semgrep OSS, perceive these changes as having a significant impact on the broader security ecosystem. Varun Badhwar, CEO and co-founder of Endor Labs, expressed concerns: "Static code analysis is too important to be restricted. As one of the creators of Opengrep, Endor Labs ensures that security tooling remains open, innovative, and accessible to all."

"This isn't just about preserving existing capabilities—it's about building a future where security tools evolve through collaboration rather than commercial interests. By preserving and advancing open source security tooling, we can create a more secure future for software development—one where security capabilities are democratised, innovation is unrestricted, and the community's needs come first."

Opengrep is founded on three key principles: ensuring all features remain open-access, community-led governance, and a structured transition to foundation management akin to organisations such as OWASP or the Linux Foundation. Its design ensures full access to scanning capabilities without restrictions, compatibility with existing workflows, and portable security rules adaptable across environments.

This platform is supported by over ten vendors in the security sector, including Aikido Security, Arnica, Amplify, Endor Labs, and others. The consortium of companies is pooling resources to secure Opengrep's infrastructure, development, and community participation. This partnership between traditionally competitive companies underscores the recognition of the benefits offered by an open-source SAST engine.

Opengrep aims to empower developers and security teams by promoting openness and collaboration, addressing limitations observed in Semgrep's recent shifts toward a more commercial model. One of the project's unique aspects is its approach to orchestrating development through community involvement, with coding contributions assessed based on technical merit, independent of commercial interests.

The development community is invited to engage with Opengrep through various channels, including submitting contributions to the rule repository, taking part in public roadmap sessions, and discussing enhancements in technical forums. This communal effort is guided by a long-term plan that includes a shift to foundation oversight, intended to provide stability and growth without imposing commercial boundaries.

Opengrep's creators encourage broad participation to uphold the accessibility of code security and drive the development of security tools driven by collective needs rather than commercial imperatives. By fostering a collaborative environment, Opengrep seeks to preserve open-source principles while ensuring current and future capabilities in static code analysis are not constrained by proprietary enclosures.