Software application development lifecycle (SDLC) analysis company Endor Labs has worked with a cadre of industry partners to now launch Opengrep, a toolset designed to ensure static software application code analysis remains open and accessible.
The company has partnered with Aikido Security, Arnica, Amplify, Kodem, Legit, Mobb and Orca Security to create Opengrep, a fork of Semgrep OSS: an open-source penetration-testing code analysis engine suited to ad-hoc use cases with a high tolerance for false positives, and much beloved of security auditors.
Forking Hell, Why?
Why the fork, then? Well, says Endor, the new project is a response to recent changes by Semgrep that (it claims) compromise the technology’s open-source nature and limit access and innovation for the broader community.
“Static code analysis is too important to be restricted,” said Varun Badhwar, CEO and co-founder of Endor Labs. “As one of the creators of Opengrep, Endor Labs is ensuring that security tooling remains open, innovative and accessible to all. This isn’t just about preserving existing capabilities, it’s about building a future where security tools evolve through collaboration rather than commercial interests. By preserving and advancing open source security tooling, we can create a more secure future for software development, i.e. one where security capabilities are democratized, innovation is unrestricted and the community’s needs come first.”
According to Endor’s “all you need to know” pages, some 80%-90% of [modern] codebases are composed of open source code, which is why Static Application Security Testing (SAST) is an essential part of software security.
As information management services company OpenText reminds us, SAST is an essential step in the SDLC because it identifies critical vulnerabilities in an application before it’s deployed to the public, while they’re the least expensive to remediate.
“It’s in this stage of static code analysis that developers can code, test, revise and test again to ensure that the final app functions as expected, without any vulnerabilities. When SAST is included as part of the Continuous Integration/Continuous Development (CI/CD) pipeline, this is referred to as Secure DevOps, or DevSecOps,” notes OpenText.
The Democratization of SAST
Endor has worked to further justify the fork from Semgrep to Opengrep, saying that Semgrep has been an important open-source project that helped shape and democratize the landscape of modern SAST tools. It works by searching and scanning code bases to find and identify bugs, and by enforcing code standards at the point of edit, commit and continuous integration.
But last month (December 2024), says Badhwar, Semgrep announced changes to its open source offerings that placed new community-contributed rules under its proprietary license and moved essential scanning-engine features behind a commercial SaaS platform. These included what he classifies as “crucial capabilities” such as tracking ignores, lines of code, fingerprints and metavariables.
Confident about the change, Semgrep chief product officer Luke O’Malley went on the record to say that the team had chosen changes that it believes will be “non-disruptive for the majority of community use cases” and that it strikes the right balance between supporting a thriving community and growing a commercial business.
“When fundamental security capabilities become restricted, it creates a ripple effect throughout the entire software development ecosystem,” stated Badhwar. “Developers lose the ability to craft and share custom rules freely. Security teams can’t easily port their security policies between environments. Organizations face increased vendor lock-in for essential security features. This fragmentation ultimately makes it harder for everyone to build secure software.”
Championing ‘True’ Open Source
As a new project, Opengrep is built on three core principles. First, what the team calls “true open source”: all features and capabilities remain accessible to everyone, with no artificial restrictions or commercial gates. Second, community governance: development priorities are set collectively, with contributions evaluated on merit rather than commercial interests. Third, foundation management: a clear 12-month roadmap to transition to foundation oversight (such as OWASP or the Linux Foundation) to ensure long-term stability.
By switching to Opengrep, developers get full access to all scanning capabilities without feature restrictions; backward compatibility with existing workflows and JSON/SARIF outputs; portable security rules that work across any environment; community-driven feature development; and long-term stability through foundation governance.
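Because both engines emit the standard SARIF format, the CI glue that consumes scan results is one of the pieces that stays portable across a switch. The Python script below is an added example, not code from Endor Labs, the Opengrep project or this article: it parses a constructed SARIF 2.1.0 log (the tool name, rule ids, file paths and line numbers are all made up for illustration), counts findings by severity, and fails the build when any finding meets a chosen severity threshold.

```python
import json
from collections import Counter

# Constructed sample: a minimal SARIF 2.1.0 log in the shape SAST engines emit
# (tool driver, rule ids, per-result level, message and file/line location).
# Rule ids, file names and line numbers are invented for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-sast-engine",
            "rules": [
                {"id": "python.security.shell-true", "properties": {"tags": ["security"]}},
                {"id": "python.style.unused-import", "properties": {"tags": ["style"]}},
            ]}},
        "results": [
            {"ruleId": "python.security.shell-true",
             "level": "error",
             "message": {"text": "subprocess call with shell=True"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/runner.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "python.style.unused-import",
             "level": "note",
             "message": {"text": "unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 3}}}]},
            {"ruleId": "python.security.shell-true",
             "message": {"text": "subprocess call with shell=True"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/tasks.py"},
                 "region": {"startLine": 17}}}]},
        ]
    }]
})

# SARIF result levels, ordered so a threshold can be compared numerically.
SEVERITY_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def parse_sarif(text):
    """Flatten a SARIF log into a list of finding dicts, tool-agnostic."""
    findings = []
    for run in json.loads(text).get("runs", []):
        for result in run.get("results", []):
            locations = result.get("locations") or [{}]
            phys = locations[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "<unknown>"),
                # SARIF treats a missing level on a failure result as "warning".
                "level": result.get("level", "warning"),
                "file": phys.get("artifactLocation", {}).get("uri", "<unknown>"),
                "line": phys.get("region", {}).get("startLine", 0),
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def count_by_level(findings):
    """Return a dict of level -> number of findings at that level."""
    return dict(Counter(f["level"] for f in findings))


def gate(findings, threshold="error"):
    """Return (passed, blocking) where blocking lists findings at or above
    the threshold level; passed is True only when that list is empty."""
    min_rank = SEVERITY_RANK[threshold]
    blocking = [f for f in findings
                if SEVERITY_RANK.get(f["level"], 2) >= min_rank]
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    # In CI you would read the engine's SARIF output file here instead.
    found = parse_sarif(SAMPLE_SARIF)
    print("findings by level:", count_by_level(found))
    passed, blocking = gate(found, threshold="warning")
    for f in blocking:
        print(f"{f['file']}:{f['line']} [{f['level']}] {f['rule']}: {f['message']}")
    raise SystemExit(0 if passed else 1)
```

Pointing this at a SARIF file rather than the embedded sample is the only change needed to use it in a pipeline; because it keys only on fields defined by the SARIF standard, it does not care which engine produced the log.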