Open-source security spat leads companies to join forces for new tool | CyberScoop<\/title> <meta name=\"description\" content=\"A conflux of application security companies has been embroiled in a complex debate, leading to the creation of Opengrep.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/opengrep-static-analysis-security-tool-semgrep-open-source\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Open-source security spat leads companies to join forces for new tool\"> <meta property=\"og:description\" content=\"A conflux of application security companies has been embroiled in a complex debate, leading to the creation of Opengrep.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/opengrep-static-analysis-security-tool-semgrep-open-source\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-01-27T15:23:52+00:00\"> <meta property=\"article:modified_time\" content=\"2025-01-27T15:29:35+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/open-source-security-spat-leads-companies-to-join-forces-for-new-tool-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@gregotto\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1736472017g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1737070850g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=cc5cb8dd0a9ba2b865c4\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83278\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83278\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fopengrep-static-analysis-security-tool-semgrep-open-source%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fopengrep-static-analysis-security-tool-semgrep-open-source%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83278 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/opengrep-static-analysis-security-tool-semgrep-open-source\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.390969162996\">\n<div class=\"single-article__header-content\" readability=\"34.171122994652\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/opengrep-static-analysis-security-tool-semgrep-open-source\/\"> <span>Technology<\/span> <\/a> <\/li>\n<\/ul>\n<p> A company\u2019s licensing change to a static analysis tool has forced 10 companies together to create Opengrep. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83278\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/open-source-security-spat-leads-companies-to-join-forces-for-new-tool.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/open-source-security-spat-leads-companies-to-join-forces-for-new-tool-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/open-source-security-spat-leads-companies-to-join-forces-for-new-tool-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/open-source-security-spat-leads-companies-to-join-forces-for-new-tool-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/open-source-security-spat-leads-companies-to-join-forces-for-new-tool-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/open-source-security-spat-leads-companies-to-join-forces-for-new-tool-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/open-source-security-spat-leads-companies-to-join-forces-for-new-tool-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/open-source-security-spat-leads-companies-to-join-forces-for-new-tool-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/open-source-security-spat-leads-companies-to-join-forces-for-new-tool-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/open-source-security-spat-leads-companies-to-join-forces-for-new-tool-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/open-source-security-spat-leads-companies-to-join-forces-for-new-tool-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Digital generated image of html code over deep black background. (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"37.902058197303\"><body readability=\"78.18191995522\"><\/p>\n<p>A conflux of open-source developers and application security companies has been embroiled in a complex debate after a recent change in the licensing policy of a widely used static code analysis tool, resulting in a faction of organizations creating a new, open-source rival. <\/p>\n<p>The issue started with a recent change in the licensing policy of Semgrep, a popular static application security testing (SAST) tool. This type of tooling examines code while it\u2019s still being written, helping developers spot mistakes that could lead to security issues before the software goes live. Semgrep\u2019s open-source version grew in popularity since its inception in 2017, partly because users can write and run custom rules that resemble patterns in code. By allowing this, it makes it easier for people to learn how to spot security flaws in code. <\/p>\n<p>In December, the San Francisco-based company changed its licensing rules for the tool, restricting the use of community-contributed rules, with the company\u2019s <a href=\"https:\/\/semgrep.dev\/blog\/2024\/important-updates-to-semgrep-oss\/\">CEO stating the changes<\/a> were made to keep rival Software-as-a-Service (SaaS) platforms from using their tool in their own services. Although the core engine remains free, the strategic shift has stoked discontent among stakeholders who had been drawn to the tool partly due to the original open-source ethos.<\/p>\n<p>Over the next few weeks, users complained about the changes to the licensing rules, saying it makes it harder for community-created improvements to be shared freely. That led to a consortium of over 10 security firms \u2014 including U.S.-based Endor Labs, Israeli firm Mobb, and U.K.-headquartered Amplify Security, among others \u2014 to launch Opengrep, a \u201cforked\u201d version of Semgrep the companies say will preserve the essence of open-source principles the initial tool was founded on. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cWe believe that discovering security issues must remain accessible to all,\u201d the website reads. \u201cOpengrep will empower every developer with open and transparent SAST, making secure software development a shared standard.\u201d<\/p>\n<p>The security firms say they will be putting in a lot of effort and resources to make sure Opengrep succeeds, providing dedicated teams to work on development, testing and deployment. They will also hold regular reviews to assess community contributions, ensuring everything stays on track and meets high standards.<\/p>\n<p>\u201cIt\u2019s rare to see competitors in the security space unite behind a single cause. The fact that Endor Labs, Aikido Security, Arnica, Amplify, Jit, Kodem, Legit Security, Mobb, Orca Security, and others \u2014 have come together to support Opengrep is a special moment indeed,\u201d Varun Badhwar, CEO of Endor Labs, wrote <a href=\"https:\/\/www.endorlabs.com\/learn\/everything-you-need-to-know-about-opengrep\">in a blog post<\/a>. \u201cAnd we should address the elephant in the room \u2014 we all benefit from a standardized, open source SAST engine, and we all contribute community rules and improvements for it. But that is exactly the point. The promise of Opengrep means that developers and application security teams will get a better baseline product, no matter who their AppSec vendor of choice is.\u201d <\/p>\n<p>Opengrep\u2019s backers contend that the tool will improve on Semgrep by focusing on remaining entirely open source, relying on a community for its development, and ultimately transitioning the tool to a foundation or nonprofit to ensure its long-term stability. The group also says that users will have unrestricted access to all scanning features, and the tool will have compatibility with existing workflows and outputs.<\/p>\n<p>Semgrep\u2019s parent company did not return CyberScoop\u2019s request for comment. <\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.5765696784074\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/open-source-security-spat-leads-companies-to-join-forces-for-new-tool-1.jpg?w=640&ssl=1\" alt=\"Greg Otto\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Greg Otto<\/h4>\n<p> Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/opengrep-static-analysis-security-tool-semgrep-open-source\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Open-source security spat leads companies to join forces for new<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3548,3549,3550,78,3551,3552,3553,3554,3555,1073,3556,3557,256,3558,3559,3560,310],"tags":[3561,3562,3563,86,3564,3565,3566,3567,3568,1076,3569,3570,262,3571,3572,3573,311],"class_list":["post-7076","post","type-post","status-publish","format-standard","hentry","category-aikido-security","category-amplify","category-arnica","category-cybersecurity","category-endor-labs","category-jit","category-kodem","category-legit-security","category-mobb","category-open-source","category-opengrep","category-orca-security","category-research","category-security-testing","category-semgrep","category-static-analysis","category-technology","tag-aikido-security","tag-amplify","tag-arnica","tag-cybersecurity","tag-endor-labs","tag-jit","tag-kodem","tag-legit-security","tag-mobb","tag-open-source","tag-opengrep","tag-orca-security","tag-research","tag-security-testing","tag-semgrep","tag-static-analysis","tag-technology"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/aikido-security\/\" rel=\"category tag\">Aikido Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/amplify\/\" rel=\"category tag\">Amplify<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/arnica\/\" rel=\"category tag\">Arnica<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/endor-labs\/\" rel=\"category tag\">Endor Labs<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/jit\/\" rel=\"category tag\">Jit<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/kodem\/\" rel=\"category tag\">Kodem<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/legit-security\/\" rel=\"category tag\">Legit Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/mobb\/\" rel=\"category tag\">Mobb<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source\/\" rel=\"category tag\">open source<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/opengrep\/\" rel=\"category tag\">OpenGrep<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/orca-security\/\" rel=\"category tag\">Orca Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/security-testing\/\" rel=\"category tag\">security testing<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/semgrep\/\" rel=\"category tag\">Semgrep<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/static-analysis\/\" rel=\"category tag\">Static Analysis<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/technology\/\" rel=\"category tag\">Technology<\/a>","tag_info":"Technology","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7076","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7076"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7076\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7076"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7076"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7076"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7076,"date":"2025-01-27T09:23:52","date_gmt":"2025-01-27T15:23:52","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83278"},"modified":"2025-01-27T09:23:52","modified_gmt":"2025-01-27T15:23:52","slug":"open-source-security-spat-leads-companies-to-join-forces-for-new-tool","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/27\/open-source-security-spat-leads-companies-to-join-forces-for-new-tool\/","title":{"rendered":"Open-source security spat leads companies to join forces for new tool"},"content":{"rendered":"