Everything You Need to Know About Opengrep

January 2025 by Endor Labs

Even with 80%-90% of codebases composed of open source code, Static Application Security Testing (SAST) remains an essential part of software security. Semgrep has been an important open source project that helped shape the landscape of modern SAST tools. However, recent changes have created a need for a truly open alternative. Today, we’re introducing Opengrep, a community-driven fork that ensures static code analysis remains open, accessible and innovative for everyone.

What is Opengrep?

Opengrep is a fork of Semgrep’s open source static code analysis engine, created in response to Semgrep’s December 13th, 2024 announcement that moved critical features behind their commercial license. Opengrep provides a drop-in replacement that maintains and extends the capabilities developers rely on, while ensuring they remain truly open source.

Why Opengrep matters now

The recent changes to Semgrep’s licensing model have significant implications:

New community-contributed rules are now restricted to Semgrep’s commercial product

Essential features like tracking ignores, fingerprinting, and meta-variables have moved behind the SaaS platform

The rebranding from "Semgrep OSS" to "Semgrep Community Edition" signals a shift away from open source principles

These changes create uncertainty for both developers and security teams who rely on these tools for their daily work. More importantly, they threaten the collaborative nature of security tooling that has helped democratize SAST capabilities.

Current status of Opengrep

Opengrep launches with strong backing from over 10 vendors in the application security space, including Aikido Security, Arnica, Amplify, Endor Labs, Jit, Kodem, Legit, Mobb, and Orca Security. This consortium is committing significant resources to ensure Opengrep’s success:

Dedicated OCaml development resources from multiple organizations

Shared expertise in security rule development

Infrastructure support for testing and deployment

Regular community contribution reviews

Wait, aren’t you all competitors?

It’s rare to see competitors in the security space unite behind a single cause. The fact that Endor Labs, Aikido Security, Arnica, Amplify, Jit, Kodem, Legit Security, Mobb, Orca Security, and others have come together to support Opengrep is a special moment indeed. We should also address the elephant in the room: we all benefit from a standardized, open source SAST engine, and we all contribute community rules and improvements to it. But that is exactly the point. The promise of Opengrep is that developers and application security teams get a better baseline product, no matter who their AppSec vendor of choice is.

What makes Opengrep different from Semgrep?

Opengrep is built on three core principles:

True Open Source: All features and capabilities remain accessible to everyone, with no artificial restrictions or commercial gates

Community Governance: Development priorities are set collectively, with contributions evaluated based on merit rather than commercial interests

Foundation Management: A clear 12-month roadmap to transition to foundation oversight (such as OWASP or the Linux Foundation) ensures long-term stability

Switching to Opengrep provides immediate advantages to application security teams:

Full access to all scanning capabilities without feature restrictions

Backward compatibility with existing workflows and JSON/SARIF outputs

Portable security rules that work across any environment

Community-driven feature development

Long-term stability through foundation governance
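The compatibility claim above is the one a practitioner has to verify before swapping scanners: whatever consumes the scan output downstream must keep working unchanged. The script below is an added example, not Opengrep's or Semgrep's own code. It reads a SARIF 2.1.0 document of the kind a SAST scanner writes, skips results that carry SARIF suppressions (the representation of an in-source ignore), summarizes the rest by level, and returns a CI exit status. It assumes the scanner emits standard SARIF 2.1.0 with `ruleId`, `level` and `locations` populated; the embedded document is a constructed sample, not real scanner output, and the rule IDs in it are invented.

```python
"""Consume SARIF 2.1.0 output from a SAST scan and apply a CI gate.

Added example, not code from the Opengrep or Semgrep projects. Assumes the
scanner writes standard SARIF 2.1.0 (runs[].results[] with ruleId, level,
message and locations). The sample document below is constructed for
illustration; its rule IDs, paths and messages are invented.
"""
import json
import sys
from collections import Counter

# Constructed sample: the shape follows SARIF 2.1.0, the values are invented.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "example.python.exec-detected",
             "shortDescription": {"text": "exec() call on untrusted input"}},
            {"id": "example.python.raw-sql-query",
             "shortDescription": {"text": "raw SQL query built from strings"}},
        ]}},
        "results": [
            {"ruleId": "example.python.exec-detected", "level": "error",
             "message": {"text": "exec() call on untrusted input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "example.python.raw-sql-query", "level": "warning",
             "message": {"text": "raw SQL query built from strings"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 17}}}]},
            # An in-source ignore (e.g. a scanner ignore comment) is represented
            # in SARIF as a suppression on the result; a gate must honor it.
            {"ruleId": "example.python.exec-detected", "level": "error",
             "message": {"text": "exec() call on untrusted input"},
             "suppressions": [{"kind": "inSource"}],
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tools/repl.py"},
                 "region": {"startLine": 9}}}]},
        ],
    }],
})


def parse_findings(sarif_text: str) -> list:
    """Flatten a SARIF 2.1.0 document into active (unsuppressed) findings."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unexpected SARIF version: {doc.get('version')!r}")
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            if res.get("suppressions"):
                continue  # suppressed in source or externally; not actionable
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule_id": res.get("ruleId", "<unknown>"),
                # SARIF defaults a missing level to "warning".
                "level": res.get("level", "warning"),
                "message": res.get("message", {}).get("text", ""),
                "file": loc.get("artifactLocation", {}).get("uri", "<unknown>"),
                "line": loc.get("region", {}).get("startLine"),
            })
    return findings


def summarize(findings: list) -> Counter:
    """Count active findings per SARIF level (error/warning/note/none)."""
    return Counter(f["level"] for f in findings)


def gate(findings: list, fail_on=("error",)) -> int:
    """Return a process exit status: 1 if any finding is at a blocking level."""
    blocking = [f for f in findings if f["level"] in fail_on]
    for f in blocking:
        print(f"{f['file']}:{f['line']}: [{f['level']}] {f['rule_id']}: {f['message']}")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python sarif_gate.py results.sarif   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    active = parse_findings(text)
    print("findings by level:", dict(summarize(active)))
    sys.exit(gate(active))
```

Because the gate keys only on SARIF fields, it does not care which engine produced the file; the same script would sit behind either scanner in a pipeline, which is what "drop-in replacement" has to mean in practice.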

How can you contribute to Opengrep?

Opengrep is committed to being a truly community-driven project. We invite developers, security professionals, and organizations who share this vision to join us in supporting Opengrep. Together, we can ensure that code security remains accessible to everyone.

You can get involved by:

Contributing to the rule repository

Participating in the open roadmap sessions

Submitting pull requests for improvements

Joining the technical discussions

Learn more about Opengrep

Static code analysis is too important to be restricted. By creating Opengrep, we’re ensuring that security tooling remains open, innovative, and community-driven. This isn’t just about preserving existing capabilities—it’s about building a future where security tools evolve through collaboration rather than commercial interests.