Press Release: Security Rivals Unite to Launch “Opengrep” Following Semgrep Clampdown

“Democratizing static code analysis isn’t just a technical goal,” the unlikely collective states. “The evolving landscape of open-source security highlights the importance of preserving access, innovation, and trust for the developer community. With Opengrep, we can make secure software development a shared standard for all.”

Written by Mahesh Babu
Published on January 23, 2025
Topics: Kodem News, Application Security

USA, Belgium, Israel, January 23, 2025 - In an unprecedented move, more than ten competing security companies today announced they are uniting to launch Opengrep, a collaborative fork of Semgrep's code analysis engine. This industry-first alliance follows Sequoia-backed Semgrep's December 13th decision to effectively clamp down on its open-source security project by changing its license and moving critical features behind a commercial license. Semgrep is used by a multitude of organizations and millions of developers worldwide.

The unlikely consortium stretches from Silicon Valley to Europe to Israel, and includes Aikido Security, Arnica, Amplify Security, Endor Labs, Jit, Kodem, Legit Security, Mobb, and Orca Security. It represents the first time direct competitors in the security industry have united to preserve open-source infrastructure. In line with previous open-source forks such as OpenSearch (from Elasticsearch) and OpenTofu (from Terraform), Opengrep marks a coordinated, industry-wide stand to preserve critical open-source infrastructure in the face of commercialization and single-vendor interest.

“Open-source license changes by private vendors are no small matter, often leading to disruption and uncertainty for the contributors who help build them,” states the Opengrep manifesto, a public statement penned by the launching organizations.

“In such cases, the future of the community hangs in doubt as community members must work to continue and protect an open future. Beyond the license and critical feature migration, Semgrep's rebranding from Semgrep OSS confirms a departure from their open source commitment and goal to democratize code security for developers.”

Since 2017, Semgrep has maintained two leading open-source security projects: a pattern-matching engine for analyzing large code bases, licensed under LGPL 2.1, and a shared rules registry combining Semgrep's own rules with community contributions.

The impact of this change goes beyond Semgrep’s commercial position and affects the open-source community and its ecosystem. All new community-contributed rules will now be locked behind Semgrep's commercial license. The company also moved essential engine features behind that license, including tracking of ignores, lines-of-code counts, fingerprints, and meta-variables: critical components the open-source community helped build and relied upon.

“As much as the changes have been positioned as only affecting other SaaS providers, the changes have stunted the capabilities of its open-source engine,” state the Opengrep sponsors. “This creates serious disruptions for end users and organizations alike, as the communities scramble to adopt new standards. This sort of change harms all similar open-source projects; the development ecosystem now needs to think twice about investing in open-source.”

By pooling resources across competing companies, the Opengrep initiators believe they can “better advance and democratize code security analysis for the benefit and free use of all.” The consortium has already committed significant resources to Opengrep's development, with each organization contributing capital and specialized development expertise. To guarantee long-term continuity, the group has committed to moving Opengrep under foundation management, ensuring no single commercial entity can restrict its use in the future.

For developers, Opengrep delivers immediate benefits:

  • A decentralized project with multiple contributors, removing the risk of single-vendor dependence
  • Support for critical features now locked in Semgrep's pro-only tier, including fingerprints and the common JSON and SARIF output formats, with full backward compatibility
  • Enhanced scanning capabilities without commercial restrictions
  • Vendor-independent, merit-based review of community contributions
  • Rule portability: community-contributed rules will not be locked into commercial exclusivity

Organizations interested in contributing to or adopting Opengrep can join the open roadmap session scheduled for February 20th.

The launching sponsors of Opengrep are represented by the respective founders: Willem Delbare (CTO, Aikido Security), Nir Valtman (CEO, Arnica), Ali Mesdaq (CEO, Amplify Security), Varun Badhwar (CEO, Endor Labs), Aviram Shmueli (CIO, Jit), Pavel Furman (CTO, Kodem), Liav Caspi (CTO, Legit), Eitan Worcel (CEO, Mobb), and Yoav Alon (CTO, Orca Security).

Blog written by Mahesh Babu, Head of Marketing