Everything You Need to Know About Opengrep
Opinion
With 80%-90% of codebases composed of open source code, Static Application Security Testing (SAST) remains an essential part of software security. Semgrep has been an important open source project that helped shape the landscape of modern SAST tools. However, recent changes to its licensing have created a need for a truly open alternative. Today, we're introducing Opengrep, a community-driven fork that ensures static code analysis remains open, accessible and innovative for everyone.
What is Opengrep?
Opengrep is a fork of Semgrep's open source static code analysis engine, created in response to Semgrep's December 13th, 2024 announcement that moved critical features behind their commercial license. Opengrep provides a drop-in replacement that maintains and extends the capabilities developers rely on, while ensuring they remain truly open source.
Why Opengrep matters now
The recent changes to Semgrep's licensing model have significant implications:
New community-contributed rules are now restricted to Semgrep's commercial product
Essential features like tracking ignores, fingerprinting, and meta-variables have moved behind the SaaS platform
The rebranding from "Semgrep OSS" to "Semgrep Community Edition" signals a shift away from open source principles
These changes create uncertainty for both developers and security teams who rely on these tools for their daily work. More importantly, they threaten the collaborative nature of security tooling that has helped democratize SAST capabilities.
Current status of Opengrep
Opengrep launches with strong backing from over 10 vendors in the application security space, including Aikido Security, Arnica, Amplify, Endor Labs, Jit, Kodem, Legit Security, Mobb, and Orca Security. This consortium is committing significant resources to ensure Opengrep's success:
Dedicated OCaml development resources from multiple organizations
Shared expertise in security rule development
Infrastructure support for testing and deployment
Regular community contribution reviews
Wait, aren't you all competitors?
It's rare to see competitors in the security space unite behind a single cause. The fact that Endor Labs, Aikido Security, Arnica, Amplify, Jit, Kodem, Legit Security, Mobb, Orca Security, and others have come together to support Opengrep is a special moment indeed. And we should address the elephant in the room: we all benefit from a standardized, open source SAST engine, and we all contribute community rules and improvements to it. But that is exactly the point. Opengrep means that developers and application security teams get a better baseline product, no matter which AppSec vendor they choose.
What makes Opengrep different from Semgrep?
Opengrep is built on three core principles:
True Open Source: All features and capabilities remain accessible to everyone, with no artificial restrictions or commercial gates
Community Governance: Development priorities are set collectively, with contributions evaluated based on merit rather than commercial interests
Foundation Management: A clear 12-month roadmap to transition to foundation oversight (such as OWASP or the Linux Foundation) ensures long-term stability
Switching to Opengrep provides immediate advantages to application security teams:
Full access to all scanning capabilities without feature restrictions
Backward compatibility with existing workflows and JSON/SARIF outputs
Portable security rules that work across any environment
Community-driven feature development
Long-term stability through foundation governance
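To make "portable rules" and "drop-in replacement" concrete, here is an added example of what such a rule looks like. It is not a rule from the Opengrep or Semgrep registries and was written for this article; the rule id, message and metadata are constructed. The format is the Semgrep rule YAML that Opengrep reads unchanged, so an existing rule set keeps working after switching engines. The rule flags Python subprocess calls that run a non-literal command through the shell, using meta-variables ($FUNC, $CMD) to bind the matched pieces and report them in the finding message.

```yaml
# Added example rule (constructed for this article, not from any rule registry).
# Semgrep-compatible rule format; Opengrep consumes it without modification.
rules:
  - id: python-subprocess-shell-true-dynamic-command
    languages: [python]
    severity: ERROR
    message: >-
      subprocess.$FUNC is invoked with shell=True and a non-literal command ($CMD).
      If any part of $CMD comes from user input this is OS command injection;
      pass the command as an argument list and remove shell=True.
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
    patterns:
      # Any subprocess entry point called with shell=True. $CMD binds the command
      # expression and $FUNC binds the function name; both are echoed in the message.
      - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
      # A plain string literal cannot carry injected input, so exclude that case.
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
      # Restrict $FUNC to the functions that actually execute a command.
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(run|call|check_call|check_output|Popen)$
```

Save it as rules/subprocess-shell.yml and run it with the Semgrep-compatible CLI, for example `opengrep scan --config rules/ --sarif -o results.sarif .`; the JSON and SARIF outputs are the same shape downstream tooling already expects, which is the backward compatibility the list above refers to. As with any rule, keep a small positive and negative test file next to it (a call with an f-string command should match, a constant command should not) and check both before relying on it in CI.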
How can you contribute to Opengrep?
Opengrep is committed to being a truly community-driven project. We invite developers, security professionals, and organizations who share this vision to join us in supporting Opengrep. Together, we can ensure that code security remains accessible to everyone.
You can get involved by:
Contributing to the rule repository
Participating in the open roadmap sessions
Submitting pull requests for improvements
Joining the technical discussions
Static code analysis is too important to be restricted. By creating Opengrep, we're ensuring that security tooling remains open, innovative, and community-driven. This isn't just about preserving existing capabilities—it's about building a future where security tools evolve through collaboration rather than commercial interests.