The security community witnessed a seismic shift in January 2025, as rival companies united to launch Opengrep, a fork of the static application security testing tool Semgrep. Once celebrated for its community-driven open-source ethos, Semgrep ignited controversy when it changed its licensing model in December 2024. Those licensing changes restricted the use of contributed rules in commercial products and moved key features behind a paywall.
Semgrep became an essential tool for developers worldwide thanks to its ability to detect vulnerabilities across multiple programming languages. However, the company’s decision risks stifling innovation in an area vital to modern cybersecurity.
Amid the controversy, DevSecOps startup DeepSource released Globstar, a new open-source toolkit for code security. Built from scratch and released under the MIT license, Globstar says it aims to offer unrestricted commercial use and full public access to its code.
“Through Globstar, we’re offering a fresh approach to custom static analysis, designed with the needs of security teams in mind. It emerged from an internal framework we had developed for threat detection,” Sanket Saurav, co-founder and CEO of DeepSource, told me. “Semgrep is already in capable hands, and our goal was to take a distinct path. We see ourselves not as a replacement, but as an alternative that brings a new perspective to the space.”
The company has raised a total of $7.7M in funding and is currently backed by Y Combinator investors.
Developed in the Go programming language and built on Tree-sitter, Globstar supports over 20 programming languages. The toolkit offers an intuitive YAML interface for writing custom security checkers and an advanced Go interface for complex, cross-file analysis.
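To make concrete what a "custom security checker" in such a toolkit does, here is a small added example (not Globstar's, Semgrep's or DeepSource's code). It uses Python's standard `ast` module as a stand-in for Tree-sitter: the source under review is parsed into a syntax tree and never executed, and each checker is a pattern matched against that tree. The rule ids, the `Finding` type and the sample source are all constructed for this illustration.

```python
"""Toy pattern-based static checker, added as an illustration.

Not Globstar's or Semgrep's code. Python's ``ast`` module stands in for
Tree-sitter: the analyzed source is parsed, never run, and every checker is
a pattern over the resulting tree, the same idea as a custom YAML or Go
checker in the toolkit described above.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    rule_id: str   # hypothetical rule identifier, constructed for this example
    line: int
    message: str


def _callee_name(node: ast.Call) -> Optional[str]:
    """Return the dotted callee name ('eval', 'subprocess.run'), or None."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def check_dynamic_eval(tree: ast.AST):
    """Flag eval()/exec(): code assembled at runtime escapes static review."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _callee_name(node) in {"eval", "exec"}:
            yield Finding("py-dynamic-eval", node.lineno,
                          "eval/exec executes code built at runtime")


def check_subprocess_shell(tree: ast.AST):
    """Flag subprocess calls with shell=True, where input reaches a shell parser."""
    targets = {"subprocess.run", "subprocess.call", "subprocess.Popen"}
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _callee_name(node) in targets):
            continue
        for kw in node.keywords:
            if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                yield Finding("py-subprocess-shell", node.lineno,
                              "subprocess invoked with shell=True")


CHECKERS = [check_dynamic_eval, check_subprocess_shell]


def analyze(source: str) -> List[Finding]:
    """Parse once, run every checker over the tree, return findings in line order."""
    tree = ast.parse(source)
    findings = []
    for checker in CHECKERS:
        findings.extend(checker(tree))
    return sorted(findings, key=lambda f: (f.line, f.rule_id))


# Constructed sample input; not taken from any real project.
SAMPLE_SOURCE = "\n".join([
    "import subprocess",                          # line 1
    "def handler(payload):",                      # line 2
    "    value = eval(payload)",                  # line 3: flagged
    "    subprocess.run(payload, shell=True)",    # line 4: flagged
    "    subprocess.run(['ls', '-l'])",           # line 5: clean (no shell)
    "    return value",                           # line 6
])


if __name__ == "__main__":
    for f in analyze(SAMPLE_SOURCE):
        print(f"{f.rule_id}:{f.line}: {f.message}")
```

Each checker is independent of the others and only sees the tree, which is what lets a toolkit expose rule authoring through a declarative interface: a rule author describes the pattern, and the engine supplies parsing, traversal and reporting. Cross-file analysis, as the Go interface mentioned above provides, would extend this by carrying state (imports, definitions) across several parsed trees.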
“When a project is forked, it often takes a different trajectory, but when constrained to building on top of an existing product, innovation can be limited,” said Sanket. “We created a system that simplifies the process of writing custom code checkers.”
Business Necessity Versus Open-Source Preservation
On Dec. 13, 2024, Semgrep revamped its licensing model to restrict third-party use of contributed rules in competing commercial products without authorization. The company also rebranded its open-source version as “Semgrep CE” (Community Edition). Semgrep claims the licensing changes are essential to protect intellectual property and ensure sustainable revenue. The company contends that restricting commercial use helps curb unauthorized repackaging and supports long-term innovation.
“When engineers write code to solve a problem, static analysis examines the code without executing it, identifying patterns and potential issues early in the development process. Semgrep is a respected player in this space, and I hold them in high regard,” said Sanket. “However, their shift in licensing for commercial users reflects a broader reality: VC-backed companies must balance open-source ideals with sustainable business models.”
He notes that while the change did not directly affect end users, it raises an ongoing debate about whether open source should remain entirely unrestricted or evolve to ensure long-term viability.
In January 2025, 10 DevSec companies, including Aikido Security, Arnica, Amplify Security, Endor Labs, Jit, Kodem, Legit Security, Mobb and Orca Security, formed a consortium to launch Opengrep. Traditionally fierce competitors, the members of the new consortium now plan to challenge Semgrep’s decision to limit functionality in favor of commercial gain. In a blog post, Endor Labs said that static code analysis is “too important to restrict”.
However, it is not yet clear whether Opengrep merely repackages legacy code rather than offering a truly new solution.
The Rise of Open-Source Alternatives
DeepSource recognized a growing need among developers for a tool that does not inherit legacy constraints. “Enterprise customers don’t want to juggle multiple tools; it creates integration challenges and drives demand for an all-in-one solution,” explained Sanket. “Static analysis plays a critical role in understanding code architecture, which is why we’ve positioned ourselves as a unified platform.”
However, DeepSource’s Globstar is not alone; several static code analysis alternatives have gained traction following the Semgrep licensing controversy. For instance, SonarQube is a code analysis platform that offers both a free Community Edition and paid editions, covering static code analysis, integration support and metrics tracking. Likewise, ShellCheck is an alternative specifically for analyzing shell scripts: it helps developers catch scripting errors that could later lead to major bugs or inefficiencies, and it flags commands or syntax that may not be portable across different shell environments. Because it is easy to use, runs from the command line and integrates readily into CI/CD pipelines, ShellCheck has become an increasingly popular choice.
While Opengrep seeks to preserve a legacy tool’s open roots, other alternatives like SonarQube, Globstar and ShellCheck also offer a fresh, forward-thinking solution. As the open-source debate unfolds, developers and enterprises face pivotal choices that may redefine the landscape of code analysis.