Open-Source Alternatives Amid Semgrep Licensing Controversy


The security community witnessed a seismic shift in January 2025, as rival companies united to launch Opengrep, a fork of the static application security testing tool Semgrep. Once celebrated for its community-driven open-source ethos, Semgrep ignited controversy when it altered its licensing model in December 2024. Those licensing changes restricted the use of community-contributed rules in commercial products and moved key features behind a paywall.

Semgrep became an essential tool for developers worldwide because of its ability to detect vulnerabilities across multiple programming languages. However, the company's decision risks stifling innovation in an area vital to modern cybersecurity.

Amid the controversy, DevSecOps startup DeepSource released Globstar, a new open-source toolkit for code security. Built from scratch and released under the MIT license, Globstar aims to offer unrestricted commercial use and full public access to its code.

“Through Globstar, we're offering a modern approach to custom static analysis, designed with the needs of security teams in mind. It emerged from an internal framework we had developed for threat detection,” Sanket Saurav, co-founder and CEO of DeepSource, told me. “Semgrep is already in capable hands, and our goal was to take a distinct path. We see ourselves not as a replacement, but as an alternative that brings a new perspective to the space.”

The company has raised a total of $7.7M in funding and is currently backed by Y Combinator investors.

Developed in the Go programming language and integrated with Tree-sitter, Globstar supports over 20 programming languages. The toolkit offers an intuitive YAML interface for writing custom security checkers and an advanced Go interface for complex, cross-file analysis.
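To make the "custom checker" idea concrete, here is an added illustration (not Globstar's, Semgrep's or Opengrep's code, and not Globstar's YAML schema) of how a rule-driven static analyzer works: source is parsed into a syntax tree, every call node is visited, and declarative rules decide which calls to report. Python's standard `ast` module stands in for Tree-sitter, and the rule shape (callee names plus a keyword condition), the two rules and the sample input are all constructed for this example.

```python
"""Toy rule-driven static checker over Python syntax trees (added illustration)."""
import ast
from dataclasses import dataclass

# Constructed rules. The shape (callee names plus a keyword condition) is this
# example's own and is not Globstar's YAML schema or Semgrep's rule format.
RULES = [
    {
        "id": "subprocess-shell-true",
        "callees": ("subprocess.run", "subprocess.Popen", "subprocess.call"),
        "keyword_equals": ("shell", True),
        "severity": "HIGH",
        "message": "subprocess call with shell=True; pass an argument list instead",
    },
    {
        "id": "yaml-unsafe-load",
        "callees": ("yaml.load",),
        "missing_keyword": "Loader",
        "severity": "HIGH",
        "message": "yaml.load without an explicit Loader can instantiate arbitrary objects",
    },
]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    line: int
    severity: str
    message: str


def dotted_name(func):
    """Render a Call's func node as 'module.attr'; None for anything else."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def rule_matches(call, rule):
    """Apply the keyword conditions of one rule to one ast.Call node."""
    eq = rule.get("keyword_equals")
    if eq is not None:
        name, wanted = eq
        if not any(kw.arg == name and isinstance(kw.value, ast.Constant)
                   and kw.value.value == wanted for kw in call.keywords):
            return False
    missing = rule.get("missing_keyword")
    if missing is not None and any(kw.arg == missing for kw in call.keywords):
        return False
    return True


def check_source(source, rules=RULES):
    """Parse the source once, walk every call node, and collect rule hits."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        for rule in rules:
            if name in rule["callees"] and rule_matches(node, rule):
                findings.append(Finding(rule["id"], node.lineno,
                                        rule["severity"], rule["message"]))
    return sorted(findings, key=lambda f: (f.line, f.rule_id))


# Constructed sample input: two risky calls beside their safer forms.
# It is only parsed, never executed, so the imports need not be installed.
SAMPLE = """\
import subprocess, yaml

def run_user_command(cmd):
    return subprocess.run(cmd, shell=True)

def run_safely(args):
    return subprocess.run(args, shell=False)

def load_config(text):
    return yaml.load(text)

def load_config_safely(text):
    return yaml.load(text, Loader=yaml.SafeLoader)
"""


def analyze_sample():
    """Run the rules over the constructed sample; returns two findings."""
    return check_source(SAMPLE)


if __name__ == "__main__":
    for f in analyze_sample():
        print(f"{f.severity} line {f.line} [{f.rule_id}]: {f.message}")
```

Running the file reports the `shell=True` call on line 4 and the bare `yaml.load` on line 10 of the sample, while the two safer variants pass. The point of the data-driven rule list is the one the article attributes to Globstar's YAML front end: a security team adds a checker by describing a pattern, not by writing tree-walking code, and the engine (here a few dozen lines, in real tools a Tree-sitter-backed matcher covering many languages) does the rest.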

“When a project is forked, it often takes a different trajectory, but when constrained to building on top of an existing product, innovation can be limited,” said Sanket. “We created a system that simplifies the process of writing custom code checkers.”

Business Necessity Versus Open-Source Preservation

On Dec. 13, 2024, Semgrep revamped its licensing model to restrict third-party use of contributed rules in competing commercial products without authorization. Furthermore, the company rebranded its open-source version as “Semgrep CE” (Community Edition). Semgrep claims that its licensing changes are essential to protect intellectual property and ensure sustainable revenue. The company contends that limiting commercial use helps curb unauthorized repackaging and supports long-term innovation.

“When engineers write code to solve a problem, static analysis examines the code without executing it, identifying patterns and potential issues early in the development process. Semgrep is a respected player in this space, and I hold them in high regard,” said Sanket. “However, their shift in licensing for commercial users reflects a broader reality: VC-backed companies must balance open-source principles with sustainable business models.”

He notes that while the change did not directly affect end users, it raises an ongoing debate about whether open source should remain completely unrestricted or evolve to ensure long-term viability.

In January 2025, 10 DevSec companies, including Aikido Security, Arnica, Amplify Security, Endor Labs, Jit, Kodem, Legit Security, Mobb and Orca Security, formed a consortium to launch Opengrep. Traditionally fierce rivals, the new consortium plans to directly challenge Semgrep's decision to limit functionality in favor of commercial gain. In a blog post, Endor Labs stated that static code analysis is “too important to restrict”.

However, it is not yet clear whether Opengrep merely repackages legacy code rather than offering a truly new solution.

The Rise of Open-Source Alternatives

DeepSource recognized a growing need among developers for a tool that does not inherit legacy constraints. “Enterprise customers don't want to juggle multiple tools; it creates integration challenges and drives demand for an all-in-one solution,” explained Sanket. “Static analysis plays a crucial role in understanding code architecture, which is why we've positioned ourselves as a unified platform.”

However, DeepSource's Globstar is not alone; several static code analysis solutions have gained traction following the Semgrep licensing controversy. For instance, SonarQube is a code analysis platform that offers both a free Community Edition and paid editions, covering static code analysis, integration support and metrics tracking. Likewise, ShellCheck is another alternative, used specifically for analyzing shell scripts; it helps developers catch scripting errors that could later lead to major bugs or inefficiencies, and it flags commands or syntax that may not be portable across different shell environments. Because it is easy to use, runs from the command line and integrates readily into CI/CD pipelines, ShellCheck has become an increasingly popular choice.

While Opengrep seeks to preserve a legacy tool's open roots, other solutions like SonarQube, Globstar and ShellCheck also offer a modern, forward-looking option. As the open-source debate unfolds, developers and enterprises face pivotal choices that may redefine the landscape of code analysis.
