Open-Source Alternatives Amid Semgrep Licensing Controversy

The security community witnessed a seismic shift in January 2025, as rival firms united to launch Opengrep, a fork of the static application security testing tool Semgrep. Once celebrated for its community-driven open-source ethos, Semgrep ignited controversy when it altered its licensing model in December 2024. These licensing changes restricted the use of contributed rules in commercial products and shifted key features behind a paywall.

Semgrep became an essential tool for developers worldwide because of its ability to detect vulnerabilities across multiple programming languages. However, the company's decision risks stifling innovation in an area critical to modern cybersecurity.

Amid the controversy, DevSecOps startup DeepSource released Globstar, a new open-source toolkit for code security. Built from scratch and released under the MIT license, Globstar says it aims to offer unrestricted commercial use and full public access to its code.

“Through Globstar, we’re offering a fresh approach to custom static analysis, designed with the needs of security teams in mind. It emerged from an internal framework we had developed for threat detection,” Sanket Saurav, co-founder and CEO of DeepSource, told me. “Semgrep is already in capable hands, and our goal was to take a distinct path. We see ourselves not as a replacement, but as an alternative that brings a new perspective to the space.”

The company has raised a total of $7.7M in funding and is currently backed by Y Combinator investors.

Developed in the Go programming language and built on Tree-sitter, Globstar supports over 20 programming languages. The toolkit features an intuitive YAML interface for creating custom security checkers and an advanced Go interface for complex, cross-file analysis.

“When a project is forked, it often takes a different trajectory—but when constrained to building on top of an existing product, innovation can be limited,” said Sanket. “We created a system that simplifies the process of writing custom code checkers.”

Enterprise Necessity Versus Open-Source Preservation

On Dec. 13, 2024, Semgrep revamped its licensing model to restrict third-party use of contributed rules in competing commercial products without authorization. Moreover, the company rebranded its open-source version to “Semgrep CE” (Community Edition). Semgrep claims that its licensing changes are necessary to protect intellectual property and ensure sustainable revenue. The company contends that restricting commercial use helps curb unauthorized repackaging and supports long-term innovation.

“When engineers write code to solve a problem, static analysis examines the code without executing it, identifying patterns and potential issues early in the development process. Semgrep is a respected player in this space, and I hold them in high regard,” said Sanket. “However, their shift in licensing for commercial users reflects a broader reality: VC-backed companies must balance open-source principles with sustainable business models.”

He notes that while the change didn’t directly affect end users, it raises an ongoing debate about whether open source should remain entirely unrestricted or evolve to ensure long-term viability.

In January 2025, 10 DevSec firms, including Aikido Security, Arnica, Amplify Security, Endor Labs, Jit, Kodem, Legit Security, Mobb and Orca Security, formed a consortium to launch Opengrep. Traditionally fierce rivals, the new consortium immediately plans to challenge Semgrep’s decision to limit functionality in favor of commercial gain. In a blog post, Endor Labs stated that static code analysis is “too important to restrict”.

However, it isn’t yet clear whether Opengrep merely repackages legacy code rather than offering a truly new solution.

The Rise of Open-Source Alternatives

DeepSource recognized a growing need among developers for a tool that doesn’t inherit legacy constraints. “Enterprise customers don’t want to juggle multiple tools—it creates integration challenges and drives demand for an all-in-one solution,” explained Sanket. “Static analysis plays a crucial role in understanding code architecture, which is why we’ve positioned ourselves as a unified platform.”

However, DeepSource’s Globstar is not alone; several static code analysis alternatives have gained traction following the Semgrep licensing controversy. For instance, SonarQube is a code analysis platform that offers both a free Community Edition and paid versions for static code analysis, integration support and metrics tracking. Likewise, ShellCheck is another alternative specifically used for analyzing shell scripts, and helps developers catch scripting errors that could later lead to major bugs or inefficiencies. It flags commands or syntax that may not be portable across different shell environments. Thanks to its ease of use, with the ability to run from the command line and integrate easily into CI/CD pipelines, ShellCheck has become an increasingly popular choice.

While Opengrep seeks to preserve a legacy tool’s open roots, other alternatives like SonarQube, Globstar and ShellCheck also offer a fresh, forward-thinking solution. As the open-source debate unfolds, developers and enterprises face pivotal choices that may redefine the landscape of code analysis.