Open-Source Alternatives Amid Semgrep Licensing Controversy


The security community witnessed a seismic shift in January 2025, as rival firms united to launch Opengrep, a fork of the static application security testing tool Semgrep. Once celebrated for its community-driven open-source ethos, Semgrep ignited controversy when it altered its licensing model in December 2024. These licensing changes restricted the use of contributed rules in commercial products and moved key features behind a paywall.

Semgrep became an essential tool for developers worldwide thanks to its ability to detect vulnerabilities across multiple programming languages. However, the company's decision risks stifling innovation in an area critical to modern cybersecurity.

Amid the controversy, DevSecOps startup DeepSource launched Globstar, a new open-source toolkit for code security. Built from scratch and released under the MIT license, Globstar says it aims to offer unrestricted commercial use and full public access to its code.

"Through Globstar, we're offering a fresh approach to custom static analysis, designed with the needs of security teams in mind. It emerged from an internal framework we had developed for threat detection," Sanket Saurav, co-founder and CEO of DeepSource, told me. "Semgrep is already in capable hands, and our goal was to take a distinct path. We see ourselves not as a replacement, but as an alternative that brings a new perspective to the space."

The company has raised a total of $7.7M in funding and is currently backed by Y Combinator investors.

Developed in the Go programming language and integrated with Tree-sitter, Globstar supports over 20 programming languages. The toolkit features an intuitive YAML interface for creating custom security checkers and an advanced Go interface for complex, cross-file analysis.


"When a project is forked, it often takes a different trajectory, but when it is constrained to building on top of an existing product, innovation can be limited," said Sanket. "We created a system that simplifies the process of writing custom code checkers."

Business Necessity Versus Open-Source Preservation

On Dec. 13, 2024, Semgrep revamped its licensing model to restrict third-party use of contributed rules in competing commercial products without authorization. Moreover, the company rebranded its open-source version as "Semgrep CE" (Community Edition). Semgrep claims that its licensing changes are essential to protect intellectual property and ensure sustainable revenue. The company contends that limiting commercial use helps curb unauthorized repackaging and supports long-term innovation.

"When engineers write code to solve a problem, static analysis examines the code without executing it, identifying patterns and potential issues early in the development process. Semgrep is a respected player in this space, and I hold them in high regard," said Sanket. "However, their shift in licensing for commercial users reflects a broader reality: VC-backed companies must balance open-source principles with sustainable business models."

He notes that while the change didn't directly affect end users, it raises an ongoing debate about whether open source should remain entirely unrestricted or evolve to ensure long-term viability.

In January 2025, 10 DevSec companies, including Aikido Security, Arnica, Amplify Security, Endor Labs, Jit, Kodem, Legit Security, Mobb and Orca Security, formed a consortium to launch Opengrep. Traditionally fierce competitors, the new consortium now plans to challenge Semgrep's decision to limit functionality in favor of commercial gain. In a blog post, Endor Labs stated that static code analysis is "too important to restrict".


However, it is not yet clear whether Opengrep merely repackages legacy code rather than offering an entirely new solution.

The Rise of Open-Source Alternatives

DeepSource recognized a growing need among developers for a tool that doesn't inherit legacy constraints. "Enterprise customers don't want to juggle multiple tools; it creates integration challenges and drives demand for an all-in-one solution," explained Sanket. "Static analysis plays a crucial role in understanding code architecture, which is why we've positioned ourselves as a unified platform."

However, DeepSource's Globstar is not alone; several static code analysis solutions have gained traction following the Semgrep licensing controversy. For example, SonarQube is a code analysis platform that offers both a free Community Edition and paid versions, covering static code analysis, integration support and metrics monitoring. Likewise, ShellCheck is another alternative, specifically used for analyzing shell scripts, that helps developers catch scripting errors which could later lead to major bugs or inefficiencies. It flags commands or syntax that may not be portable across different shell environments. Because of its ease of use, its ability to run from the command line and its straightforward integration into CI/CD pipelines, ShellCheck has become an increasingly popular choice.
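The ShellCheck point above, as an added example that is not part of the article and not ShellCheck's own code: the first helper contains the unquoted-variable pattern ShellCheck reports as SC2086 (word splitting and globbing), the second is the quoted form it recommends, and `lint_scripts` is a hypothetical CI wrapper that runs `shellcheck` over every `*.sh` file under a directory and fails the job when any finding is reported.

```shell
#!/bin/sh
# Added example, not from the article. Shows the class of defect ShellCheck
# catches and a small CI-style wrapper around the tool.

# BUGGY: $1 is expanded unquoted, so a filename containing spaces is split
# into several arguments and glob characters are expanded. ShellCheck flags
# this line as SC2086 ("Double quote to prevent globbing and word splitting").
count_args_unquoted() {
    set -- $1
    echo "$#"
}

# FIXED: quoting keeps the value as exactly one argument, whatever it contains.
count_args_quoted() {
    set -- "$1"
    echo "$#"
}

# Hypothetical CI helper: lint every *.sh file under the given directory with
# the POSIX sh dialect. With `-exec ... {} +`, find returns non-zero if any
# shellcheck invocation did, which is what fails the pipeline step.
lint_scripts() {
    dir=$1
    if ! command -v shellcheck >/dev/null 2>&1; then
        echo "shellcheck is not installed" >&2
        return 2
    fi
    find "$dir" -name '*.sh' -exec shellcheck --shell=sh {} +
}

# Constructed sample input: a filename with a space in it.
sample='my file.txt'
echo "unquoted expansion sees $(count_args_unquoted "$sample") argument(s)"
echo "quoted expansion sees   $(count_args_quoted "$sample") argument(s)"
```

In a pipeline the wrapper is invoked as `lint_scripts ./scripts`; the unquoted helper demonstrates why the finding matters, since a script that passes such a value to a file-handling command would act on the wrong paths.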

While Opengrep seeks to preserve a legacy tool's open roots, other solutions like SonarQube, Globstar and ShellCheck also offer a fresh, forward-thinking approach. As the open-source debate unfolds, developers and enterprises face pivotal choices that may redefine the landscape of code analysis.
