A recent development in application security has seen a group of nine companies specializing in application security services fork the popular code-scanning project Semgrep. The fork was sparked by the eponymous startup’s decision to move some key capabilities of its open source engine into its paid version, making it harder for these firms to integrate the software into their own products. In response, the companies, including Aikido Security, Arnica, Amplify Security, and others, have come together to create a new codebase known as Opengrep.
The Opengrep project aims to maintain the advanced features and functionality that were previously available in Semgrep’s open source engine. The new initiative, backed by the sponsoring companies, will operate under the same GNU Lesser General Public License (LGPL) as Semgrep Community Edition. The driving force behind Opengrep is to establish a neutral open source project that is not controlled by a single entity, so that it can evolve to meet the needs of enterprise users and of the collaborating companies behind the effort.
As stated by Varun Badhwar, CEO and co-founder of Endor Labs, one of the firms supporting Opengrep, the intention is not to retain ownership of the project indefinitely but to eventually transfer it to the broader community. This collective funding approach is viewed as an interim solution to prevent a single vendor from making unilateral changes that could affect the project’s direction.
The decision to fork Semgrep and create Opengrep was triggered by the changes announced by Semgrep, which sought to distinguish its Pro version from the open source Community Edition. By limiting certain features and functionalities in the Community Edition, Semgrep adopted an open core model, where more advanced capabilities are reserved for the commercial offering.
The move to fork Semgrep has stirred controversy within the application security community, with some critics questioning the rationale behind forking the project instead of supporting its original development. This scenario is emblematic of a broader trend where venture-backed companies leverage open source projects to advance their own commercial products, as noted by application security specialist Mark Curphey in a recent column.
Curphey highlighted the challenges faced by open source projects like Zed Attack Proxy (ZAP) in securing sustainable funding and suggested that commercial entities often benefit from open source contributions without adequately giving back to the community. The tensions surrounding the development and funding of open source projects are not unique to Semgrep but reflect broader issues in the software development landscape.
Despite the criticisms, proponents of Opengrep, such as Varun Badhwar, argue that the project will offer a more comprehensive set of features compared to Semgrep’s open source engine. The decision to fork the project was motivated by the perceived gap that was emerging between Semgrep’s professional platform and its open source counterpart, prompting the need for a more inclusive and feature-rich alternative.
While Semgrep founder Luke O’Malley expressed concerns about potential fragmentation caused by multiple forks of the project, the Opengrep team remains committed to enhancing and maintaining its version of the code-scanning engine. The ongoing dialogue between the two initiatives underscores the complexities of open source funding and community engagement, reflecting a broader trend in the software industry toward balancing commercial interests with open source principles.
In conclusion, the creation of the Opengrep project marks a notable development in the landscape of application security tools, highlighting the evolving dynamics between open source projects and commercial entities. As the initiative progresses, the industry will continue to navigate the complexities of funding, collaboration, and community ownership in software development.