#opengrep

2025-02-28

Better Code Scanning? Putting #Opengrep to the Test 🧐

Part of consistently improving our #pentesting procedures includes evaluating the tools we use in our assessments. When conducting code reviews and pentests of fat-client applications, we are often faced with the challenge of identifying vulnerabilities in the target's source code. 🧵

#AppSec #CyberSecurity #InfoSec #Hacking #CodeReview #SourceCode #Semgrep

2025-01-30

Here's what #opengrep should have said, IMO:

"Semgrep has made the decision to move some previously-open-source features under a proprietary license for any future development. This left us with a problem to solve, as our customers -- and other users of semgrep-oss -- rely on those features.

We respect Semgrep's business decision. Nevertheless, our concern about this decision and the message that we can't rely on their "open core" to continue to provide popular features has led us to exercise our rights under the LGPL and create Opengrep. We're committed to changing our products to use this fork in order to preserve the features our customers rely on, and intend to place governance of the project into the hands of a non-profit foundation to ensure that no single vendor can change licenses or remove features in the future.

We believe that there's a place for both opengrep and semgrep-oss, and are hopeful that good ideas can cross-pollinate between the projects."

2025-01-30

Welp, #opengrep (opengrep.dev/) is a great example of something that seems like it was a reasonable thing to do, but put together by people who do not understand community relations or messaging.

It's pretty clear that what really happened is that Semgrep moved some features from their LGPL-licensed open-source core into their proprietary-licensed "pro" product (and there were some license changes around community rules, but those were never open-source anyway, so that's whatever).

A bunch of companies that compete with Semgrep at some level relied on those features. They had pretty limited choices to respond, and decided to fork semgrep-oss into opengrep, and commit to giving it to a foundation to defend against future license changes. This is the least-bad outcome for the community (more on that in 🧵).

However, the way they made the announcement tries to cast Semgrep as a "bad guy" and act like the opengrep cabal is somehow a champion of open-source -- which is precious because they contributed very little to the open core as it was.

2025-01-24

"We're launching #Opengrep, a fork of SemgrepCS (formerly SemgrepOSS), in response to recent changes by #Semgrep that affect its open-source nature and shift focus to its paid offering, limiting access and innovation for the broader community."

opengrep.dev/
github.com/opengrep/opengrep

2025-01-23

OpenGrep sounds like a very interesting community initiative. I really hope this will get traction. The community needs open source tools without licensing pain.
Semgrep has been a great tool and it was just too disappointing to see it go paywalled with time.
#opengrep #semgrep
opengrep.dev/

Server: https://mastodon.social