The security community witnessed a seismic shift in January 2025, as rival companies united to launch Opengrep, a fork of the static application security testing (SAST) tool Semgrep. Once celebrated for its community-driven open-source ethos, Semgrep ignited controversy when it altered its licensing model in December 2024. The new terms restricted the use of community-contributed rules in commercial products and moved key features behind a paywall.
Semgrep became an essential tool for developers worldwide due to its ability to detect vulnerabilities across multiple programming languages. However, the company’s decision risks stifling innovation in an area vital to modern cybersecurity.
Amid the controversy, DevSecOps startup DeepSource launched Globstar, a new open-source toolkit for code security. Built from scratch and released under the MIT license, Globstar says it aims to provide unrestricted commercial and full public access to its code.
“Through Globstar, we are offering a fresh approach to custom static analysis, designed with the needs of security teams in mind. It emerged from an internal framework we had developed for threat detection,” Sanket Saurav, co-founder and CEO of DeepSource, told me. “Semgrep is already in capable hands, and our goal was to take a distinct path. We see ourselves not as a replacement, but as an alternative that brings a new perspective to the space.”
The company has raised a total of $7.7M in funding and is currently being backed by Y-Combinator investors.
Written in Go and built on Tree-sitter, Globstar supports over 20 programming languages. The toolkit offers a YAML interface for writing custom security checkers and a Go interface for more complex, cross-file analysis.
“When a project is forked, it often takes a different trajectory—but when constrained to building on top of an existing product, innovation can be limited,” said Sanket. “We created a system that simplifies the process of writing custom code checkers.”
Business Necessity Versus Open-Source Preservation
On Dec. 13, 2024, Semgrep revamped its licensing model to restrict third-party use of contributed rules in competing commercial products without authorization. Moreover, the company rebranded its open-source version to “Semgrep CE” (Community Edition). Semgrep claims that its licensing changes are essential to protect intellectual property and ensure sustainable revenue. The company contends that restricting commercial use helps curb unauthorized repackaging and supports long-term innovation.
“When engineers write code to solve a problem, static analysis examines the code without execution, identifying patterns and potential issues early in the development process. Semgrep is a respected player in this space, and I hold them in high regard,” said Sanket. “However, their shift in licensing for commercial users reflects a broader reality: VC-backed companies must balance open-source principles with sustainable business models.”
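To make the two preceding points concrete (a checker written in Go, and static analysis that examines code without executing it), here is a small added example in Go. It is not Globstar's or Semgrep's code and does not use their rule formats; it uses only Go's standard go/ast and go/parser packages. The rule names, the Finding and Rule types, and the sample source it scans are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
	"strconv"
)

// Finding is one reported match: which rule fired, on which line, and why.
type Finding struct {
	Rule    string
	Line    int
	Message string
}

// Rule is a single checker: it inspects one AST node and reports a message if it matches.
// This is a hypothetical rule shape for the example, not any tool's real API.
type Rule struct {
	Name  string
	Match func(n ast.Node) (string, bool)
}

// secretName matches identifiers that commonly hold credentials.
var secretName = regexp.MustCompile(`(?i)(passw(or)?d|secret|token|api_?key)`)

type pair struct {
	name *ast.Ident
	val  ast.Expr
}

// hardcodedSecret flags `password := "..."` and `var apiKey = "..."` style assignments
// whose right-hand side is a non-empty string literal.
func hardcodedSecret(n ast.Node) (string, bool) {
	var pairs []pair
	switch s := n.(type) {
	case *ast.AssignStmt:
		for i, l := range s.Lhs {
			if id, ok := l.(*ast.Ident); ok && i < len(s.Rhs) {
				pairs = append(pairs, pair{id, s.Rhs[i]})
			}
		}
	case *ast.ValueSpec:
		for i, id := range s.Names {
			if i < len(s.Values) {
				pairs = append(pairs, pair{id, s.Values[i]})
			}
		}
	default:
		return "", false
	}
	for _, p := range pairs {
		if !secretName.MatchString(p.name.Name) {
			continue
		}
		// lit.Value still carries its quotes, so len > 2 means a non-empty literal.
		if lit, ok := p.val.(*ast.BasicLit); ok && lit.Kind == token.STRING && len(lit.Value) > 2 {
			return fmt.Sprintf("%q is assigned a string literal; load it from configuration instead", p.name.Name), true
		}
	}
	return "", false
}

// isStringLit reports whether e is a string literal equal to one of the wanted values.
func isStringLit(e ast.Expr, want ...string) bool {
	lit, ok := e.(*ast.BasicLit)
	if !ok || lit.Kind != token.STRING {
		return false
	}
	v, err := strconv.Unquote(lit.Value)
	if err != nil {
		return false
	}
	for _, w := range want {
		if v == w {
			return true
		}
	}
	return false
}

// shellCommand flags exec.Command("sh"|"bash", "-c", <non-literal>), where a
// dynamically built command string is handed to a shell.
func shellCommand(n ast.Node) (string, bool) {
	call, ok := n.(*ast.CallExpr)
	if !ok || len(call.Args) < 3 {
		return "", false
	}
	sel, ok := call.Fun.(*ast.SelectorExpr)
	if !ok || sel.Sel.Name != "Command" {
		return "", false
	}
	if pkg, ok := sel.X.(*ast.Ident); !ok || pkg.Name != "exec" {
		return "", false
	}
	if isStringLit(call.Args[0], "sh", "bash") && isStringLit(call.Args[1], "-c") {
		if _, lit := call.Args[2].(*ast.BasicLit); !lit {
			return "shell invoked with -c and a non-constant command string; pass arguments to the program directly instead", true
		}
	}
	return "", false
}

var rules = []Rule{
	{"hardcoded-secret", hardcodedSecret},
	{"shell-command-injection", shellCommand},
}

// Scan parses Go source text (it never runs it) and returns every rule match in source order.
func Scan(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		if n == nil {
			return false
		}
		for _, r := range rules {
			if msg, ok := r.Match(n); ok {
				out = append(out, Finding{r.Name, fset.Position(n.Pos()).Line, msg})
			}
		}
		return true
	})
	return out, nil
}

// sample is constructed input for the demo, not code from any real project.
const sample = `package demo

import "os/exec"

var apiKey = "sk-constructed-example"

func run(user string) error {
	password := "hunter2"
	_ = password
	cmd := exec.Command("sh", "-c", "ls "+user)
	return cmd.Run()
}
`

func main() {
	findings, err := Scan("sample.go", sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d [%s] %s\n", f.Line, f.Rule, f.Message)
	}
}
```

Each rule is a pure function over one syntax-tree node, which is the shape a YAML pattern in a tool like Semgrep or Globstar ultimately compiles down to; adding a rule means appending to the table, and the scanner never executes the code it inspects. Running the block reports the hard-coded `apiKey` and `password` literals on lines 5 and 8 of the sample and the shell invocation on line 10.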
He notes that while the change did not directly affect end users, it feeds an ongoing debate over whether open source should remain entirely unrestricted or evolve to ensure long-term viability.
In January 2025, ten DevSecOps firms, including Aikido Security, Arnica, Amplify Security, Endor Labs, Jit, Kodem, Legit Security, Mobb and Orca Security, formed a consortium to launch Opengrep. Traditionally fierce competitors, the consortium members plan to directly challenge Semgrep’s decision to limit functionality in favor of commercial gain. In a blog post, Endor Labs stated that static code analysis is “too important to restrict”.
However, it’s not yet clear if Opengrep merely repackages legacy code rather than offering a completely new solution.
The Rise of Open-Source Alternatives
DeepSource recognized a growing need among developers for a tool that does not inherit legacy constraints. “Enterprise customers don’t want to juggle multiple tools—it creates integration challenges and drives demand for an all-in-one solution,” explained Sanket. “Static analysis plays a crucial role in understanding code architecture, which is why we’ve positioned ourselves as a unified platform.”
DeepSource’s Globstar is not alone, however: several static code analysis alternatives have gained traction since the Semgrep licensing controversy. SonarQube, for instance, is a code analysis platform offered as a free Community Edition and in paid versions, covering static code analysis, integration support and metrics tracking. ShellCheck is a more specialised alternative for analyzing shell scripts; it helps developers catch scripting errors that could later lead to major bugs or inefficiencies, and it flags commands or syntax that may not be portable across different shell environments. Because it is easy to use, runs from the command line and integrates readily into CI/CD pipelines, ShellCheck has become an increasingly popular choice.
While Opengrep seeks to preserve a legacy tool’s open roots, alternatives such as SonarQube, Globstar and ShellCheck offer fresh, forward-looking approaches of their own. As the open-source debate unfolds, developers and enterprises face pivotal choices that may redefine the landscape of code analysis.