Open Source Alternatives in Semgrep License Dispute

The security community witnessed a seismic shift in January 2025 as rival companies united to launch OpenGrep, a fork of Semgrep’s static application security testing (SAST) tool. Once known for its community-driven open source spirit, Semgrep sparked controversy when it changed its licensing model in December 2024. The changes restrict the use of community-contributed rules in competing commercial products and move key functionality out of the open source edition.

Semgrep has become an important tool for developers around the world because of its ability to detect vulnerabilities across many programming languages. However, the company’s decisions threaten to stifle an area that is crucial to modern cybersecurity.

Amid the controversy, DevSecOps startup DeepSource has launched Globstar, a new open source toolkit for code security. Globstar was built from scratch and released under the MIT license, allowing unrestricted commercial use and full access to its code.

“With Globstar, we offer a new custom static analysis method that takes into account the needs of the security team. It emerged from the internal framework we developed for threat detection,” Sanket Saurav, co-founder and CEO of DeepSource, told me. “Semgrep has mastered its capabilities and our goal is to go a unique path. We see ourselves as an alternative, but an alternative that brings new perspectives to the space.”

The company has raised a total of $7.7 million in funding and is backed by Y Combinator investors.

Globstar is written in the Go programming language, is built on Tree-sitter parsers, and supports more than 20 programming languages. The toolkit offers an intuitive YAML interface for writing custom security checkers and a more advanced Go interface for complex cross-file analysis.
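To make concrete what a custom security checker does, here is an added example that is not Globstar’s, Semgrep’s or DeepSource’s code. It uses only Go’s standard library (`go/parser` and `go/ast`) rather than Tree-sitter, and the two rule names (`weak-hash`, `exec-nonlit`), the `Check` and `Finding` types and the `sample` source it scans are all constructed for this illustration. The point it shows is the one the article describes: the source is parsed and pattern-matched without ever being executed, and each match is reported with a file, line and column.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Finding is one diagnostic produced by a checker, carrying the position
// in the file:line:column form that CI tooling and editors consume.
type Finding struct {
	Rule    string
	Pos     token.Position
	Message string
}

// String renders a finding the way a command-line linter would print it.
func (f Finding) String() string {
	return fmt.Sprintf("%s:%d:%d: [%s] %s", f.Pos.Filename, f.Pos.Line, f.Pos.Column, f.Rule, f.Message)
}

// weakHashes lists the import paths the hypothetical "weak-hash" rule flags.
var weakHashes = map[string]bool{"crypto/md5": true, "crypto/sha1": true}

// Check parses Go source (it never runs it) and applies two hypothetical rules:
//   weak-hash:   importing crypto/md5 or crypto/sha1
//   exec-nonlit: calling exec.Command with a program name that is not a string literal
func Check(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding

	// Rule 1: inspect the import declarations.
	execName := "" // local name of os/exec, if imported (it may be aliased)
	for _, imp := range file.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		if weakHashes[path] {
			findings = append(findings, Finding{
				Rule:    "weak-hash",
				Pos:     fset.Position(imp.Pos()),
				Message: path + " is not collision resistant; prefer crypto/sha256 or stronger",
			})
		}
		if path == "os/exec" {
			execName = "exec"
			if imp.Name != nil {
				execName = imp.Name.Name
			}
		}
	}

	// Rule 2: walk every call expression in the syntax tree.
	ast.Inspect(file, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		pkg, ok := sel.X.(*ast.Ident)
		if !ok || execName == "" || pkg.Name != execName || sel.Sel.Name != "Command" || len(call.Args) == 0 {
			return true
		}
		if lit, isLit := call.Args[0].(*ast.BasicLit); isLit && lit.Kind == token.STRING {
			return true // constant program name: nothing to report
		}
		findings = append(findings, Finding{
			Rule:    "exec-nonlit",
			Pos:     fset.Position(call.Pos()),
			Message: "exec.Command called with a non-literal program name; verify it cannot be attacker-controlled",
		})
		return true
	})
	return findings, nil
}

// sample is constructed input for this demo; it is not code from any real project.
const sample = `package demo

import (
	"crypto/md5"
	"crypto/sha256"
	"os/exec"
)

func fingerprint(b []byte) [16]byte { return md5.Sum(b) }
func good(b []byte) [32]byte        { return sha256.Sum256(b) }

func run(userTool string) error {
	_ = exec.Command("ls", "-l")        // literal program name: not flagged
	return exec.Command(userTool).Run() // variable program name: flagged
}
`

func main() {
	findings, err := Check("sample.go", sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Running it prints two findings, one per rule: the `crypto/md5` import and the `exec.Command(userTool)` call. A real rule engine adds what this sketch omits, such as type information to resolve aliases reliably and data-flow tracking to tell a hard-coded variable from a request parameter, which is exactly the cross-file analysis the article says Globstar reserves for its Go interface.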

“When a project is forked, it often requires taking a different trajectory, but innovation can be limited when it is restricted to building on top of existing products,” Sanket said. “We created a system that simplifies the process of writing custom code inspectors.”

Business Necessity and Open Source Saving

On December 13, 2024, Semgrep modified its licensing model to prevent community-contributed rules from being used in competing commercial products without authorization. Additionally, the company renamed its open source version “Semgrep CE” (Community Edition). Semgrep claims that its licensing changes are essential to protecting its intellectual property and ensuring sustainable income. The company believes that restricting commercial use can help curb unauthorized repackaging and support long-term innovation.

“When engineers write code to solve problems, static analysis examines the code without execution, identifying patterns and potential issues early in the development process. Semgrep is a respected player in the field, and I take it seriously,” Sanket said. “But their shift in licensing for commercial users reflects a broader reality: Companies powered by VCs must balance open source principles with sustainable business models.”

He noted that while the change did not directly affect end users, it sparked ongoing debate on whether open source should be completely unrestricted or developed to ensure long-term viability.

In January 2025, 10 DevSecOps companies, including Aikido Security, Arnica, Amplify Security, Endor Labs, Jit, Kodem, Legit Security, Mobb and Orca Security, launched OpenGrep. The new alliance directly challenges Semgrep’s decision to restrict functionality for commercial gain. In a blog post, Endor Labs notes that static code analysis is “too important to limit.”

However, it is not yet clear whether OpenGrep will simply repackage the existing code or provide a genuinely new solution.

The rise of open source alternatives

DeepSource recognizes growing demand among developers for tools that do not inherit legacy constraints. “Enterprise customers don’t want to juggle multiple tools, which creates integration challenges and drives the need for an all-in-one solution,” explains Sanket. “Static analysis plays a crucial role in understanding code architecture, which is why we position ourselves as a unified platform.”

However, DeepSource’s Globstar is not alone: several static code analysis alternatives have gained traction since the Semgrep licensing dispute. For example, SonarQube is a code analysis platform that offers a free community edition and paid versions for static code analysis, integration support and metric tracking. Likewise, ShellCheck is another alternative, specifically built to analyze shell scripts and help developers catch scripting mistakes that can later lead to serious bugs or inefficiencies. It flags commands or syntax that may not be portable across different shell environments. Thanks to its ease of use – it runs from the command line and integrates easily into a CI/CD pipeline – ShellCheck has become an increasingly popular choice.

While OpenGrep attempts to preserve the open roots of the established tool, alternatives like SonarQube, Globstar and ShellCheck offer fresh, forward-looking solutions. As the open source debate unfolds, developers and businesses will face key choices that may redefine the code analysis landscape.
