Semgrep Forked by Nine Application Security Service Providers
A group of nine application security service providers announced they would "fork" the popular code-scanning project Semgrep, creating a new codebase, after a series of moves by the eponymous startup made it more difficult for the firms to use the open source software in their own products.
Background of the Fork
The companies — Aikido Security, Arnica, Amplify Security, Endor Labs, Jit, Kodem, Legit Security, Mobb, and Orca Security — embarked on the initiative after Semgrep announced it had moved some capabilities of its open source engine into the startup’s paid version. Dubbed Opengrep, the new project remains under the same license as the Semgrep Community Edition, the GNU Lesser General Public License (LGPL), but will restore advanced features and the ability to export results in JSON and SARIF formats, as well as create an open source database of rules.
Similar Forks in the Open Source Community
This is not the first time a fork has occurred in the open source community. For example, Elasticsearch was forked to create OpenSearch, giving the community an open version of the Elasticsearch database to keep using.
Semgrep’s Response to the Fork
In Semgrep’s case, founder O’Malley argues that the company has an incentive to keep the Community Edition well-maintained and strong, while the Opengrep team has not demonstrated that its product will be an improvement. Two parallel projects are never ideal, he says.
Concerns About Forks in Open Source
"Multiple forks can create confusion, making it harder for individuals to know where to contribute and what’s actively maintained," O’Malley says. "That’s always a risk with fragmentation in open source. Our priority is keeping Semgrep CE strong, well-maintained, and growing. Developers and security engineers relying on it should feel confident that we’re committed to its long-term success and a thriving ecosystem."