Opengrep vs. Semgrep: Some Thoughts


I’ve been waiting to see if Semgrep themselves would react to the announcement of the formation of Opengrep, an open-source fork of the Semgrep engine:

We’re launching Opengrep, a fork of SemgrepCE (formerly SemgrepOSS), in response to recent changes by Semgrep that affect its open-source nature and shift focus to its paid offering, limiting access and innovation for the broader community.

Luke O’Malley, founder and CPO of Semgrep, responds here:

As maintainers, we’re glad to see commercial competitors using Semgrep’s Community Edition (CE), many of whom are excellent community members. However, last year we discovered a small number of companies distributing the semgrep-rules repository in violation of its existing Commons Clause license.

The Opengrep coalition includes several application security startups who have ticked their “SAST” box by dropping in Semgrep (and presumably semgrep-rules): Aikido, Arnica, and Jit all apparently rely on Semgrep for SAST scanning.

So do we here at Codacy, under a commercial agreement with Semgrep that allows us to continue using semgrep-rules.

So, if you’re a happy Codacy customer utilising Semgrep within the product, there is no need for alarm.

What’s Going On?

We find ourselves on a strange battleground. What were point scanners must now become application security posture management (ASPM) tools to survive, precisely because the scanners the commercial ASPMs rely upon are open source and so no longer differentiate anyone on their own.

Tooling will always flag more security vulnerabilities than it is feasible to fix, so the value of a commercial offering has to lie in adding a layer of intelligence on top of these raw results so that triage and remediation can happen effectively.

If Semgrep want to get paid, they must compete for the same dollars as Jit, Aikido, et al., and therefore they must stop giving their new competitors their functionality for free!

Everyone is realising that giving your IP away for free to gain traction in the market is a far more complex proposition than it might have seemed 2-5 years ago. (You can also see moves by our friends at Sonar to close the source of some of their tools; the SonarC# and SonarVB scanners are becoming less and less available for commercial use.)

Interestingly, as per my last post on DAST consolidation, the point scanners that stayed closed were bought instead.

Investors in Probely and Dazz have cashed out, whereas Checkmarx has “bought” the open-source ZAP tool. We wait to see how much development effort will continue to go into the open-source flavour of ZAP versus whatever additions Checkmarx feels it needs for itself.

Is Open-Source Security Dead?

Fundamentally, I think giving away security tools for free is a losing game in a market that is increasingly willing to pay for access to code security tools. Startups like Privado, who have hung their hats on an open-source version to drum up business, will have to cross the same Rubicon as Semgrep in time.

We already leverage 35 open-source scanners, largely developed by and for developer communities rather than as teaser rates for commercial offerings. Not much will change in Codacy-land. When forks like Opengrep come along, we’re in a great position to evaluate them and add them to our arsenal as appropriate.

But the real money in this game will always come from managing the outputs of these tools: allowing easy and rapid configuration and deployment, and tracking success metrics.

Hi, we’re Codacy. We do all of that, for all your code quality and security needs.
