The security community witnessed a seismic shift in January 2025, as rival companies united to launch Opengrep—a fork of the static application security testing tool Semgrep. Once celebrated for its community-driven open-source ethos, Semgrep ignited controversy when it altered its licensing model in December 2024. The licensing changes restricted the use of contributed rules in commercial products and moved key features behind a paywall.
Semgrep became an essential tool for developers worldwide because of its ability to detect vulnerabilities across multiple programming languages. Nonetheless, the company's decision risks stifling innovation in an area vital to modern cybersecurity.
Amid the controversy, DevSecOps startup DeepSource launched Globstar, a new open-source toolkit for code security. Built from scratch and released under the MIT license, Globstar says it aims to offer unrestricted commercial use and full public access to its code.
“Through Globstar, we’re offering a fresh approach to custom static analysis, designed with the needs of security teams in mind. It emerged from an internal framework we had developed for threat detection,” Sanket Saurav, co-founder and CEO of DeepSource, told me. “Semgrep is already in capable hands, and our goal was to take a different path. We see ourselves not as a replacement, but as another player who brings a new perspective to the space.”
The company has raised a total of $7.7M in funding and is currently backed by Y Combinator investors.
Written in Go and built on Tree-sitter, Globstar supports over 20 programming languages. The toolkit offers an intuitive YAML interface for writing custom security checkers and a more sophisticated Go interface for complex, cross-file analysis.
“When a project is forked, it often takes a different trajectory—but when constrained to building on top of an existing product, innovation can be limited,” said Sanket. “We created a system that simplifies the process of writing custom code checkers.”
Business Necessity Versus Open-Source Preservation
On Dec. 13, 2024, Semgrep revised its licensing model to restrict third-party use of contributed rules in competing commercial products without authorization. The company also rebranded its open-source version as “Semgrep CE” (Community Edition). Semgrep maintains that the licensing changes are necessary to protect its intellectual property and ensure sustainable revenue, and that restricting commercial use curbs unauthorized repackaging and supports long-term innovation.
“When engineers write code to solve a problem, static analysis examines the code without executing it, identifying patterns and potential issues early in the development process. Semgrep is a respected player in this space, and I hold them in high regard,” said Sanket. “Nonetheless, their shift in licensing for commercial users reflects a broader reality: VC-backed companies must balance open-source principles with sustainable business models.”
He notes that while the change did not directly affect end users, it feeds an ongoing debate about whether open source should remain entirely unrestricted or evolve to ensure long-term viability.
In January 2025, 10 DevSec firms, including Aikido Security, Arnica, Amplify Security, Endor Labs, Jit, Kodem, Legit Security, Mobb and Orca Security, formed a consortium to launch Opengrep. Traditionally fierce competitors, the new consortium plans to directly challenge Semgrep’s decision to limit functionality in favor of commercial gain. In a blog post, Endor Labs stated that static code analysis is “too vital to limit”.
Nonetheless, it is not yet clear whether Opengrep merely repackages legacy code rather than offering a genuinely new solution.
The Rise of Open-Source Alternatives
DeepSource recognized a growing need among developers for a tool that doesn’t inherit legacy constraints. “Enterprise customers don’t want to juggle multiple tools—it creates integration challenges and drives demand for an all-in-one solution,” explained Sanket. “Static analysis plays an important role in understanding code architecture, which is why we’ve positioned ourselves as a unified platform.”
DeepSource’s Globstar is not alone, however: several static code analysis alternatives have gained traction following the Semgrep licensing controversy. For instance, SonarQube is a code analysis platform that offers both a free Community Edition and paid editions, covering static code analysis, integration support and metrics tracking. Likewise, ShellCheck is an alternative aimed specifically at shell scripts; it helps developers catch scripting errors that could later lead to major bugs or inefficiencies, and it flags commands or syntax that may not be portable across different shell environments. Because it is easy to use, runs from the command line and integrates simply into CI/CD pipelines, ShellCheck has become an increasingly popular choice.
While Opengrep seeks to preserve a legacy tool’s open roots, alternatives like SonarQube, Globstar and ShellCheck offer a fresh, forward-looking option. As the open-source debate unfolds, developers and enterprises face pivotal decisions that may redefine the landscape of code analysis.
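To make the portability point concrete, here is an added example (not from the article, and not ShellCheck's own code): a tiny POSIX sh check that flags a few bash-only constructs the way ShellCheck would, beside a CI-style wrapper that defers to the real `shellcheck` binary when it is installed. The pattern list and the two sample scripts are constructed for the demonstration.

```shell
#!/bin/sh
# Toy portability check: flag constructs that work in bash but not in a
# plain POSIX sh (`[[ ]]`, `function`, `declare -a`, `echo -e`, `source`).
# The list is an illustrative assumption, far smaller than ShellCheck's rule set.
# Returns 0 when the script looks portable, 1 otherwise, printing each hit
# as "line:text" so it reads like a linter report in CI logs.
check_portability() {
    script="$1"
    pat='\[\[|(^|[[:space:]])(function |declare -[aA]|echo -[en]|source )'
    hits=$(grep -nE "$pat" "$script" || true)   # grep exits 1 on no match
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample scripts: the first uses bashisms under a #!/bin/sh
# shebang, the second is the portable rewrite of the same logic.
write_samples() {
    cat > "$1" <<'EOF'
#!/bin/sh
if [[ -n "$1" ]]; then
    echo -e "arg: $1"
fi
EOF
    cat > "$2" <<'EOF'
#!/bin/sh
if [ -n "$1" ]; then
    printf 'arg: %s\n' "$1"
fi
EOF
}

# CI-style gate: use the real ShellCheck (targeting POSIX sh) when present,
# otherwise fall back to the toy check so the pipeline still fails on bashisms.
lint_script() {
    if command -v shellcheck >/dev/null 2>&1; then
        shellcheck -s sh "$1"
    else
        check_portability "$1"
    fi
}
```

A non-zero exit from `lint_script` is what a CI job keys on, so the portability defect is caught before the script ever runs on a stricter shell.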