Opengrep - The Security Industry Deserves Better
Why on earth would anyone fork a successful open-source security project with a vibrant community?
I was at an off-site last week and largely disconnected from the world. In truth, I largely disconnected myself from getting fed news about the state of the world, given the inauguration. I wish I never reconnected when I got home, but when I did get back online, I had an email from a respected journalist asking my opinion on Opengrep, a fork of Semgrep, the excellent open-source SAST scanning engine. I have a lot of respect for the team behind Semgrep, so I was baffled why anyone would feel the need to do that.
My first point of call was to read posts from the Semgrep team, who I personally know to be upstanding humans, and then read the homepage at opengrep.dev, with an open mind.
Having tried to help ZAP raise money to sustain their open-source project last year, it was immediately obvious to me that a similar narrative, pushed then by a similar set of vendors, was at play here.
Why Fork?
So why on earth would anyone fork a successful open-source security project with a vibrant community? There are a lot of free-loaders in the world of software: companies who build on other people's hard work and who don't fairly contribute back to the projects they are making money off. It's perfectly legal as long as they stay within the license terms, and sadly a fact of life. Life ain't always fair. Open-source is, and has always been, hard. It always will be. There are circumstances where I think this is actually reasonable, using a logging library for example, but there is a difference when it's also core to your business and you are making money from it. It’s a moral obligation not to profit at the expense of others' hard work and goodwill, beyond leveraging the power of open-source economics. It also makes good business sense to ensure that the core is sustainable and not to bite the hand that feeds you. By trying to split the sustainability of the core of an open-source project, and risking pissing off the people and community around it, you are on the face of it hurting your own interests, unless of course you have other issues happening behind the scenes.
The people behind Opengrep are essentially claiming that they have done this because Semgrep has done an open-source rug-pull. They haven’t. From what I can read into this, this fork appears to be simply self-serving, but wrapped up in FUD and misinformation. This is not in the best interest of the ‘community at large’ as they claim, it’s in their own financial best interest, so let's pull it apart.
The Value of Open-Core
Semgrep’s open-core business model is to license the core scanning engine as open-source, and then build and sell additional value on top of that. That's the very definition of the open-core model; we do the same at CrashOverride with Chalk. In Semgrep’s case that additional value is three things: advanced rules, additional product features and support.
The real issue for these vendors is that without free access to that additional value, which many people evidently consider worth paying for, their companies will have to build it themselves on their own dime, or be faced with a product that is inferior to the one that Semgrep successfully sells.
The two core pieces of technology being cited are the core engine and the ruleset.
On their homepage they state "On December 13th, 2024, Semgrep announced license changes to its OSS engine, and moved critical features behind the commercial license." This is an alternative truth, and yes, that phrase is chosen intentionally. Below is a screen shot of the actual truth.
Luke O’Malley, one of the Semgrep founders, posted on LinkedIn to clarify this. The screen shot above is from his post.
To quote Luke, “Semgrep's LGPL-2.1 license remains unchanged. The only license update is semgrep/semgrep-rules, which transitioned from a generic non-OSI license (Commons Clause w/ LGPL 2.1) to a custom non-OSI license (Semgrep Rule License) that clarifies our policy on the distribution of the subset of rules we maintain.”
One of the other things that really struck me was the negative intimations about open-core business models, used to try to justify what they have done.
Their site claims this will result in "A better and more capable scanning engine by not hiding essential metadata and new scanning capabilities behind a login.", and that "As much as the changes have been positioned as only affecting other SaaS providers, their walling of experimental and “Pro” features stunted the capabilities of its open-source scanner."
The way I, and several other people who are deep in the open-source world read this, is that they are implying that open-core is not a model they think is appropriate for Semgrep, or the security community at large. Give us all your hard work for us to do what we want with it, including making money off you.
Well frankly fuck you, because I take umbrage at that. It's always been the case since Semgrep started that they are open-core and none of their messaging about democratizing security scanning for developers has ever contradicted that. If they don’t like it, then they should never have bundled it, or built a business on top of it. Open-core is a tried, tested and widely accepted business model that has worked for the likes of Elastic, Kafka and Neo4J, in fact I would suggest that the vast majority of the DevOps tooling we all build on today has open-core deep in its ecosystem.
If you don’t like open-core then you have two choices. The first is don't build a business on it, and the second is to build your own value on top of it. What is not a choice is to build a business on it, realize you made a mistake and then cry wolf. Spreading disinformation and trying to publicly bully people who have invested millions and millions of dollars, spent countless hours beavering away, and who have already given you millions of dollars of their work for free is not OK.
Playing by the Rules
The second thing they are whining about are the rules. These are also one of the ‘value add’ features in the open-core model that Semgrep sells as part of their paid offering. The Semgrep rule license was always clear to the likes of Trail of Bits and GitLab, which produce and maintain their own rule-sets under their own licenses. You could certainly argue there was some level of interpretation in the rule license wording, but unless you didn’t pass basic English, it's clear to see the intent, so trying to claim it's a rug-pull is just predatory. My daughter, who is training to be a barrister, will tell you that many criminal cases that test the law are settled by judges who rule on the side of common sense where there is a clear understanding of the intent of the law, even if there was ambiguity in its wording. The very point of updating the rule license, as confirmed by the Semgrep team, is to clarify it moving forward with no retroactive impact. It’s not someone pulling the rug and doing it retroactively.
None of this stops anyone bundling the community edition of Semgrep. In many cases it’s good enough, and where it's not, there is an upsell for Semgrep into their pro editions. We have a design partner that is using Chalk to deploy Semgrep Community Edition in order to replace their current commercial closed-source SAST deployment, and save massive amounts of money, seven figures. They are realistic that if the community edition won’t give them what they want, they will upgrade to pro and still save a boat load of money. Be grateful that someone is offering you a free sandwich, don't be a bully and demand you get their ice-cream as well.
Consortium?
It’s interesting to note the companies behind this refer to themselves as a consortium. From their homepage:
"This is why a consortium of 10+ organizations in the application security space, including Aikido Security, Arnica, Amplify, Endor Labs, Jit, Kodem, Legit, Mobb, Orca Security, and others have united behind Opengrep."
That’s actually nine, but who's counting. The Cambridge dictionary definition of a consortium is an organization of several businesses or banks joining together as a group for a shared purpose. Seems accurate, but I don't think the shared purpose is for the good of the community or altruistic open-source values. As far as I can see from the commit history of Semgrep, none of these companies, the so-called consortium, have made any significant contributions in the past. Perhaps because they don’t have the technical skills, perhaps for another reason, but certainly not because they were making them in their fork, which so far shows little change beyond text changes.
I have heard a few people on LinkedIn say that Opengrep is laudable. I think it's deplorable, and the companies behind it should be ashamed of themselves. Some are the same companies that bundle and make money from ZAP, but never contributed back, and would have rather seen that project collapse than chip in a fair amount. It's what the Brits call having “a bit of form”, and that's not complimentary slang.
I hope the community and ultimate purchasers will see through this, vote with their wallets and boycott the consortium's products. This type of behavior should not be rewarded, and the security industry deserves better.
The Future has a History
That said, I am confident that history will just repeat itself, so perhaps best to just sit back and watch. As Paul Graham said: "If you find yourself competing with someone who could be described as an opportunist, you don't have to worry much. Opportunists, almost by definition, lack staying power. Usually all you have to do is keep going, and they'll fall away."
When I was discussing this with a CSO friend over WhatsApp, he jokingly said, “If they are so passionate about totally free open-source, why aren’t their products fully open-source?” It’s a fair question, and I would love to hear their answers. People in glass houses and all that.