Open-Source Tool Sparks Controversy With Unusual Licensing Change


The Controversy Surrounding Semgrep’s Licensing Model: A Shift in the Open-Source Landscape

In January 2025, the security community witnessed a seismic shift with the launch of Opengrep, a fork of the static application security testing tool Semgrep. The move was a response to Semgrep's altered licensing model, which restricted the use of contributed rules in commercial products and moved key features behind a paywall. This change has sparked a heated debate about the future of open-source software and its viability as a sustainable business model.

Semgrep, once celebrated for its community-driven open-source ethos, had become an essential tool for developers worldwide because of its ability to detect vulnerabilities across multiple programming languages. However, the company's decision to limit functionality in favor of commercial gain has raised concerns about the potential stifling of innovation in this critical area of modern cybersecurity.

In response to Semgrep's licensing controversy, DevSecOps startup DeepSource launched Globstar, a new open-source toolkit for code security. Built from scratch and released under the MIT license, Globstar aims to provide unrestricted commercial use and full public access to its code. According to Sanket Saurav, co-founder and CEO of DeepSource, Globstar is designed to offer a fresh approach to custom static analysis, tailored to the needs of security teams.

“We are not seeing ourselves as a replacement for Semgrep, but rather an alternative that brings a new perspective to the space,” Sanket explained. “Through Globstar, we aim to provide a unified platform that simplifies the process of writing custom code checkers and offers an intuitive YAML interface for creating security checkers.”

Globstar is written in Go, builds on Tree-sitter for parsing, and supports over 20 programming languages. The toolkit offers advanced analysis capabilities, including cross-file analysis, and is designed to simplify the process of writing custom code checkers.

The launch of Globstar has been met with significant investment, with DeepSource raising a total of $7.7M in funding from Y-Combinator investors. This backing reflects the growing demand for open-source alternatives to traditional static code analysis tools.

Semgrep's revised licensing model has sparked controversy among developers and industry experts. The company claims that its changes are necessary to protect intellectual property and ensure sustainable revenue. However, critics argue that these restrictions could limit the growth of open-source software and stifle innovation in this critical area.

“When engineers write code to solve a problem, static analysis examines the code without execution, identifying patterns and potential issues early in the development process,” said Sanket. “Semgrep is a respected player in this space, and I hold them in high regard. However, their shift in licensing for commercial users reflects a broader reality: VC-backed companies must balance open-source principles with sustainable business models.”

The debate surrounding Semgrep's licensing model highlights the ongoing challenge of balancing open-source principles with sustainable business models. As venture capital-backed companies continue to grow and evolve, they face increasing pressure to adapt their business models while maintaining the integrity of their open-source software.

DeepSource recognized a growing need among developers for a tool that does not inherit legacy constraints. “Enterprise customers don’t want to juggle multiple tools—it creates integration challenges and drives demand for an all-in-one solution,” explained Sanket. “Static analysis plays a crucial role in understanding code architecture, which is why we’ve positioned ourselves as a unified platform.”

However, DeepSource's Globstar is not alone. Several static code analysis alternatives have gained traction following Semgrep's licensing controversy. SonarQube, for instance, offers both a free Community Edition and paid versions, providing static code analysis, integration support, and metrics tracking. ShellCheck provides an open-source alternative to shell-specific security tools, offering developers a more comprehensive solution for shell scripts.

The growing demand for fresh perspectives in the field of static code analysis reflects a broader trend towards innovation and flexibility in the open-source landscape. As developers and enterprises face pivotal choices that may redefine the landscape of code analysis, it is essential to consider the implications of these decisions on innovation, sustainability, and the integrity of our open-source tools.

In conclusion, the controversy surrounding Semgrep's licensing model serves as a catalyst for exploring the complexities of open-source software and its relationship with sustainable business models. As we navigate this evolving landscape, it is essential to prioritize innovation, flexibility, and the integrity of our open-source tools to ensure that they continue to meet the demands of developers and enterprises worldwide.

The future of open-source software is built on the principles of collaboration, transparency, and sustainability. By embracing these values and continuing to push the boundaries of innovation, we can ensure that open-source software remains a vital component of our technological infrastructure.
