OpenGrep

Suphi Cankurt
+7 Years in AppSec
Updated March 12, 2026
Key Takeaways
  • Community fork of Semgrep CE (LGPL-2.1) that restores taint analysis, inter-procedural scanning, fingerprinting, and Windows support removed from the Community Edition.
  • Backward compatible with Semgrep's rule format, JSON output, and SARIF output: existing rules and CI pipelines work without modification.
  • Supports 30+ languages with taint tracking across 12 languages; Visual Basic support is exclusive to OpenGrep (not available in Semgrep).
  • Maintained by a consortium of 10+ appsec companies (Aikido, Endor Labs, Jit, Orca Security, and others) with a dedicated full-time OCaml development team.

OpenGrep is a community-maintained, LGPL-2.1 fork of Semgrep CE, the popular open-source SAST engine. It was created in January 2025 after Semgrep moved cross-function taint analysis and other features behind its commercial platform.

Governance is the main thing that sets it apart: a consortium of 10+ application security vendors maintains the project jointly, so no single vendor controls the roadmap.

OpenGrep restores the features that Semgrep removed from CE (taint analysis, inter-procedural scanning, fingerprinting, and Windows support) and keeps them free under LGPL-2.1.

The project has 2,100+ GitHub stars and stays backward compatible with Semgrep's rule format, JSON output, and SARIF output. Existing rules and CI pipelines work without changes.

For a direct head-to-head, see the OpenGrep vs Semgrep comparison.

What Is OpenGrep?

OpenGrep is a community-maintained fork of Semgrep's Community Edition, created in 2025 when Semgrep Inc. relicensed parts of the CE engine. Instead of a single-company project, OpenGrep is governed by a consortium of 10+ appsec vendors so no individual company can restrict features again.

It is a static code analysis engine written primarily in OCaml. It uses pattern-matching rules that look like the source code they scan, so no regex or custom DSL is needed. The engine covers 30+ languages and runs locally.

Figure: OpenGrep CLI scan output showing taint analysis findings (a critical SQL injection and two warnings, with taint propagation paths highlighted). OpenGrep detects the SQL injection by tracing tainted input through inter-method calls to the SQL sink.
Languages: 30+ including Python, JavaScript, TypeScript, Java, Go, C, C++, C#, Ruby, Rust, Kotlin, PHP, Swift, Visual Basic
Rule format: YAML-based, Semgrep-compatible
Output formats: JSON, SARIF 2.1.0, human-readable console
Taint analysis: Constructor tracking, inter-method propagation, higher-order function support across 12 languages
Platforms: Linux, macOS, Windows (including ARM)
License: LGPL-2.1
Binary signing: Cosign-signed releases
Codebase: OCaml 75.0%, Python 13.1%, Java 3.8%
Contributors: 189 contributors, 9,400+ commits
Current version: 1.16.4 (March 2026)
30+ Languages
Covers Apex, Bash, C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby, Rust, Kotlin, PHP, Swift, Scala, Terraform, Dockerfile, Visual Basic, and more. Visual Basic support is exclusive to OpenGrep.
Taint Analysis
Tracks tainted data through constructors, field assignments, inter-method calls, higher-order functions, and collection operations like map, filter, and reduce. Available across 12 languages.
Semgrep Compatible
Backward compatible with Semgrep's rule format, JSON output, and SARIF 2.1.0 output. Existing rules, CI pipelines, and integrations work without modification.

OpenGrep vs Semgrep: Key Differences

OpenGrep is fully backward compatible with Semgrep's rule format, JSON output, and SARIF output, so existing Semgrep rules and CI pipelines work without modification.

Three differences matter. The OpenGrep CLI is 100% open-source under LGPL-2.1. Features Semgrep moved behind its commercial platform (cross-function taint analysis, fingerprinting, tracking ignores) are free in OpenGrep. And Visual Basic is supported in OpenGrep but not in Semgrep.

Governance is the other split. OpenGrep is steered by a consortium of 10+ vendors, not a single company.

For the full head-to-head, including feature tables, detection benchmarks, and licensing trade-offs, see OpenGrep vs Semgrep.

Key features

Taint analysis

OpenGrep's taint engine tracks data flow through code.

When user-controlled input reaches a vulnerable sink like a SQL query or OS command, the scanner flags it.

Taint tracking covers constructor and field assignment tracking, inter-method propagation, higher-order function support across 12 languages, and collection method tainting (map, filter, reduce). Enable it with the --taint-intrafile flag.

Figure: OpenGrep taint analysis data flow. Untrusted input flows from request.GET through build_query() into cursor.execute(), triggering a critical SQL injection finding; OpenGrep flags each hop.
What Semgrep restricted
Semgrep moved taint analysis, fingerprinting, meta-variable tracking, and certain language support out of the Community Edition (CE). OpenGrep restores all of these under LGPL-2.1.
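The taint path in the figure above (request.GET through build_query() into cursor.execute()), written out as an added example that is not code from the OpenGrep project. FakeRequest is a constructed stand-in for a Django-style request object; the in-memory SQLite table is sample data. The comments mark the roles a Semgrep-compatible taint rule assigns (source, propagator, sink), and the hardened function shows why a parameterised query breaks the chain.

```python
import sqlite3


class FakeRequest:
    """Constructed stand-in for a web request; only .GET matters here."""
    def __init__(self, params):
        self.GET = params


def build_query(username):
    # Propagator: taint on the argument flows into the returned string.
    return "SELECT id, email FROM users WHERE name = '" + username + "'"


def lookup_user_vulnerable(request, cursor):
    # Source: request.GET is attacker-controlled.
    name = request.GET.get("name", "")
    # Sink: the still-tainted string reaches cursor.execute().
    cursor.execute(build_query(name))
    return cursor.fetchall()


def lookup_user_safe(request, cursor):
    name = request.GET.get("name", "")
    # Parameterised query: the value is bound, never spliced into SQL text,
    # so the taint engine sees no tainted argument in the query position.
    cursor.execute("SELECT id, email FROM users WHERE name = ?", (name,))
    return cursor.fetchall()


def make_db():
    """Sample table (constructed) so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    cur.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "a@example.com"), (2, "o'brien", "ob@example.com")])
    return cur


def demo(name):
    """Run both lookups on the same input; the vulnerable one breaks on a quote."""
    cur = make_db()
    safe = lookup_user_safe(FakeRequest({"name": name}), cur)
    try:
        vuln = lookup_user_vulnerable(FakeRequest({"name": name}), cur)
    except sqlite3.OperationalError as exc:
        vuln = "error: " + str(exc)
    return safe, vuln
```

A name containing an apostrophe is enough to show the difference: the parameterised query returns the row, while the string-built query fails to parse, which is the same property that lets the injected text change the statement.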

Pattern-matching rules

Rules resemble the source code they target. To find insecure YAML loading in Python, you write a rule that looks like yaml.load(...) rather than building a regex.

rules:
  - id: insecure-yaml-load
    pattern: yaml.load(...)
    message: "Use yaml.safe_load() instead of yaml.load()"
    languages: [python]
    severity: WARNING

Existing Semgrep community rulesets work as-is. Same YAML format with pattern, message, languages, and severity fields.

Language support

OpenGrep supports 30+ languages. Notable differences from the Semgrep CE baseline:

  • Visual Basic: Exclusive to OpenGrep, not available in Semgrep CE or Semgrep Code
  • Apex, Elixir: Restored from Semgrep's restricted set
  • C#: Improved support (version 14)
  • PHP: Version 8.4 support
  • Clojure: Added taint analysis support
  • Generic mode: Handles ERB, Jinja, and other template formats

Windows support

OpenGrep runs natively on Windows alongside macOS and Linux. The Semgrep CE project dropped Windows support.

OpenGrep restored it, including ARM binaries and a PowerShell install script.

Consortium governance

The project is maintained by a consortium rather than a single company. Member organizations:

  • Aikido Security, Arnica, Amplify, Endor Labs, Jit, Kodem, Legit, Mobb, Orca Security, Phoenix Security

A dedicated full-time development team builds the core engine. The stated plan is to move the project under foundation management.

Supported Languages

OpenGrep covers 30+ languages out of the box, including the full Semgrep CE baseline plus additions and restorations. The full list (from the project's language manifest): Apex, Bash, C, C++, C#, Clojure, Dart, Dockerfile, Elixir, Go, HTML, Java, JavaScript, JSON, Jsonnet, JSX, Julia, Kotlin, Lisp, Lua, OCaml, PHP, Python, R, Ruby, Rust, Scala, Scheme, Solidity, Swift, Terraform, TSX, TypeScript, Visual Basic, XML, and YAML.

Compared to Semgrep CE, the notable differences are:

  • Visual Basic: exclusive to OpenGrep; Semgrep has never shipped Visual Basic support
  • Apex and Elixir: restored from the set Semgrep restricted
  • C#: improved support (version 14)
  • PHP: version 8.4 support
  • Clojure: added taint analysis support
  • Generic mode: handles ERB, Jinja, and other template formats

Taint tracking is available across 12 of these languages.

How to Install OpenGrep

Linux/macOS: curl -fsSL https://raw.githubusercontent.com/opengrep/opengrep/main/install.sh | bash
Windows: irm https://raw.githubusercontent.com/opengrep/opengrep/main/install.ps1 | iex
Binaries: Download from GitHub Releases

All release binaries are Cosign-signed.

Getting started

1. Install OpenGrep: Use the install script for your platform, or download a signed binary from GitHub Releases.
2. Run a scan: Run opengrep scan -f rules/ . where rules/ points to your YAML rule directory. The scanner produces human-readable output with progress bars.
3. Use Semgrep rules: Any Semgrep-compatible ruleset works. Drop in your existing custom rules or community rulesets without changes.
4. Export results: Use --sarif-output=results.sarif for SARIF 2.1.0 output, or pipe JSON output into your existing CI/CD workflow.
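Step 4 leaves the CI gating to you. The script below is an added example (not OpenGrep's own tooling) that reads a SARIF 2.1.0 file and returns a non-zero exit code when any unsuppressed finding is at a blocking level. SAMPLE_SARIF is a constructed document trimmed to the fields the gate reads; the tool name, rule ids and paths in it are made up, and the handling of the "suppressions" field assumes the Semgrep-style marking of in-source ignores.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 sample in the shape OpenGrep/Semgrep emit; not real scanner output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "opengrep", "rules": [
            {"id": "python.sqli.taint", "defaultConfiguration": {"level": "error"}},
            {"id": "insecure-yaml-load", "defaultConfiguration": {"level": "warning"}}]}},
        "results": [
            {"ruleId": "python.sqli.taint", "level": "error",
             "message": {"text": "Tainted input reaches cursor.execute()"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "insecure-yaml-load",  # no per-result level: falls back to the rule default
             "message": {"text": "Use yaml.safe_load() instead of yaml.load()"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/config.py"},
                                                 "region": {"startLine": 7}}}]},
            {"ruleId": "insecure-yaml-load", "level": "warning",
             "suppressions": [{"kind": "inSource"}],  # assumed marking of an in-source ignore
             "message": {"text": "suppressed"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixture.py"},
                                                 "region": {"startLine": 3}}}]}]}]})


def findings(sarif_text):
    """Flatten SARIF results into (rule_id, level, uri, line), skipping suppressed ones."""
    doc = json.loads(sarif_text)
    out = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        defaults = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning") for r in rules}
        for res in run.get("results", []):
            if res.get("suppressions"):
                continue
            level = res.get("level") or defaults.get(res.get("ruleId"), "warning")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append((res.get("ruleId"), level,
                        loc.get("artifactLocation", {}).get("uri", "?"),
                        loc.get("region", {}).get("startLine", 0)))
    return out


def gate(sarif_text, fail_on=("error",)):
    """Return (exit_code, counts by level); exit_code is 1 when a blocking finding exists."""
    found = findings(sarif_text)
    blocking = [f for f in found if f[1] in fail_on]
    for rule, level, uri, line in blocking:
        print(f"{level.upper()}: {rule} at {uri}:{line}")
    return (1 if blocking else 0), dict(Counter(f[1] for f in found))
```

Run it against results.sarif from step 4 (for example, `sys.exit(gate(open("results.sarif").read())[0])`) and widen fail_on to ("error", "warning") once the warning backlog is clean.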

Is OpenGrep Production-Ready?

Yes. The 10+ appsec vendors that back the consortium (Aikido Security, Arnica, Amplify, Endor Labs, Jit, Kodem, Legit, Mobb, Orca Security, and Phoenix Security) already run OpenGrep in production pipelines. The project has 189+ contributors and 9,500+ commits. A full-time OCaml team builds the core engine, and new releases ship on a roughly weekly cadence through 2026.

Release binaries are Cosign-signed for supply chain verification, and the engine runs on Linux, macOS, and Windows (including ARM). Because OpenGrep keeps Semgrep's rule format and SARIF output, most teams can swap the binary into an existing CI workflow without changes.

When to use OpenGrep

OpenGrep fits teams that want Semgrep’s scanning engine without commercial licensing restrictions.

If you already have Semgrep community rules or custom rules, OpenGrep is a drop-in replacement that adds taint analysis, Visual Basic support, and Windows binaries.

The consortium governance model means no single vendor controls the project's direction. If you've been burned by an open-source tool going commercial before, that's the pitch here.

For a comparison with the Semgrep AppSec Platform, see the Semgrep review. For a broader SAST comparison, see SAST tools.

Best for
Teams that want Semgrep-compatible static analysis with taint tracking, 30+ language support, and Windows binaries, all under LGPL-2.1 with no commercial restrictions.

Frequently Asked Questions

What is OpenGrep?
OpenGrep is a community-maintained fork of Semgrep CE that restores features Semgrep removed from the Community Edition, including taint analysis, inter-procedural scanning, and Windows support. A consortium of 10+ application security companies backs the project, including Aikido Security, Endor Labs, Jit, and Orca Security.
How does OpenGrep differ from Semgrep?
Semgrep moved several scanning engine features behind commercial licensing, including taint analysis, certain language support, fingerprinting, and meta-variable tracking. OpenGrep restores all of these under LGPL-2.1. It is backward compatible with Semgrep's rule format, JSON output, and SARIF output.
Is OpenGrep free?
Yes. OpenGrep is fully open-source under LGPL-2.1 with no commercial tier. All features are available in the free version. The project plans to move under foundation management to guarantee its open-source future.
Can I use my existing Semgrep rules with OpenGrep?
Yes. OpenGrep maintains backward compatibility with Semgrep's rule format. Existing custom rules and community rulesets work without modification.
Who maintains OpenGrep?
A consortium of 10+ application security companies maintains OpenGrep, including Aikido Security, Arnica, Amplify, Endor Labs, Jit, Kodem, Legit, Mobb, Orca Security, and Phoenix Security. A dedicated full-time development team builds the core engine in OCaml.