OpenGrep
Category: SAST
License: LGPL-2.1
Suphi Cankurt
AppSec Enthusiast
Updated February 8, 2026
Key Takeaways
  • Community fork of Semgrep CE (LGPL-2.1) that restores taint analysis, inter-procedural scanning, fingerprinting, and Windows support removed from the Community Edition.
  • Backward compatible with Semgrep's rule format, JSON output, and SARIF output—existing rules and CI pipelines work without modification.
  • Supports 30+ languages with taint tracking across 12 languages; Visual Basic support is exclusive to OpenGrep (not available in Semgrep).
  • Maintained by a consortium of 10+ appsec companies (Aikido, Endor Labs, Jit, Orca Security, and others) with a dedicated full-time OCaml development team.

OpenGrep is a SAST tool and community fork of Semgrep CE. It restores scanning features that Semgrep moved behind commercial licensing — taint analysis, inter-procedural scanning, fingerprinting, and Windows support — under the LGPL-2.1 license.

The project has 2,100+ GitHub stars and is backed by a consortium of 10+ application security companies.

The fork launched in January 2025 after Semgrep restricted several capabilities from Semgrep CE. OpenGrep keeps backward compatibility with Semgrep’s rule format, JSON output, and SARIF output. Existing rules and CI pipelines work without changes.

What is OpenGrep?

OpenGrep is a static code analysis engine built primarily in OCaml. Its rules are patterns that look like the source code they match, so you write the shape of the code you want to find (for example yaml.load(...)) rather than a regex. The engine covers 30+ languages and runs locally.

Languages: 30+ including Python, JavaScript, TypeScript, Java, Go, C, C++, C#, Ruby, Rust, Kotlin, PHP, Swift, Visual Basic
Rule format: YAML-based, Semgrep-compatible
Output formats: JSON, SARIF 2.1.0, human-readable console
Taint analysis: constructor tracking, inter-method propagation, higher-order function support across 12 languages
Platforms: Linux, macOS, Windows (including ARM)
License: LGPL-2.1
Binary signing: Cosign-signed releases
Codebase: OCaml 75.0%, Python 13.1%, Java 3.8%
Contributors: 189 contributors, 9,400+ commits
Current version: 1.16.1 (February 2026)
30+ Languages

Covers Apex, Bash, C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby, Rust, Kotlin, PHP, Swift, Scala, Terraform, Dockerfile, Visual Basic, and more. Visual Basic support is exclusive to OpenGrep.

Taint Analysis

Tracks tainted data through constructors, field assignments, inter-method calls, higher-order functions, and collection operations like map, filter, and reduce. Available across 12 languages.

Semgrep Compatible

Backward compatible with Semgrep’s rule format, JSON output, and SARIF 2.1.0 output. Existing rules, CI pipelines, and integrations work without modification.

Key features

Taint analysis

OpenGrep’s taint engine follows data flow through code. When user-controlled input (a source) reaches a dangerous sink such as a SQL query string or an OS command without passing through a sanitizer, the scanner reports the sink.

Taint tracking covers constructor and field assignment tracking, inter-method propagation, higher-order function support across 12 languages, and collection method tainting (map, filter, reduce). Single-function taint rules (mode: taint) run without extra flags; the --taint-intrafile flag turns on the intra-file, cross-function propagation.
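To make taint mode concrete, here is an added example, not code from OpenGrep or from this page’s author: a taint rule for Flask request data reaching a SQL query string, a constructed Flask file annotated with the lines the rule should and should not report, and a driver that writes both to a temporary directory and runs opengrep with and without --taint-intrafile when the binary is on PATH. The rule id, file names and the Flask app are my own; the CLI flags (scan, -f, --json, --taint-intrafile) are the ones this page names, so confirm them against opengrep scan --help for your version.

```python
"""Taint-mode walkthrough. Added example; not OpenGrep's own code.
The rule, file names and Flask app are constructed for the demo; the CLI
flags (scan, -f, --json, --taint-intrafile) are those this page describes."""
import json
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Source: Flask request data. Sink: the query argument of cursor.execute().
# Sanitizer: int(). focus-metavariable limits the sink to $QUERY, so a tainted
# parameter tuple passed as the second argument is not reported.
TAINT_RULE = """\
rules:
  - id: flask-sqli-taint
    mode: taint
    languages: [python]
    severity: ERROR
    message: "Request data reaches a SQL query string; use a parameterized query"
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
    pattern-sanitizers:
      - pattern: int(...)
    pattern-sinks:
      - patterns:
          - pattern: $CURSOR.execute($QUERY, ...)
          - focus-metavariable: $QUERY
"""

# Constructed target. "ruleid:" marks a line the rule should report, "ok:" one
# it should not; this is the annotation style Semgrep-format rule tests use.
SAMPLE_APP = '''\
import sqlite3
from flask import Flask, request

app = Flask(__name__)


def run_query(cur, sql):
    # Sink inside a helper: reported only with cross-function propagation.
    # ruleid: flask-sqli-taint
    cur.execute(sql)


@app.route("/user")
def user():
    cur = sqlite3.connect("app.db").cursor()
    # ruleid: flask-sqli-taint
    cur.execute("SELECT * FROM users WHERE name = '%s'" % request.args.get("name"))
    run_query(cur, "SELECT * FROM users WHERE id = %s" % request.args.get("id"))
    # ok: flask-sqli-taint (int() is a sanitizer)
    cur.execute("SELECT * FROM users WHERE id = %d" % int(request.args.get("id")))
    # ok: flask-sqli-taint (parameterized: the tuple is tainted, the query is not)
    cur.execute("SELECT * FROM users WHERE id = ?", (request.args.get("id"),))
    return "ok"
'''


def write_demo(root: Path) -> Tuple[Path, Path]:
    """Lay out rules/ and src/ under root; returns (rules_dir, src_dir)."""
    rules, src = root / "rules", root / "src"
    rules.mkdir(parents=True, exist_ok=True)
    src.mkdir(parents=True, exist_ok=True)
    (rules / "flask-sqli-taint.yaml").write_text(TAINT_RULE)
    (src / "app.py").write_text(SAMPLE_APP)
    return rules, src


def expected_lines(source: str, rule_id: str) -> List[int]:
    """1-based line numbers that directly follow a '# ruleid: <rule_id>' comment."""
    marker = f"# ruleid: {rule_id}"
    return [i + 2 for i, text in enumerate(source.splitlines()) if text.strip() == marker]


def scan_lines(rules: Path, src: Path, intrafile: bool) -> Optional[List[int]]:
    """Run opengrep and return reported line numbers, or None if it is not installed."""
    if shutil.which("opengrep") is None:
        return None
    cmd = ["opengrep", "scan", "--json", "-f", str(rules)]
    if intrafile:
        cmd.append("--taint-intrafile")
    cmd.append(str(src))
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    report = json.loads(proc.stdout)
    return sorted(r["start"]["line"] for r in report["results"])


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        rules_dir, src_dir = write_demo(Path(tmp))
        print("annotated sink lines:", expected_lines(SAMPLE_APP, "flask-sqli-taint"))
        for flag in (False, True):
            got = scan_lines(rules_dir, src_dir, intrafile=flag)
            if got is None:
                print("opengrep not on PATH; demo files are under", tmp)
                break
            print(f"--taint-intrafile={flag}: reported lines {got}")
```

Without --taint-intrafile the taint analysis stays inside user(), so only the direct cur.execute() on line 17 is a candidate; the helper run_query() receives the tainted string through a parameter, and its cur.execute(sql) on line 10 can only be reported once cross-function propagation is on. The two ok: lines show why the sink focuses on $QUERY rather than the whole call: a parameterized query carries the tainted value in the tuple, not in the SQL string, and a sink on the whole call would report it as a false positive.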

What Semgrep restricted
Semgrep moved taint analysis, fingerprinting, meta-variable tracking, and certain language support out of the Community Edition (CE). OpenGrep restores all of these under LGPL-2.1.

Pattern-matching rules

Rules resemble the source code they target. To find insecure YAML loading in Python, you write a rule that looks like yaml.load(...) rather than building a regex.

rules:
  - id: insecure-yaml-load
    pattern: yaml.load(...)
    message: "Use yaml.safe_load() instead of yaml.load()"
    languages: [python]
    severity: WARNING

Existing Semgrep community rulesets work as-is. Same YAML format with pattern, message, languages, and severity fields.

Language support

OpenGrep supports 30+ languages. Notable differences from the Semgrep CE baseline:

  • Visual Basic: Exclusive to OpenGrep, not available in Semgrep CE or Semgrep Code
  • Apex, Elixir: Restored from Semgrep’s restricted set
  • C#: Improved support (version 14)
  • PHP: Version 8.4 support
  • Clojure: Added taint analysis support
  • Generic mode: Handles ERB, Jinja, and other template formats

Windows support

OpenGrep runs natively on Windows alongside macOS and Linux. Semgrep CE does not ship native Windows binaries; OpenGrep provides them, including ARM builds and a PowerShell install script.

Consortium governance

The project is maintained by a consortium rather than a single company. Member organizations:

  • Aikido Security, Arnica, Amplify, Endor Labs, Jit, Kodem, Legit, Mobb, Orca Security, Phoenix Security

A dedicated full-time development team builds the core engine. The stated plan is to move the project under foundation management.

Installation

Linux/macOS: curl -fsSL https://raw.githubusercontent.com/opengrep/opengrep/main/install.sh | bash
Windows: irm https://raw.githubusercontent.com/opengrep/opengrep/main/install.ps1 | iex
Binaries: download from GitHub Releases

All release binaries are Cosign-signed. Piping an install script from a raw GitHub URL straight into a shell executes whatever the main branch serves at that moment, so for CI pin a release version, download the binary from GitHub Releases, and verify its signature with cosign verify-blob before running it.

Getting started

1. Install OpenGrep — Use the install script for your platform, or download a signed binary from GitHub Releases.
2. Run a scan — Run opengrep scan -f rules/ . where rules/ points to your YAML rule directory. The scanner produces human-readable output with progress bars.
3. Use Semgrep rules — Any Semgrep-compatible ruleset works. Drop in your existing custom rules or community rulesets without changes; keep them in the repository or a pinned checkout so the scan does not depend on a hosted registry being reachable.
4. Export results — Use --sarif-output=results.sarif for SARIF 2.1.0 output, or --json to feed findings into your existing CI/CD workflow.

When to use OpenGrep

OpenGrep fits teams that want Semgrep’s scanning engine without commercial licensing restrictions. If you already have Semgrep community rules or custom rules, OpenGrep is a drop-in replacement that adds taint analysis, Visual Basic support, and Windows binaries.

The consortium governance model means no single vendor controls the project’s direction. If you’ve been burned by an open-source tool going commercial before, that’s the pitch here.

For a comparison with the Semgrep AppSec Platform, see our Semgrep review. For a broader SAST comparison, see SAST tools.

Best for
Teams that want Semgrep-compatible static analysis with taint tracking, 30+ language support, and Windows binaries — all under LGPL-2.1 with no commercial restrictions.

Frequently Asked Questions

What is OpenGrep?
OpenGrep is a community-maintained fork of Semgrep CE that restores features Semgrep removed from the Community Edition, including taint analysis, inter-procedural scanning, and Windows support. A consortium of 10+ application security companies backs the project, including Aikido Security, Endor Labs, Jit, and Orca Security.
How does OpenGrep differ from Semgrep?
Semgrep moved several scanning engine features behind commercial licensing, including taint analysis, certain language support, fingerprinting, and meta-variable tracking. OpenGrep restores all of these under LGPL-2.1. It is backward compatible with Semgrep’s rule format, JSON output, and SARIF output.
Is OpenGrep free?
Yes. OpenGrep is fully open-source under LGPL-2.1 with no commercial tier. All features are available in the free version. The project plans to move under foundation management to guarantee its open-source future.
Can I use my existing Semgrep rules with OpenGrep?
Yes. OpenGrep maintains backward compatibility with Semgrep’s rule format. Existing custom rules and community rulesets work without modification.
Who maintains OpenGrep?
A consortium of 10+ application security companies maintains OpenGrep, including Aikido Security, Arnica, Amplify, Endor Labs, Jit, Kodem, Legit, Mobb, Orca Security, and Phoenix Security. A dedicated full-time development team builds the core engine in OCaml.