
OpenGrep vs Semgrep


Written by Suphi Cankurt

Key Takeaways
  • OpenGrep is a community fork of Semgrep CE created in January 2025 after Semgrep moved cross-function taint analysis, fingerprinting, and other features behind the commercial platform.
  • Both tools are LGPL-2.1 at the CLI level and share the same rule format, JSON output, and SARIF output — existing Semgrep rules work on OpenGrep without modification.
  • OpenGrep restores cross-function taint tracking across 12 languages and fingerprinting; it also adds Visual Basic support not available in Semgrep.
  • Semgrep's commercial AppSec Platform adds cross-file dataflow analysis (Semgrep Code), SCA with reachability (Supply Chain), Secrets detection, and AI-assisted triage — free for up to 10 contributors.
  • OpenGrep is backed by a consortium of 10+ appsec companies including Aikido, Endor Labs, Jit, and Orca Security, with a dedicated full-time OCaml development team.

Which is better: OpenGrep or Semgrep?

OpenGrep is a community fork of Semgrep Community Edition that restores cross-function taint analysis, fingerprinting, and other features Semgrep moved behind its commercial platform in late 2024. OpenGrep is the better choice for a free, standalone SAST CLI. Semgrep is the better choice for an all-in-one AppSec platform with cross-file analysis, SCA, and secrets scanning.

The fork happened in January 2025 after Semgrep Inc. moved several CE features into its proprietary platform. A consortium of appsec companies (Aikido, Endor Labs, Jit, Orca Security, and others) forked the last fully-featured CE codebase to keep those capabilities under the original LGPL-2.1 license. The result is two tools that share the same rule format and core engine but serve different purposes.

OpenGrep is a pure open-source CLI with restored advanced analysis and no commercial layer. Semgrep is the original tool backed by a commercial platform that adds cross-file dataflow analysis (Semgrep Code), SCA with reachability (Supply Chain), Secrets detection, and AI-assisted triage, free for up to 10 contributors.

What are the differences?

| Feature | OpenGrep | Semgrep |
| --- | --- | --- |
| License | LGPL-2.1 | LGPL-2.1 (CE) / Commercial (Platform) |
| Origin | Community fork of Semgrep CE (Jan 2025) | Original tool by Semgrep Inc. (formerly r2c) |
| GitHub Stars | 2,100+ | 14,300+ |
| Languages | 30+ (including Visual Basic) | 30+ |
| Taint Analysis | Yes, cross-function (12 languages) | CE: Single-function only / Semgrep Code: Cross-function + cross-file |
| Cross-Function Scanning | Yes | CE: No / Semgrep Code: Yes |
| Cross-File Analysis | No | Semgrep Code (Platform) |
| Rule Compatibility | Semgrep rule format (backward compatible) | Native rule format |
| Community Rules | Semgrep community rules (compatible) | 3,000+ community rules |
| SCA / Dependency Scanning | No | Semgrep Supply Chain (Platform) |
| Secrets Detection | No | Semgrep Secrets (Platform) |
| AI Features | No | Semgrep Assistant (triage and fixes) |
| Windows Support | Yes | CE: Yes (restored Fall 2025) / Platform: N/A |
| Commercial Platform | No (CLI only) | Yes (AppSec Platform) |
| Backing | Consortium of 10+ appsec companies | Semgrep Inc. (venture-backed) |

OpenGrep vs Semgrep: how do they compare?

Why does OpenGrep exist?

OpenGrep was created in January 2025 after Semgrep Inc. moved cross-function taint analysis, fingerprinting, tracking ignores, and certain meta-variable features from Semgrep Community Edition into its commercial platform. A consortium of 10+ application security companies forked the last fully-featured CE codebase under the LGPL-2.1 license to keep those capabilities freely available.

The fork was not hostile. It was a pragmatic response from companies whose products depended on Semgrep CE features that were no longer free. Aikido, Endor Labs, Jit, and Orca Security are among the backers, and a dedicated full-time OCaml development team maintains the project. OpenGrep’s stated goal is to keep advanced SAST analysis open-source and community-driven.

Are OpenGrep and Semgrep rules compatible?

Yes. OpenGrep is fully backward compatible with Semgrep’s rule format, JSON output, and SARIF output. Existing Semgrep community rules, custom YAML rules, and third-party rule packs all run on OpenGrep without modification. CI pipelines that consumed Semgrep CE output can switch to OpenGrep by swapping the binary.

Teams migrating from Semgrep CE to OpenGrep do not need to rewrite rules or reconfigure output parsing. As of early 2026, compatibility remains intact. Whether it holds long-term depends on how much the two projects diverge. OpenGrep already has Visual Basic support that Semgrep lacks, and further differences in language support and analysis features are likely over time.

How do OpenGrep and Semgrep features compare?

OpenGrep has more features than Semgrep CE but fewer than the Semgrep AppSec Platform. The comparison breaks into two parts.

Against Semgrep CE, OpenGrep has the advantage. It restores cross-function taint tracking across 12 languages, result fingerprinting for deduplication, and tracking ignores. It also adds Visual Basic support that Semgrep has never offered. Semgrep CE has since restored native Windows support (Fall 2025), but the taint analysis and fingerprinting features remain platform-only. For teams that relied on those CE features before the license change, OpenGrep is the direct replacement.
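Two claims above are easy to check in practice: that a Semgrep-format rule and a JSON-consuming CI step work unchanged when the binary is swapped, and that the interesting taint cases are the ones where the tainted value crosses a function boundary before reaching the sink. The following is an added example written for this page; it is not code from OpenGrep, Semgrep, or the author. It writes a taint rule in the shared rule format together with a small target whose source and sink sit in different functions, runs whichever of `opengrep` or `semgrep` is on the PATH (the `scan --config ... --json` invocation is assumed to be accepted identically by both, as the page's compatibility claim implies), and then applies a CI gate to the JSON report. The rule id, the `flask.request.args.get` / `os.system` source-sink pair, the sample report values, and the "requires login" placeholder text that the gate treats as "no fingerprint" are all assumptions for this example; when no scanner is installed the gate runs on the constructed report instead.

```python
"""Added example (not from either project): a Semgrep-format taint rule, a toy
target, and a CI gate that reads the JSON output of `semgrep` or `opengrep`."""
import json
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Constructed rule in the shared rule format. The rule id, message and the
# flask.request.args.get -> os.system source/sink pair are assumptions for this
# example, not rules from either project's registry.
TAINT_RULE = """\
rules:
  - id: example-taint-request-to-shell
    mode: taint
    languages: [python]
    severity: ERROR
    message: user-controlled input reaches os.system
    pattern-sources:
      - pattern: flask.request.args.get(...)
    pattern-sinks:
      - pattern: os.system(...)
"""

# Constructed target: the tainted value passes through build_cmd() before the
# sink, so only cross-function taint tracking can connect source to sink.
TARGET = """\
import os
import flask

def build_cmd(name):
    return "ls " + name

def handler():
    name = flask.request.args.get("dir")
    os.system(build_cmd(name))
"""

# Constructed JSON report in the shape both tools emit (results[].check_id,
# path, start/end, extra.severity, extra.fingerprint); all values are made up.
SAMPLE_REPORT = {
    "results": [
        {"check_id": "example-taint-request-to-shell", "path": "app.py",
         "start": {"line": 9, "col": 5}, "end": {"line": 9, "col": 31},
         "extra": {"severity": "ERROR", "fingerprint": "a1b2c3", "message": "..."}},
        # The same finding reported twice (e.g. overlapping scan paths).
        {"check_id": "example-taint-request-to-shell", "path": "app.py",
         "start": {"line": 9, "col": 5}, "end": {"line": 9, "col": 31},
         "extra": {"severity": "ERROR", "fingerprint": "a1b2c3", "message": "..."}},
        # Without a real fingerprint (Semgrep CE emits a placeholder, assumed
        # here to read "requires login") the gate keys on check_id:path:line.
        {"check_id": "example-warn", "path": "app.py",
         "start": {"line": 12, "col": 1}, "end": {"line": 12, "col": 20},
         "extra": {"severity": "WARNING", "fingerprint": "requires login", "message": "..."}},
        {"check_id": "example-warn", "path": "util.py",
         "start": {"line": 3, "col": 1}, "end": {"line": 3, "col": 20},
         "extra": {"severity": "WARNING", "fingerprint": "requires login", "message": "..."}},
    ],
    "errors": [],
}


def finding_key(result: dict) -> str:
    """Dedup key: the tool's fingerprint when it is a real one, else check_id:path:line."""
    fp = result.get("extra", {}).get("fingerprint", "")
    if fp and "requires login" not in fp:  # placeholder text is an assumption; adjust to your binary
        return fp
    return f'{result["check_id"]}:{result["path"]}:{result["start"]["line"]}'


def gate(report: dict, fail_on: tuple = ("ERROR",)) -> dict:
    """Deduplicate findings and derive the CI exit code from their severities."""
    unique = {}
    for r in report.get("results", []):
        unique.setdefault(finding_key(r), r)
    blocking = [r for r in unique.values() if r["extra"]["severity"] in fail_on]
    return {"unique": len(unique), "blocking": len(blocking),
            "exit_code": 1 if blocking else 0}


def run_scanner(binary: str, rule: Path, target: Path) -> Optional[dict]:
    """Invoke the scanner if installed. The flags mirror `semgrep scan` and are
    assumed to be accepted unchanged by opengrep."""
    if shutil.which(binary) is None:
        return None
    proc = subprocess.run([binary, "scan", "--config", str(rule), "--json", str(target)],
                          capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout else None


def main() -> int:
    with tempfile.TemporaryDirectory() as d:
        rule, target = Path(d, "rule.yml"), Path(d, "app.py")
        rule.write_text(TAINT_RULE)
        target.write_text(TARGET)
        report = None
        for binary in ("opengrep", "semgrep"):  # same rule, same flags, either binary
            report = run_scanner(binary, rule, target)
            if report is not None:
                break
    verdict = gate(report if report is not None else SAMPLE_REPORT)
    print(json.dumps(verdict))
    return verdict["exit_code"]


if __name__ == "__main__":
    raise SystemExit(main())
```

The gate is the part that survives a binary swap: it only depends on the `results[]` fields both tools emit. Keying on the fingerprint when one is present and on `check_id:path:line` otherwise is what lets the same pipeline run against OpenGrep (real fingerprints) and Semgrep CE (placeholder) without a configuration change; once a scanner is installed, compare the number of unique findings it reports on the target against the one cross-function finding the rule is written to catch.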

Against the Semgrep AppSec Platform, OpenGrep falls short. Semgrep Code provides cross-file dataflow analysis that OpenGrep does not have. According to Semgrep’s own benchmarks, Semgrep Code detects 72% of vulnerabilities in WebGoat compared to 48% with CE alone. The Platform also includes SCA with reachability analysis (Supply Chain), Secrets detection, and AI-assisted triage (Assistant). OpenGrep is a CLI-only scanner with no dashboard, policy management, or SCA capabilities.

What is the licensing difference?

Both tools share the LGPL-2.1 license at the engine level, but OpenGrep is entirely open-source while Semgrep splits free and paid features across two tiers.

OpenGrep has no commercial tier, no paid features, and no platform. Every capability, including taint analysis and fingerprinting, is free under LGPL-2.1.

Semgrep CE is also LGPL-2.1, but cross-file analysis, SCA, secrets scanning, and AI triage live in the proprietary AppSec Platform. The Platform is free for up to 10 contributors. Beyond that threshold, it requires a commercial license.

For organizations where open-source licensing is a hard requirement (government agencies, companies with strict procurement policies, or teams that need to audit every line of code they run), OpenGrep is the simpler choice since there is no commercial component to evaluate.

When should you choose OpenGrep?

OpenGrep is the better choice when you need a free, full-featured SAST CLI without any commercial dependencies. Choose OpenGrep if:

  • You need cross-function taint analysis across 12 languages in a free, open-source tool
  • LGPL-2.1 licensing with no commercial components is a strict procurement requirement
  • You need result fingerprinting and tracking ignores without paying for a platform license
  • Your codebase includes Visual Basic, which Semgrep does not support
  • You want to use the 3,000+ Semgrep community rules without depending on Semgrep Inc.
  • You are building a security product that embeds a SAST engine and need a fully open-source core

When should you choose Semgrep?

Semgrep is the better choice when you need a managed AppSec platform that goes beyond single-tool SAST scanning. Choose Semgrep if:

  • You need cross-file dataflow analysis (Semgrep Code detects 72% of WebGoat vulnerabilities vs. 48% with CE)
  • You want SCA with reachability analysis and secrets detection from a single vendor
  • Dashboards, policy management, and team collaboration features are important to your workflow
  • AI-assisted triage and auto-fix would reduce your remediation workload
  • Your team has fewer than 10 contributors and qualifies for the free Platform tier
  • You want access to 20,000+ proprietary rules in addition to the 3,000+ community rules

The choice often comes down to scope. OpenGrep is the better standalone SAST CLI. Semgrep is the better end-to-end AppSec platform. Teams that already use separate SCA and secrets tools may find OpenGrep sufficient for the SAST layer. Teams consolidating their security toolchain into fewer vendors may prefer Semgrep’s all-in-one approach.

For a broader view of static analysis options, see the full SAST tools category.

Frequently Asked Questions

What is OpenGrep?

OpenGrep is a community fork of Semgrep Community Edition, launched in January 2025 after Semgrep Inc. moved cross-function taint analysis, fingerprinting, and tracking ignores behind its commercial AppSec Platform. A consortium of 10+ application security companies (including Aikido, Endor Labs, Jit, and Orca Security) forked the last fully-featured CE codebase to keep those capabilities freely available under the LGPL-2.1 license. OpenGrep restores cross-function taint tracking across 12 languages and adds Visual Basic support that Semgrep has never offered. The project is maintained by a dedicated full-time OCaml development team. OpenGrep is a CLI-only tool with no commercial tier or paid features. It uses the same rule format, JSON output, and SARIF output as Semgrep, so existing rules and CI pipelines work without modification.

Are Semgrep rules compatible with OpenGrep?

Yes. OpenGrep is fully backward compatible with Semgrep’s rule format, JSON output, and SARIF output. All 3,000+ Semgrep community rules, custom YAML rules, and third-party rule packs run on OpenGrep without any modification. CI pipelines that consumed Semgrep CE output can switch to OpenGrep by replacing the binary, with no changes to output parsing or rule configuration. As of early 2026, this compatibility remains fully intact. However, since both projects now develop independently, long-term parity is not guaranteed. OpenGrep already supports Visual Basic, which Semgrep does not, and further differences in language support and analysis features are likely to emerge over time.

Is OpenGrep completely free?

Yes. OpenGrep is a free, open-source CLI tool licensed under LGPL-2.1 with no commercial tier, paid features, or platform subscription. Every capability is available at no cost, including cross-function taint analysis across 12 languages, result fingerprinting for deduplication, and tracking ignores. This is a key differentiator from Semgrep, where the free Community Edition lost several of these features in late 2024 when Semgrep Inc. moved them behind the commercial AppSec Platform. OpenGrep exists specifically to keep those features freely available. The project is backed by a consortium of 10+ appsec companies and maintained by a full-time development team, so there is an organizational commitment to keeping it free and open-source long-term.

Which tool has more features: OpenGrep or Semgrep?

It depends on which Semgrep you are comparing to. OpenGrep has more features than Semgrep CE (the free CLI), since it restores cross-function taint analysis across 12 languages, fingerprinting, and tracking ignores that CE lost in late 2024. OpenGrep also supports Visual Basic, which Semgrep has never offered. However, the Semgrep AppSec Platform significantly exceeds OpenGrep’s capabilities. The Platform adds cross-file dataflow analysis (Semgrep Code), SCA with reachability analysis (Supply Chain), Secrets detection, AI-assisted triage (Assistant), dashboards, and policy management. According to Semgrep’s benchmarks, Semgrep Code detects 72% of vulnerabilities in WebGoat compared to 48% with CE alone. OpenGrep does not offer any of these platform-level features.

Will OpenGrep and Semgrep diverge over time?

Some divergence is likely and has already begun. OpenGrep supports Visual Basic, which Semgrep has never offered, and the two projects now have separate development teams making independent decisions about language support, analysis features, and rule capabilities. As of early 2026, rule format compatibility remains fully intact, meaning Semgrep community rules still work on OpenGrep without changes. However, maintaining perfect parity long-term is not guaranteed. The core OCaml engine code has the same origin, but each team may optimize, extend, or refactor in different directions. Teams choosing between the two should plan for the possibility that switching costs will increase over time as the codebases drift further apart.
About the author: Suphi Cankurt. 10+ years in application security. Reviews and compares 170 AppSec tools across 11 categories to help teams pick the right solution.