# Opengrep - Open Source Code Security Engine

## What is Opengrep?

Opengrep is a fork of Semgrep CE (Community Edition), launched in early 2025 by a consortium including JIT, Aikido Security, Endor Labs, and other companies. It was created in response to Semgrep's licensing changes that restricted community-contributed rules from being used in commercial products.

**Key Differences from Semgrep:**

- Fully open-source rules (no license restrictions)
- Community-driven governance
- No proprietary feature lock-in
- Compatible with Semgrep CE syntax and rules
- Focused on keeping critical features open
- Commercial integration friendly

## When to Use Opengrep

**Ideal scenarios:**

- Quick security scans (minutes, not hours)
- Pattern-based vulnerability detection
- Using community rules without license concerns
- Commercial product integration requiring open-source SAST
- Dataflow and taint analysis within files
- Multi-language security scanning
- First-pass security analysis before deeper tools
- When Semgrep licensing is a concern

**Consider CodeQL instead when:**

- You need interprocedural taint tracking across files
- Complex data flow analysis across modules is required
- You are analyzing custom proprietary frameworks that need deep integration

## When NOT to Use

Do NOT use this skill for:

- Complex cross-file data flow analysis (use CodeQL)
- Binary or compiled code analysis without source
- Deep semantic analysis requiring full program analysis
- Runtime vulnerability detection
- Secrets scanning (use Gitleaks)
- Dependency scanning (use OSV-Scanner or Depscan)

## Installation

```bash
# Homebrew
brew install opengrep

# pip
pip install opengrep

# pipx (recommended)
pipx install opengrep

# Docker
docker pull ghcr.io/opengrep/opengrep:latest

# From source
git clone https://github.com/opengrep/opengrep.git
cd opengrep
pip install -e .

# Verify
opengrep --version
```

## Core Workflow

### 1. Quick Scan

```bash
# Auto scan with default rules
opengrep scan .

# Scan with specific ruleset
opengrep scan -f p/security-audit .

# Multiple rulesets
opengrep scan -f p/owasp-top-ten -f p/cwe-top-25 .
```

### 2. SARIF Output

```bash
# Generate SARIF report
opengrep scan --sarif -o results.sarif .

# SARIF with specific rules
opengrep scan -f p/security-audit --sarif -o results.sarif .

# Filter by severity in SARIF
opengrep scan \
  --severity=WARNING \
  --severity=ERROR \
  --sarif \
  -o results.sarif \
  .
```

### 3. Advanced Scanning

```bash
# Enable dataflow traces
opengrep scan --dataflow-traces .

# Taint analysis (intra-file)
opengrep scan --taint-intrafile .

# Experimental features
opengrep scan --experimental .

# Combined: dataflow + taint + experimental
opengrep scan \
  --dataflow-traces \
  --taint-intrafile \
  --experimental \
  .
```

### 4. Custom Rules

```bash
# Local rule files
opengrep scan -f /path/to/rules .

# Multiple rule directories
opengrep scan -f ./rules -f ./custom-rules .

# Exclude specific rules
opengrep scan \
  -f p/security-audit \
  --exclude-rule="rule-id-to-skip" \
  .
```

## Rulesets

### Public Rulesets

| Ruleset | Description |
|---------|-------------|
| `p/default` | General security and code quality |
| `p/security-audit` | Comprehensive security rules |
| `p/owasp-top-ten` | OWASP Top 10 vulnerabilities |
| `p/cwe-top-25` | CWE Top 25 vulnerabilities |
| `p/trailofbits` | Trail of Bits security rules |
| `p/python` | Python-specific security |
| `p/javascript` | JavaScript/TypeScript security |
| `p/golang` | Go-specific security |
| `p/java` | Java security patterns |
| `p/ruby` | Ruby security patterns |

### Community Rules

```bash
# Clone community rules
git clone https://github.com/opengrep/opengrep-rules.git

# Use community rules
opengrep scan -f opengrep-rules/ .

# Trail of Bits rules (fully open)
git clone https://github.com/trailofbits/semgrep-rules.git
opengrep scan -f semgrep-rules/rules .
```

## Output Formats

```bash
# Text output (default)
opengrep scan .

# SARIF (for CI/CD)
opengrep scan --sarif .

# JSON
opengrep scan --json .

# JUnit XML
opengrep scan --junit-xml .

# GitLab SAST format
opengrep scan --gitlab-sast .

# Vim quickfix
opengrep scan --vim .

# Emacs format
opengrep scan --emacs .
```

## Configuration

### .opengrepignore

Create `.opengrepignore`:

```text
tests/fixtures/
**/testdata/
generated/
vendor/
node_modules/
__pycache__/
*.test.js
*.spec.ts
```

### Project Configuration

Create `.opengrep.yml`:

```yaml
rules:
  - id: custom-hardcoded-secret
    languages: [python, javascript]
    message: "Hardcoded secret detected"
    severity: ERROR
    pattern: |
      $VAR = "$SECRET"
    metadata:
      cwe: "CWE-798"
      owasp: "A07:2021 - Identification and Authentication Failures"

  - id: sql-injection-risk
    languages: [python]
    message: "Potential SQL injection"
    severity: ERROR
    mode: taint
    pattern-sources:
      - pattern: request.args.get(...)
    pattern-sinks:
      - pattern: cursor.execute($QUERY)
    pattern-sanitizers:
      - pattern: int(...)

exclude:
  - tests/
  - vendor/
```

Use config:

```bash
opengrep scan --config .opengrep.yml .
```

## CI/CD Integration (GitHub Actions)

```yaml
name: Opengrep Security Scan

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 0 * * 1'  # Weekly

# upload-sarif needs write access to the code-scanning API
permissions:
  contents: read
  security-events: write

jobs:
  opengrep:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install Opengrep
        run: pip install opengrep

      - name: Run Opengrep
        run: |
          opengrep scan \
            -f p/security-audit \
            -f p/owasp-top-ten \
            --dataflow-traces \
            --taint-intrafile \
            --experimental \
            --sarif \
            -o opengrep-results.sarif \
            --severity=WARNING \
            --severity=ERROR \
            --exclude=test \
            --exclude=tests \
            .

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: opengrep-results.sarif
          category: opengrep

      - name: Upload Results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: opengrep-results
          path: opengrep-results.sarif
```

## Writing Custom Rules

### Basic Rule Structure

```yaml
rules:
  - id: dangerous-eval
    languages: [javascript, python]
    message: "Use of eval() is dangerous"
    severity: ERROR
    patterns:
      - pattern: eval($CODE)
      - pattern-not: eval("...")  # Literal strings okay
```

### Pattern Syntax

| Syntax | Description | Example |
|--------|-------------|---------|
| `...` | Match anything | `func(...)` |
| `$VAR` | Capture metavariable | `$FUNC($INPUT)` |
| `<... ...>` | Deep expression match | `<... user_input ...>` |

### Pattern Operators

| Operator | Description |
|----------|-------------|
| `pattern` | Match exact pattern |
| `patterns` | All must match (AND) |
| `pattern-either` | Any matches (OR) |
| `pattern-not` | Exclude matches |
| `pattern-inside` | Match only inside context |
| `pattern-not-inside` | Match only outside context |
| `pattern-regex` | Regex matching |
| `metavariable-regex` | Regex on captured value |

### Taint Mode

```yaml
rules:
  - id: xss-vulnerability
    languages: [javascript]
    message: "User input flows to innerHTML (XSS risk)"
    severity: ERROR
    mode: taint
    pattern-sources:
      - pattern: req.query.$PARAM
      - pattern: req.body.$PARAM
    pattern-sinks:
      - pattern: $ELEMENT.innerHTML = $DATA
    pattern-sanitizers:
      - pattern: escapeHtml(...)
      - pattern: DOMPurify.sanitize(...)
```

## Common Use Cases

### 1. Comprehensive Security Audit

```bash
# Multi-ruleset scan
opengrep scan \
  -f p/security-audit \
  -f p/owasp-top-ten \
  -f p/cwe-top-25 \
  --dataflow-traces \
  --experimental \
  --sarif \
  -o security-audit.sarif \
  .
```

### 2. Language-Specific Scan

```bash
# Python security
opengrep scan \
  -f p/python \
  --taint-intrafile \
  --sarif \
  -o python-security.sarif \
  ./src

# JavaScript/TypeScript security
opengrep scan \
  -f p/javascript \
  -f p/typescript \
  --dataflow-traces \
  --sarif \
  -o js-security.sarif \
  ./frontend
```

### 3. Pre-commit Hook

```bash
# Scan staged files only
git diff --cached --name-only --diff-filter=ACMR | \
  grep -E '\.(py|js|ts|go|java|rb)$' | \
  xargs opengrep scan -f p/security-audit
```

### 5. Diff Scan (Changed Files Only)

```bash
# Scan only modified files
git diff --name-only origin/main...HEAD | \
  xargs opengrep scan -f p/security-audit --sarif -o diff-scan.sarif
```

## Suppressing False Positives

### Inline Suppressions

```python
# nosemgrep: rule-id
password = get_from_vault()

# Multiple rules
eval(safe_code)  # nosemgrep: dangerous-eval, code-injection
```

```javascript
// nosemgrep: xss-vulnerability
element.innerHTML = sanitizedContent;
```

### Configuration-Based Suppressions

```yaml
# .opengrep.yml
exclude-rules:
  - rule-id-1
  - rule-id-2

exclude-paths:
  - tests/
  - generated/
```

## Performance Optimization

```bash
# Limit to specific file types
opengrep scan --include='*.py' --include='*.js' .

# Exclude large directories
opengrep scan --exclude=node_modules --exclude=vendor .

# Set timeout per file
opengrep scan --timeout 60 .

# Disable experimental features for speed
opengrep scan -f p/security-audit .  # No --experimental
```

## Comparing with Semgrep

### Compatibility

Opengrep maintains compatibility with Semgrep CE:

- Same rule syntax (YAML)
- Same pattern language
- Same command-line interface
- Can use Semgrep rules directly

### Key Differences

| Feature | Opengrep | Semgrep CE |
|---------|----------|------------|
| **License** | LGPL 2.1 (fully open) | LGPL 2.1 (engine), restrictive rules |
| **Rules** | Fully open, no restrictions | Community rules have usage restrictions |
| **Governance** | Community consortium | r2c/Semgrep Inc. |
| **Commercial Use** | Unrestricted | Restricted for community rules |
| **Pro Features** | Being migrated to open | Proprietary |
| **Development** | Community-driven | Company-driven |

### Migration from Semgrep

```bash
# Rules are compatible - just change the binary
alias opengrep=semgrep  # For testing
opengrep scan -f p/security-audit .

# Update CI/CD configs
sed -i 's/semgrep/opengrep/g' .github/workflows/security.yml
```

## Supported Languages

- **Web**: JavaScript, TypeScript, JSX, TSX
- **Backend**: Python, Go, Java, Kotlin, Scala
- **Systems**: C, C++, Rust
- **Mobile**: Swift, Kotlin, Java
- **Scripting**: Ruby, PHP, Bash, Lua
- **Infrastructure**: Terraform, Dockerfile, YAML, JSON
- **Other**: C#, Elixir, Solidity, Apex

## Limitations

- **Intra-file taint only**: Cross-file dataflow requires CodeQL
- **Pattern-based**: Cannot understand complex program semantics
- **No runtime analysis**: Static analysis only
- **Performance**: Large codebases may be slow with all features enabled
- **Experimental features**: May have bugs or incomplete coverage

## Rationalizations to Reject

| Shortcut | Why It's Wrong |
|----------|----------------|
| "Opengrep found nothing = code is secure" | Pattern-based analysis can miss context-specific vulnerabilities |
| "Just use default rules" | Default rules are generic; custom rules for your stack are essential |
| "Skip dataflow/taint analysis for speed" | These features catch vulnerabilities simple patterns miss |
| "Semgrep and Opengrep are identical" | Licensing differences matter for commercial use; feature sets are diverging |
| "Don't need both Opengrep and CodeQL" | Complementary: Opengrep is fast/broad, CodeQL is deep/precise |

## References

- Repository: <https://github.com/opengrep/opengrep>
- Website: <https://www.opengrep.dev/>
- Rules Repository: <https://github.com/opengrep/opengrep-rules>
- Documentation: <https://www.opengrep.dev/docs/>
- Trail of Bits Rules: <https://github.com/trailofbits/semgrep-rules>
- Comparison with Semgrep: <https://semgrep.dev/docs/faq/comparisons/opengrep>
- Launch Announcement: <https://www.aikido.dev/blog/launching-opengrep-why-we-forked-semgrep>

**Articles:**

- [Opengrep vs. Semgrep: Some Thoughts](https://blog.codacy.com/opengrep-vs-semgrep)
- [Launching Opengrep | Why we forked Semgrep](https://www.aikido.dev/blog/launching-opengrep-why-we-forked-semgrep)
- [Opengrep Launches as Free Fork After Semgrep License Shift](https://thenewstack.io/opengrep-launches-as-free-fork-after-semgrep-license-shift/)
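## Appendix: Gating CI on the SARIF Report

The SARIF produced by `opengrep scan --sarif` (see the SARIF Output and CI/CD sections) is the natural place to enforce a merge gate. The script below is an added example, not part of this skill or of the Opengrep project: it parses SARIF 2.1.0 results, applies the same directory excludes as `--exclude=tests`, counts findings per level and exits non-zero on ERROR-level findings. `SAMPLE_SARIF` is a constructed report; only its rule ids are taken from this page's custom rules.

```python
"""Gate a CI job on an Opengrep SARIF report (added example, not project code).
Parses the SARIF 2.1.0 that `opengrep scan --sarif -o results.sarif` writes,
counts findings per level, drops excluded path prefixes (like --exclude=tests)
and exits non-zero when ERROR-level findings remain. SAMPLE_SARIF is a
constructed report; only its rule ids come from this page's custom rules."""
import json
import sys
from collections import Counter
from dataclasses import dataclass

# SARIF result levels, most to least severe. Rule severity ERROR maps to
# "error", WARNING to "warning", INFO to "note".
LEVEL_RANK = {"error": 3, "warning": 2, "note": 1, "none": 0}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str
    path: str
    line: int
    message: str


def load_findings(sarif: dict) -> list[Finding]:
    """Flatten every result of every run into Finding records."""
    findings: list[Finding] = []
    for run in sarif.get("runs", []):
        # A result may omit "level"; SARIF then falls back to the rule's
        # defaultConfiguration, so index this run's rules first.
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        defaults = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                    for r in rules}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "")
            level = res.get("level") or defaults.get(rule_id, "warning")
            text = res.get("message", {}).get("text", "")
            for loc in res.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                path = phys.get("artifactLocation", {}).get("uri", "")
                line = phys.get("region", {}).get("startLine", 0)
                findings.append(Finding(rule_id, level, path, line, text))
    return findings


def filter_paths(findings: list[Finding], exclude_prefixes: list[str]) -> list[Finding]:
    """Drop findings whose file sits under an excluded directory prefix."""
    return [f for f in findings
            if not any(f.path.startswith(p) for p in exclude_prefixes)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per SARIF level, e.g. {'error': 2, 'warning': 1}."""
    return dict(Counter(f.level for f in findings))


def should_fail(findings: list[Finding], fail_on: str = "error") -> bool:
    """True when any finding is at or above the fail_on level."""
    threshold = LEVEL_RANK[fail_on]
    return any(LEVEL_RANK.get(f.level, 0) >= threshold for f in findings)


def _loc(uri: str, line: int) -> dict:
    """Build one SARIF physical location (helper for the sample below)."""
    return {"physicalLocation": {"artifactLocation": {"uri": uri},
                                 "region": {"startLine": line}}}


# Constructed sample report, not real scanner output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Opengrep", "rules": [
            {"id": "sql-injection-risk", "defaultConfiguration": {"level": "error"}},
            {"id": "dangerous-eval", "defaultConfiguration": {"level": "error"}},
            {"id": "custom-hardcoded-secret", "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "sql-injection-risk", "level": "error",
             "message": {"text": "Potential SQL injection"}, "locations": [_loc("src/db.py", 42)]},
            # No explicit level: falls back to the rule default ("error").
            {"ruleId": "dangerous-eval", "message": {"text": "Use of eval() is dangerous"},
             "locations": [_loc("tests/test_eval.py", 7)]},
            {"ruleId": "custom-hardcoded-secret", "level": "warning",
             "message": {"text": "Hardcoded secret detected"}, "locations": [_loc("src/config.py", 3)]},
        ],
    }],
}


def main(argv: list[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF  # demo run on the constructed report
    findings = filter_paths(load_findings(sarif), ["tests/", "vendor/"])
    for f in sorted(findings, key=lambda f: -LEVEL_RANK.get(f.level, 0)):
        print(f"{f.level:8}{f.path}:{f.line}  {f.rule_id}: {f.message}")
    print("summary:", summarize(findings))
    return 1 if should_fail(findings, "error") else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py opengrep-results.sarif` as a step after the scan; with no argument it runs on the constructed sample and exits 1 because the SQL injection finding survives the `tests/` exclude.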

Rust","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Mobile","type":"text","marks":[{"type":"strong"}]},{"text":": Swift, Kotlin, Java","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Scripting","type":"text","marks":[{"type":"strong"}]},{"text":": Ruby, PHP, Bash, Lua","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Infrastructure","type":"text","marks":[{"type":"strong"}]},{"text":": Terraform, Dockerfile, YAML, JSON","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Other","type":"text","marks":[{"type":"strong"}]},{"text":": C#, Elixir, Solidity, Apex","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Limitations","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Intra-file taint only","type":"text","marks":[{"type":"strong"}]},{"text":": Cross-file dataflow requires CodeQL","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Pattern-based","type":"text","marks":[{"type":"strong"}]},{"text":": Can't understand complex program semantics","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"No runtime analysis","type":"text","marks":[{"type":"strong"}]},{"text":": Static analysis only","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Performance","type":"text","marks":[{"type":"strong"}]},{"text":": Large codebases may be slow with all features enabled","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Experimental features","type":"text","marks":[{"type":"strong"}]},{"text":": May have bugs or incomplete coverage","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Rationalizations to 
Reject","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Shortcut","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Why It's Wrong","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\"Opengrep found nothing = code is secure\"","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Pattern-based analysis can miss context-specific vulnerabilities","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\"Just use default rules\"","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Default rules are generic; custom rules for your stack are essential","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\"Skip dataflow/taint analysis for speed\"","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"These features catch vulnerabilities simple patterns miss","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\"Semgrep and Opengrep are 
identical\"","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Licensing differences matter for commercial use; feature sets diverging","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"\"Don't need both Opengrep and CodeQL\"","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Complementary: Opengrep is fast/broad, CodeQL is deep/precise","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"References","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Repository: ","type":"text"},{"text":"https://github.com/opengrep/opengrep","type":"text","marks":[{"type":"link","attrs":{"href":"https://github.com/opengrep/opengrep","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Website: ","type":"text"},{"text":"https://www.opengrep.dev/","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.opengrep.dev/","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Rules Repository: ","type":"text"},{"text":"https://github.com/opengrep/opengrep-rules","type":"text","marks":[{"type":"link","attrs":{"href":"https://github.com/opengrep/opengrep-rules","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Documentation: ","type":"text"},{"text":"https://www.opengrep.dev/docs/","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.opengrep.dev/docs/","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Trail of Bits Rules: 
","type":"text"},{"text":"https://github.com/trailofbits/semgrep-rules","type":"text","marks":[{"type":"link","attrs":{"href":"https://github.com/trailofbits/semgrep-rules","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Comparison with Semgrep: ","type":"text"},{"text":"https://semgrep.dev/docs/faq/comparisons/opengrep","type":"text","marks":[{"type":"link","attrs":{"href":"https://semgrep.dev/docs/faq/comparisons/opengrep","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Launch Announcement: ","type":"text"},{"text":"https://www.aikido.dev/blog/launching-opengrep-why-we-forked-semgrep","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.aikido.dev/blog/launching-opengrep-why-we-forked-semgrep","title":null}}]}]}]}]},{"type":"paragraph","content":[{"text":"Articles:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Opengrep vs. 
Semgrep: Some Thoughts","type":"text","marks":[{"type":"link","attrs":{"href":"https://blog.codacy.com/opengrep-vs-semgrep","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Launching Opengrep | Why we forked Semgrep","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.aikido.dev/blog/launching-opengrep-why-we-forked-semgrep","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Opengrep Launches as Free Fork After Semgrep License Shift","type":"text","marks":[{"type":"link","attrs":{"href":"https://thenewstack.io/opengrep-launches-as-free-fork-after-semgrep-license-shift/","title":null}}]}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"opengrep","author":"@skillopedia","source":{"stars":4,"repo_name":"grimbard","origin_url":"https://github.com/igbuend/grimbard/blob/HEAD/skills/opengrep/SKILL.md","repo_owner":"igbuend","body_sha256":"cf6e710aca7c02478240db16887aa1f4fcd5d3d55768160dbd185c775603a4b8","cluster_key":"3642286b11fd7edcfcb0142a58ec9f150c36f27caa3c843f267c99a2c3f83b27","clean_bundle":{"format":"clean-skill-bundle-v1","source":"igbuend/grimbard/skills/opengrep/SKILL.md","bundle_sha256":"d7f4f7cb9cc06ed99909ec3bd6aca98f6e2a9670fc2e0ead39ec5d6f40b569d9","attachment_count":0,"text_attachments":0,"binary_attachments":0},"cluster_size":1,"skill_md_path":"skills/opengrep/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"version":"v1","category":"security","import_tag":"clean-skills-v1","description":"Run Opengrep static analysis for fast security scanning with open-source rules. Use when scanning with truly open-source SAST, avoiding proprietary rule licenses, using community rules freely, or requiring commercial tool integration.","allowed-tools":["Bash","Read","Glob","Grep"]}},"renderedAt":1782979885761}
