We’re making a few updates to the Semgrep OSS engine and rules—now collectively named Semgrep Community Edition—to better distinguish their free community-focused nature from our commercial offerings, and to clarify that other vendors may not use Semgrep Community Edition rules as part of a competing Software as a Service offering. Starting today:
Semgrep Community Edition: Semgrep OSS is now named Semgrep Community Edition, reflecting its role as a free, community-focused tool.
Rule License Change: Semgrep-maintained rules are now licensed under Semgrep Rules License v.1.0, so that they’re available only for internal, non-competing, and non-SaaS contexts.
Output Clean-up: Certain Semgrep-internal fields in JSON and SARIF outputs are now reserved for our logged-in commercial engine.
Experimental Features: Features previously marked experimental are now part of our logged-in commercial engine.
We’ve chosen changes that we believe will be non-disruptive for the majority of community use cases. Striking the right balance between supporting a thriving community and growing a commercial business is important to us, and we’d love your feedback. Read on for more details and how to get in touch.
Semgrep Community Edition
Semgrep OSS is now Semgrep Community Edition. You’ll see this new name appear soon in our GitHub repository, documentation, CLI, and marketing materials.
Thank you to the 125+ community members who participated in our naming survey. I read every response, and “Semgrep Community Edition” was the overwhelming favorite, with 74% of votes. We’re pleased to adopt this new name and appreciate your input!
Semgrep Community Edition remains free, with 2800+ rules and no login required. It’s ideal for individuals, security auditors, and pentesters who need fast, one-off scans. For AppSec teams looking for a low-noise, cost-effective, and scalable security solution, see Semgrep AppSec Platform.
New rule license
Community Edition rules are Semgrep-maintained rules that are now governed by the Semgrep Rules License v.1.0, which limits their use to internal, non-competing, and non-SaaS contexts. This applies to all rules authored by Semgrep and those contributed to our public repositories, and will be visible in the license field of a rule’s metadata.
Most users will be unaffected by this change. However, this update explicitly limits certain commercial usage. We recognize this may mean adjustments for some vendors, and we encourage you to contact us for guidance.
Who is impacted?
Vendors using Semgrep-maintained rules in competing products or SaaS offerings.
Who is unaffected?
Individuals, security consultants, and companies using the rules internally.
We’re providing a grace period until January 31, 2025, for vendors to phase out their use of these rules in their products. If you think this might affect your use case, please contact us at partnerships@semgrep.com.
JSON and SARIF output changes
Certain Semgrep-internal fields, modeled as unstable private APIs and primarily used for policy systems and findings tracking, are being moved to the logged-in commercial engine.
For a full list of affected fields, please visit our documentation. If you’re using these fields and need assistance transitioning, let us know at partnerships@semgrep.com.
Migrating Experimental Features
We’re moving the few remaining experimental features in the Semgrep Community Edition engine to our logged-in commercial engine. These features are typically for Semgrep-internal use during early development and are not intended for external builds or integrations.
What’s next?
For any questions or feedback, reach out at community-feedback@semgrep.com, or at partnerships@semgrep.com for partnership discussions.
Thank you for helping us as we navigate growing a commercial business and supporting a thriving community. Our goal is to build an enduring company with you, the community. We’re in it for the long run, because it’s going to take a long time to “profoundly improve software security and reliability”.
— Luke & your friends at Semgrep.