Opengrep is the most advanced open source SAST engine.
Let's make secure software development a shared standard. Opengrep provides every developer and organisation with open and advanced static code analysis.
Opengrep is backed by a consortium of 10+ AppSec organisations, including: Aikido, Arnica, Amplify, Endor Labs, Jit, Kodem, Legit, Mobb, Orca Security, and Phoenix Security. To learn more, read the manifesto at opengrep.dev.
Opengrep was created when Semgrep moved critical features behind a commercial licence. We believe advanced static analysis should remain open and accessible to all.
Key advantages:
- Compatible with Semgrep rules - your existing rules and rulesets work unchanged
- Standard outputs - JSON and SARIF formats for easy integration
- Open governance - contributions accepted on merit, not commercial interest
- Long-term assurance - committed to open-source under LGPL 2.1
Opengrep has introduced significant improvements since the fork. Highlights include:
Superior Taint Analysis (--taint-intrafile):
- Constructor and field assignment tracking
- Inter-method taint flow
- Higher-order function support across 12 languages
- Collection method tainting (map, filter, reduce, etc.)
See the Intrafile Tainting Tutorial and Higher-Order Functions Tutorial for details.
Language Support:
- Visual Basic - not available in Semgrep CE or Pro
- Apex, Elixir - not in Semgrep CE
- Improved: Clojure (tainting support), PHP 8.4, C# 14
Distribution:
- Self-contained binaries via Nuitka (no Python required)
- Signed releases with Cosign
See OPENGREP.md for the full list of improvements since the fork.
Opengrep is an ultra-fast static analysis tool for searching code patterns with the power of semantic grep. Analyze large code bases at the speed of thought with intuitive pattern matching and customizable rules. Find and fix security vulnerabilities, fast β ship more secure code.
Opengrep supports 30+ languages, including:
Apex Β· Bash Β· C Β· C++ Β· C# Β· Clojure Β· Dart Β· Dockerfile Β· Elixir Β· Go Β· HTML Β· Java Β· JavaScript Β· JSON Β· Jsonnet Β· JSX Β· Julia Β· Kotlin Β· Lisp Β· Lua Β· OCaml Β· PHP Β· Python Β· R Β· Ruby Β· Rust Β· Scala Β· Scheme Β· Solidity Β· Swift Β· Terraform Β· TSX Β· TypeScript Β· Visual Basic Β· XML Β· YAML Β· Generic (ERB, Jinja, etc.)
curl -fsSL https://raw.githubusercontent.com/opengrep/opengrep/main/install.sh | bashOr if you've cloned the repo:
./install.shirm https://raw.githubusercontent.com/opengrep/opengrep/main/install.ps1 | iexOr with a specific version:
& ([scriptblock]::Create((irm https://raw.githubusercontent.com/opengrep/opengrep/main/install.ps1))) -Version v1.16.0Binaries are available on the releases page.
Create rules/demo-rust-unwrap.yaml with the following content:
rules:
- id: unwrapped-result
pattern: $VAR.unwrap()
message: "Unwrap detected - potential panic risk"
languages: [rust]
severity: WARNINGand code/rust/main.rs with the following content (that contains a risky unwrap):
fn divide(a: i32, b: i32) -> Result<i32, String> {
if b == 0 {
return Err("Division by zero".to_string());
}
Ok(a / b)
}
fn main() {
let result = divide(10, 0).unwrap(); // Risky unwrap!
println!("Result: {}", result);
}You should now have:
.
βββ code
β βββ rust
β βββ main.rs
βββ rules
βββ demo-rust-unwrap.yamlNow run:
β― opengrep scan -f rules code/rust
ββββββββββββββββ
β Opengrep CLI β
ββββββββββββββββ
Scanning 1 file (only git-tracked) with 1 Code rule:
CODE RULES
Scanning 1 file.
PROGRESS
ββββββββββββββββββββββββββββββββββββββββ 100% 0:00:00
ββββββββββββββββββ
β 1 Code Finding β
ββββββββββββββββββ
code/rust/main.rs
β―β― rules.unwrapped-result
Unwrap detected - potential panic risk
9β let result = divide(10, 0).unwrap(); // Risky unwrap!
ββββββββββββββββ
β Scan Summary β
ββββββββββββββββ
Ran 1 rule on 1 file: 1 finding.To obtain SARIF output:
β― opengrep scan --sarif-output=sarif.json -f rules code
...
β― cat sarif.json | jq
{
"version": "2.1.0",
"runs": [
{
"invocations": [
{
"executionSuccessful": true,
"toolExecutionNotifications": []
}
],
"results": [
{
"fingerprints": {
"matchBasedId/v1": "a0ff5ed82149206a74ee7146b075c8cb9e79c4baf86ff4f8f1c21abea6ced504e3d33bb15a7e7dfa979230256603a379edee524cf6a5fd000bc0ab29043721d8_0"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "code/rust/main.rs",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 40,
"endLine": 9,
"snippet": {
"text": " let result = divide(10, 0).unwrap(); // Risky unwrap!"
},
"startColumn": 18,
"startLine": 9
}
}
}
],
"message": {
"text": "Unwrap detected - potential panic risk"
},
"properties": {},
"ruleId": "rules.unwrapped-result"
}
],
"tool": {
"driver": {
"name": "Opengrep OSS",
"rules": [
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Unwrap detected - potential panic risk"
},
"help": {
"markdown": "Unwrap detected - potential panic risk",
"text": "Unwrap detected - potential panic risk"
},
"id": "rules.unwrapped-result",
"name": "rules.unwrapped-result",
"properties": {
"precision": "very-high",
"tags": []
},
"shortDescription": {
"text": "Opengrep Finding: rules.unwrapped-result"
}
}
],
"semanticVersion": "1.100.0"
}
}
}
],
"$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json"
}- Wiki - tutorials and language guides
- Intrafile Tainting Tutorial
- Higher-Order Functions Tutorial
- C# Support (C# 12/13/14)
- PHP Support (PHP 7.1-8.4)
- Visual Basic Support
- X / Twitter
- Manifesto - why we forked
- Open roadmap sessions - join the conversation
Opengrep is a fork of Semgrep v1.100.0, created by Semgrep Inc. Opengrep is not affiliated with or endorsed by Semgrep Inc.