One year after forking Semgrep, Opengrep has shipped 43 releases and achieved 25–74% faster scans and up to 2× faster taint analysis. Key technical advances include migrating to OCaml 5 with shared-memory parallelism, introducing intrafile cross-function taint analysis via --taint-intrafile, adding native Windows support, and removing Python dependencies for a self-contained binary. The project has 1.74 million binary downloads, 2,000+ GitHub stars, and 10 security companies using it in production. The post also addresses a PyPI package name security incident, governance structure under LGPL-2.1, and the case for deterministic SAST alongside AI-based scanning in CI/CD pipelines. Upcoming priorities include interfile taint analysis, full removal of the Python wrapper, and broader package manager distribution.

From aikido.dev
Table of contents
Maintainer Q&A
Q. What engineering work did you undertake in the first year?
Governance and long-term sustainability
Why Opengrep matters in the age of AI security analysis
What next for Opengrep?
