"1 - Secure software development (RBPO) on a shoestring": a tale of how a startup bolted security on / Habr
https://habr.com/ru/companies/bastion/articles/1038686/

"2 - RBPO on a shoestring": deploying virtual machines / Habr
https://habr.com/ru/companies/bastion/articles/1038692/

"3 - RBPO on a shoestring": deploying secure-development services / Habr
https://habr.com/ru/companies/bastion/articles/1038710/

#devops #security #DefectDojo #PostgreSQL #Redis #Nginx #uWSGI #Celery #DependencyTrack #Checkov #Trivy #Gitleaks #OpenGrep #Nuclei

"RBPO on a shoestring": a tale of how a startup bolted security on

A fairy tale is a lie, yet it holds a hint, a lesson for developers. In a certain open space, in a certain coworking, there lived a startup. With a coffee machine, burning deadlines and never-ending calls. There they decided to build...

Habr

Better Code Scanning? Putting #Opengrep to the Test 🧐

Part of consistently improving our #pentesting procedures includes evaluating the tools we use in our assessments. When conducting code reviews and pentests of fat-client applications we are often faced with the challenge of identifying vulnerabilities in the target's source code. 🧵

#AppSec #CyberSecurity #InfoSec #Hacking #CodeReview #SourceCode #Semgrep

New open source code scanner Opengrep launched by security companies

A group of nine security companies has announced a new open source project, called Opengrep, in response to the recent changes to the pop

Tech Nieuws

Here's what #opengrep should have said, IMO:

"Semgrep has made the decision to move some previously-open-source features under a proprietary license for any future development. This left us with a problem to solve, as our customers -- and other users of semgrep-oss -- rely on those features.

We respect Semgrep's business decision. Nevertheless, our concern about this decision and the message that we can't rely on their "open core" to continue to provide popular features has led us to exercise our rights under the LGPL and create Opengrep. We're committed to changing our products to use this fork in order to preserve the features our customers rely on, and intend to place governance of the project into the hands of a non-profit foundation to ensure that no single vendor can change licenses or remove features in the future.

We believe that there's a place for both opengrep and semgrep-oss, and are hopeful that good ideas can cross-pollinate between the projects."

Welp, #opengrep (https://www.opengrep.dev/) is a great example of something that seems like it was a reasonable thing to do, but put together by people who do not understand community relations or messaging.

It's pretty clear that what really happened is that Semgrep moved some features from their LGPL-licensed open-source core into their proprietary-licensed "pro" product (and there were some license changes around community rules, but those were never open-source anyway, so that's whatever).

A bunch of companies that compete with Semgrep at some level relied on those features. They had pretty limited choices to respond, and decided to fork semgrep-oss into opengrep, and commit to giving it to a foundation to defend against future license changes. This is the least-bad outcome for the community (more on that in 🧵 ).

However, the way they made the announcement tries to cast Semgrep as a "bad guy" and act like the opengrep cabal is somehow a champion of open-source -- which is precious because they contributed very little to the open core as it was.

Opengrep - The open-source code security engine

"We’re launching #Opengrep a fork of SemgrepCS (formerly SemgrepOSS), in response to recent changes by #Semgrep that affect its open-source nature and shift focus to its paid offering, limiting access and innovation for the broader community."

https://www.opengrep.dev/
https://github.com/opengrep/opengrep

OpenGrep sounds like a very interesting community initiative. I really hope this will get traction. The community needs open source tools without licensing pain.
Semgrep has been a great tool and it was just too disappointing to see it go paywalled with time.
#opengrep #semgrep
https://www.opengrep.dev/