DeepSource Releases Globstar Amid Semgrep Licensing Backlash

Globstar was developed in parallel to Semgrep as an internally sourced observability platform that DeepSource has relied on for its security observability.
Apr 2nd, 2025 5:00pm by

Security platform provider DeepSource says its Globstar toolkit for writing SAST checkers offers an alternative to Semgrep, which recently changed the terms of its open source license for security observability.

Globstar’s creators are quick to note that Globstar is not a fork of Semgrep. It was developed in parallel as a homegrown, internally sourced observability platform that DeepSource has relied on for its security observability.

When Semgrep changed its licensing terms, Globstar was about 80% ready, Sanket Saurav, co-founder and CEO of DeepSource, told me.

“We had it in our roadmap to launch Globstar already, and 80% of the work was done. When we saw the license change, it seemed like a good opportunity to push through the remaining 20% and make it live,” Saurav told me. “The team worked for a couple of weeks, and we announced the first version publicly in the last week of January 2025.”

The company has been building static analysis tools since its inception, for over five years and nearly six. It joined Y Combinator in 2019; development had begun a year earlier. While Semgrep has been around slightly longer, DeepSource took a different approach, Saurav said.

“Despite developing a static analysis runtime internally, all components are homegrown. This approach enables customers to write custom checkers and rules directly on DeepSource, offering a fresh alternative to existing solutions like Semgrep,” Saurav said. “Unlike Semgrep, this solution introduces a completely new approach to rule creation and execution.”

The system is built from first principles, without reusing or forking existing codebases, Saurav said. “Globstar is developed from scratch to address a fundamental question: If a team wants to write a checker, what is needed, and how can it be done most efficiently?” Saurav said.

The company has open sourced Globstar under an API license, providing two APIs: a YAML-based API and a Go-based API. The YAML-based API allows teams to create simple checkers with ease, while the Go-based API offers full flexibility for more complex and sophisticated implementations. By leveraging Go, users can achieve advanced functionality and customization, Saurav said.

Security Check

In a blog post, Saurav wrote that DeepSource “initially built an internal framework using tree-sitter for our proprietary infrastructure-as-code analyzers, which enabled us to rapidly create new checkers. We realized that making the framework open-source could solve this problem for everyone.”

“Our key insight was that writing checkers isn’t the hard part anymore. Modern AI assistants like ChatGPT and Claude are excellent at generating tree-sitter queries with very high accuracy. We realized that tree-sitter’s gnarly s-expression syntax isn’t a problem anymore (since the AI will be doing all the generation anyway), and we can instead focus on building a fast, flexible, and reliable checker runtime around it.

“Instead of creating yet another DSL, a tree-sitter’s native query syntax is used. Yes, the expressions look more complex than simplified DSLs, but they give you direct access to your code’s actual AST structure — which means your rules work exactly as you’d expect them to,” Saurav wrote. “When you need to debug a rule, you’re working with the actual structure of your code, not an abstraction that might hide important details.”

The key features of Globstar that DeepSource communicated include:

  • Written using the high-level, general-purpose programming language Go, with native tree-sitter bindings (described above), distributed as a single binary.
  • Users can run Globstar by writing all their checkers in a “.globstar” folder in their repo, in YAML or Go, and running “globstar check.”
  • Multilanguage support through tree-sitter (20+ languages today).
  • Gradual learning curve: coders can start with the YAML interface for simple patterns and graduate to the Go interface when they need sophisticated features like cross-file analysis and scope resolution.
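As an added example (not code from the article, nor DeepSource’s own), here is a checker in the YAML form the bullets describe: it lives in the repo’s “.globstar” folder and is evaluated by “globstar check.” The query body is standard tree-sitter query syntax for the Python grammar, the point Saurav makes above; the YAML field names and the convention that the outermost capture carries the checker’s name are assumptions from my recollection of Globstar’s format and should be checked against its docs.

```yaml
# .globstar/no_subprocess_shell_true.yml
# Constructed example. Field names (language, name, message, category,
# severity, pattern, description) are assumed, not taken from the article.
language: py
name: no_subprocess_shell_true
message: "subprocess call with shell=True; pass an argument list and drop shell=True"
category: security
severity: critical
# The pattern is a plain tree-sitter query against the Python grammar's AST,
# with no intermediate DSL:
#   call             -> the call node, with fields `function` and `arguments`
#   attribute        -> subprocess.<fn>, captured as @mod and @fn
#   keyword_argument -> shell=True, captured as @kw with a literal `true` value
#   #eq? / #match?   -> tree-sitter's built-in predicates on captured text
pattern: >
  (call
    function: (attribute
      object: (identifier) @mod
      attribute: (identifier) @fn)
    arguments: (argument_list
      (keyword_argument
        name: (identifier) @kw
        value: (true)))
    (#eq? @mod "subprocess")
    (#match? @fn "^(run|call|check_call|check_output|Popen)$")
    (#eq? @kw "shell")) @no_subprocess_shell_true
# Expected behaviour on constructed sample input:
#   subprocess.run("ls " + user_input, shell=True)   -> finding
#   subprocess.run(["ls", path], shell=False)        -> no finding (value is `false`)
#   subprocess.run(["ls", path])                     -> no finding (no shell kwarg)
#   os.system("ls")                                  -> no finding (different sink)
description: |
  shell=True hands the command string to /bin/sh, so any untrusted text
  spliced into it becomes a command-injection sink. Prefer an argument
  list without shell=True. Run `globstar check` from the repository root.
```

Because the rule matches on the AST rather than on text, it still fires when the call is split across lines or when other keyword arguments precede shell=True, and it stays quiet on a string that merely mentions “shell=True”.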

Open Source Forking

The release of Globstar follows how Semgrep “doubled down” on commercial usage restrictions on its widely popular open source code scanner tool, Saurav said. Some companies and end users were concerned that this might restrict their ability to secure their code, Saurav said.

Under the new terms of use, Semgrep users will only have access to new features introduced as part of the community-contributed rules through its paid or commercial offering. Essentially, users will have to pay for those features. Additionally, other features have been moved behind a paid Software as a Service (SaaS) platform. Semgrep has downplayed the new restrictions attached to the use of its Static Application Security Testing (SAST) tool.

In a blog post, Luke O’Malley, founder and chief product officer of Semgrep, wrote:

“We’re making a few updates to the Semgrep OSS engine and rules — now collectively named Semgrep Community Edition — to better distinguish their free community-focused nature from our commercial offerings, and to clarify that other vendors may not use Semgrep Community Edition rules as part of a competing Software as a Service offering. Starting today:

  • Semgrep Community Edition: Semgrep OSS is now named Semgrep Community Edition, reflecting its role as a free, community-focused tool.
  • Rule License Change: Semgrep-maintained rules are now licensed under Semgrep Rules License v.1.0 so that they’re available only for internal, non-competing, and non-SaaS contexts.
  • Output Clean-up: Certain Semgrep-internal fields in JSON and SARIF outputs are now reserved for our logged-in commercial engine.
  • Experimental Features: Features previously marked experimental are now part of our logged-in commercial engine.”