DeepSource has made available an open source static code analysis tool, dubbed Globstar, that DevSecOps teams can employ to embed code checkers in their pipelines.

Company CEO Sanket Saurav said Globstar will provide DevSecOps teams with an alternative to Semgrep, a widely used open source tool that is now being made available under more restrictive licensing terms. Globstar, in contrast, is available under the permissive MIT license, which has no commercial usage restrictions.

It’s not clear how many DevSecOps teams are affected by the recent changes to the Semgrep licensing terms, but the change is the latest in a series of moves by vendors that sponsored an open source software project and later rewrote the licensing terms under which it was originally made available.

In general, those vendors are seeking to limit the ability of competitors to profit from open source code the vendor developed, on the grounds that such use comes at the expense of the company that contributed most of the code.

The number of DevSecOps teams that might be using a platform developed by a rival of Semgrep is difficult to determine. DeepSource provides a software-as-a-service (SaaS) platform for managing DevSecOps workflows that includes a code checker. That checker is now being made available under an open source license to both DevSecOps teams and any vendor that wants to build a commercial offering around Globstar.

Globstar itself can be incorporated into a DevSecOps pipeline as a set of YAML checker files or through an application programming interface (API) written in the Go programming language.

There are, of course, forks of the original Semgrep open source project. However, Globstar is built on a more modern Go codebase and uses tree-sitter query syntax, which is faster than what can be achieved with Semgrep or any of its derivatives, noted Saurav.

That’s crucial at a time when application developers are increasingly using artificial intelligence (AI) code-writing tools, added Saurav. Legacy code-checking tools will not be able to keep pace without slowing the rate at which developers now write code, he said. Globstar rises to that challenge by giving application developers direct access to their code’s actual abstract syntax tree (AST). When they are debugging a checker, they are working with the real structure of their code rather than an abstraction that could obscure important details, and a detail hidden that way could become a vulnerability later exploited by cybercriminals who are similarly using tools to scan code for flaws, noted Saurav.
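The difference Saurav describes, between matching on the real syntax tree and matching on an abstraction of the text, can be shown without Globstar at all. The following is an added example, not Globstar code or DeepSource’s: it uses Go’s standard go/ast package in place of tree-sitter, on a constructed Go snippet, to compare a naive line-by-line text match against a structural match for the classic shell-spawning sink exec.Command("sh", "-c", …). The snippet, the checker names and the finding message are all assumptions made for this illustration.

```go
// Added example (not Globstar code): a text match versus a syntax-tree match
// for the same security sink. Globstar expresses checks as tree-sitter
// queries; this stand-alone program uses Go's go/ast to make the same point.
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
	"strings"
)

// sample is constructed for this example; it is not code from any real project.
const sample = `package demo

import "os/exec"

// never call exec.Command("sh", "-c", userInput) with untrusted input
var hint = "exec.Command(\"sh\", \"-c\", ...) is the risky form"

func run(userInput string) {
	exec.Command("sh", "-c", userInput).Run()   // real sink
	exec.Command("ls", "-l").Run()              // fixed argv, no shell
}
`

// textCheck flags every line containing the text exec.Command( regardless of
// context, so the comment, the string literal and the harmless call all hit.
func textCheck(src string) []int {
	re := regexp.MustCompile(`exec\.Command\(`)
	var hits []int
	for i, line := range strings.Split(src, "\n") {
		if re.MatchString(line) {
			hits = append(hits, i+1)
		}
	}
	return hits
}

// Finding is one checker result: the source line and a message.
type Finding struct {
	Line int
	Msg  string
}

// astCheck walks the parsed syntax tree and reports only call expressions of
// the form exec.Command("sh"|"bash", "-c", ...). Comments and string literals
// are never CallExpr nodes, so they cannot produce hits, and the argument
// positions can be inspected individually.
func astCheck(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok || sel.Sel.Name != "Command" {
			return true
		}
		pkg, ok := sel.X.(*ast.Ident)
		if !ok || pkg.Name != "exec" || len(call.Args) < 2 {
			return true
		}
		if isStringLit(call.Args[0], "sh", "bash") && isStringLit(call.Args[1], "-c") {
			out = append(out, Finding{
				Line: fset.Position(call.Pos()).Line,
				Msg:  "exec.Command invokes a shell with -c",
			})
		}
		return true
	})
	return out, nil
}

// isStringLit reports whether e is a string literal equal to one of want.
func isStringLit(e ast.Expr, want ...string) bool {
	lit, ok := e.(*ast.BasicLit)
	if !ok || lit.Kind != token.STRING {
		return false
	}
	for _, w := range want {
		if lit.Value == `"`+w+`"` {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("text match lines:", textCheck(sample)) // 5 6 9 10
	hits, err := astCheck(sample)
	if err != nil {
		panic(err)
	}
	fmt.Println("ast match       :", hits) // only line 9
}
```

The text match reports four lines: the comment, the string literal, the real sink and the fixed-argv call that never touches a shell. The tree walk reports only the real sink, because it can ask whether the node is a call, whether the callee is the exec package’s Command, and what the first two arguments literally are. A tree-sitter query expresses that same shape declaratively, which is why a checker author who can see the actual tree can debug a false positive by comparing the node structure rather than guessing at what a pattern abstracted away.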

While a lot of progress has been made in adopting DevSecOps best practices, there is clearly still much work to do. One of the primary reasons developers don’t scan code as often as they should is that they perceive it as taking too long. That puts pressure on DevSecOps teams to ensure code scans run as fast as possible, at a time when the sheer volume of code being created might overwhelm their existing pipelines.
