A colleague and I used Semgrep to conduct some static analysis research, so this is really interesting to see. I do wonder if it’s ever going to be opened up as FOSS given its broad application.
I couldn’t find anything about it, but I think it would be fair and beneficial for everyone if they would provide DeepSemGrep for free for open source projects. Maybe they could do that through their cloud offering like other providers. Otherwise bad actors could use DeepSemGrep to identify security issues in open source projects and exploit them. Maybe they would get caught afterwards, but still it’s in everyone’s interest to lower the bar for open source projects to be secure.