From 7ff27bd77ee9cb3aa1d157f813ae73b912bce5c3 Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Wed, 8 Apr 2026 15:07:52 +0300 Subject: [PATCH 1/2] fix(docs): Fix Semgrep OSS capability claims: has intra-procedural taint, not just pattern matching --- docs/README.md | 2 +- docs/faq.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/README.md b/docs/README.md index 90d4d1e7..8b9cecf5 100644 --- a/docs/README.md +++ b/docs/README.md @@ -48,7 +48,7 @@ The entire system is designed to work with AI agents. Formal analysis produces r ### Open source, batteries included -Engine, CLI, GitHub Action, GitLab CI, rules — the entire stack, including the deep analysis, is released under [Apache 2.0](../LICENSE.md) and [MIT](../cli/LICENSE). No paid tier to unlock taint tracking. No vendor lock-in on your rule library. Other tools make you pay for it — Semgrep gates taint tracking behind a paid Pro tier, CodeQL requires GHAS for private repos. The deep analysis should be free — and it is. +Engine, CLI, GitHub Action, GitLab CI, rules — the entire stack, including the deep analysis, is released under [Apache 2.0](../LICENSE.md) and [MIT](../cli/LICENSE). No paid tier to unlock taint tracking. No vendor lock-in on your rule library. Other tools make you pay for it — Semgrep gates inter-procedural taint tracking behind a paid Pro tier, CodeQL requires GHAS for private repos. The deep analysis should be free — and it is. --- diff --git a/docs/faq.md b/docs/faq.md index c67d9042..366627ea 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -22,7 +22,7 @@ Java and Kotlin, analyzed at the bytecode level to precisely understand inherita **How does OpenTaint compare to Semgrep?** -Semgrep's open-source engine does pattern matching. Its Pro engine adds taint analysis behind a paid tier. OpenTaint ships full inter-procedural dataflow analysis — cross-endpoint flows, persistence layers, stored injections — under Apache 2.0. Rules use a code-native format that the engine translates into complete taint configurations. Semgrep rule syntax is supported as a migration path. +Semgrep's open-source engine includes intra-procedural taint analysis — it tracks data within a single function. Its Pro engine adds inter-procedural taint analysis behind a paid tier. OpenTaint ships full inter-procedural dataflow analysis — cross-endpoint flows, persistence layers, stored injections — under Apache 2.0. Rules use a code-native format that the engine translates into complete taint configurations. Semgrep rule syntax is supported as a migration path. **How does OpenTaint compare to CodeQL?** From c21a0887efa32d908352cfb8809ac075b2db57cf Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Thu, 9 Apr 2026 10:15:37 +0300 Subject: [PATCH 2/2] fix(docs): Simplify OpenTaint OSS positioning copy --- docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/README.md b/docs/README.md index 8b9cecf5..74cf1339 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -48,7 +48,7 @@ The entire system is designed to work with AI agents. Formal analysis produces r ### Open source, batteries included -Engine, CLI, GitHub Action, GitLab CI, rules — the entire stack, including the deep analysis, is released under [Apache 2.0](../LICENSE.md) and [MIT](../cli/LICENSE). No paid tier to unlock taint tracking. No vendor lock-in on your rule library. Other tools make you pay for it — Semgrep gates inter-procedural taint tracking behind a paid Pro tier, CodeQL requires GHAS for private repos. The deep analysis should be free — and it is. +Engine, CLI, GitHub Action, GitLab CI, rules — the entire stack, including the deep analysis, is released under [Apache 2.0](../LICENSE.md) and [MIT](../cli/LICENSE). No paid tier to unlock taint tracking. No vendor lock-in on your rule library. Other tools make you pay for it — Semgrep gates inter-procedural taint tracking behind a paid Pro tier, CodeQL requires GHAS for private repos. OpenTaint doesn't. ---
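Review bot: in the docs/README.md hunk of PATCH 1/2, the narrowed claim about Semgrep ("gates inter-procedural taint tracking behind a paid Pro tier") is now contradicted by the unchanged sentence two clauses earlier, "No paid tier to unlock taint tracking." Read together, the paragraph still implies that taint tracking as such is paid elsewhere, which is exactly what this patch sets out to correct. Qualify that sentence the same way, e.g. "No paid tier to unlock inter-procedural taint tracking.", so the README and the FAQ make the same claim.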
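Review bot: the docs/faq.md hunk of PATCH 1/2 states what a third-party product's free and paid tiers do ("includes intra-procedural taint analysis", "Pro engine adds inter-procedural taint analysis behind a paid tier") without a source. Tier boundaries of another vendor change, and the previous version of this very sentence was wrong for that reason, so link the Semgrep documentation page the claim is taken from and consider dating it ("as of April 2026") so a reader can tell when it was last checked.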
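Review bot: in the docs/README.md hunk of PATCH 2/2, the new closing sentence "OpenTaint doesn't." has an ambiguous antecedent: it follows two different predicates ("gates inter-procedural taint tracking behind a paid Pro tier" and "requires GHAS for private repos"), so it can be read as "doesn't require GHAS" rather than "doesn't gate the analysis". Make the contrast explicit, e.g. "OpenTaint gates none of it." Also, this hunk rewrites the same line PATCH 1/2 already changed; squashing the two docs patches into one commit would leave a cleaner history for a two-line copy fix.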