DeepSource has released Globstar, an open-source project bringing the most cutting-edge code security tooling to the AppSec community, with no restrictions on commercial usage.
Globstar is a static code analysis toolkit that enables users to write code security checkers and run them in their CI/CD pipelines. It is fully open source under the MIT license.
DeepSource's mission is to help developers and companies write secure code using static analysis and AI, identifying vulnerabilities in code and suggesting fixes. However, the company also believes that core components of code security should be freely available to all developers and security teams.
"After analyzing millions of lines of code daily at DeepSource, we kept hearing a common request from many enterprise customers: 'How do we write custom checks specific to our codebase?'" says Sanket Saurav, co-founder and CEO of DeepSource. "We used tree-sitter to write new checkers internally for our proprietary analyzers, and it played an important role in us rapidly responding to customer requests for new checkers. With Globstar, we realized we can put the same capability in our customers' hands, which is why we decided to make it open-source."
DeepSource's existing clients can use Globstar to codify custom security patterns - but the entire Globstar project is and will remain open to all.
Open-source shake-up
Globstar comes at a moment of inflection for the open-source code security landscape. At the end of 2024, Semgrep, a prominent open-source vendor, tightened the commercial-usage restrictions on its widely popular open-source code scanner. Some companies and end users were concerned that this might restrict their ability to secure their code.
Several businesses responded to the licensing changes by launching Semgrep forks, but a fork inherits Semgrep's technical debt without the static-analysis expertise behind it. Globstar is instead built from first principles as a fresh codebase in Go. DeepSource also believes static analysis tools shouldn't come with license gotchas and hard-fork drama, so it has chosen one of the most permissive open-source licenses available - the MIT license.
"The AppSec community doesn't want a rebrand of legacy software. They want a fresh alternative," says Jai Pradeesh, co-founder of DeepSource. "What developers need is an expert-led, open-source solution to code security that is reliable in the long term and future-proof."
AI and its role in code security
In the past, writing security checkers was the hard part; now AI assistants like ChatGPT and Claude are excellent at writing code, including tree-sitter queries, although a generated query still has to be tested against the target grammar, since node and field names differ from language to language. What developers truly need is a faster, more reliable runtime to run checkers with sophisticated capabilities. Globstar provides this by using tree-sitter's native query syntax rather than introducing its own pattern DSL as Semgrep does.
This gives developers direct access to the parse tree of their code, so when they debug a checker they are working with the real node and field names tree-sitter produces, not an abstraction that could hide important details. That means rules behave exactly as users expect them to.
Key features of Globstar are:
- Written in Go with native tree-sitter bindings, and distributed as a single binary.
- MIT-licensed.
- No build step: users write their checkers in YAML or Go in a ".globstar" folder in their repository and run "globstar check".
- Multi-language support through tree-sitter (20+ languages today).
- Gradual learning curve: start with the YAML interface for simple patterns (https://globstar.dev/reference/checker-yaml) and graduate to the Go interface (https://globstar.dev/reference/checker-go) for sophisticated features like cross-file analysis and scope resolution.
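As an added illustration of two points above, the native tree-sitter query syntax and the YAML checker interface, here is a checker that flags Python subprocess calls made with shell=True. This example is not taken from the Globstar project or its documentation: the file name, the YAML keys (language, name, message, category, severity, pattern, description), the language code "py", the severity value and the convention that the match is reported under a capture named after the checker are assumptions that should be confirmed against the YAML checker reference linked above. The query itself is standard tree-sitter query syntax against the tree-sitter-python grammar (node types call, attribute, argument_list, keyword_argument, true, with the #eq? and #match? predicates), and the sample inputs in the description are constructed for the example.

```yaml
# .globstar/subprocess_shell_true.yml
# Added example, not a Globstar-supplied checker. File name, key names,
# language code and severity value are assumptions to be checked against
# https://globstar.dev/reference/checker-yaml before use.
language: py
name: subprocess_shell_true
message: "subprocess call with shell=True: pass an argument list and drop shell=True, otherwise the command is shell-injectable if any part of it is attacker-controlled"
category: security
severity: critical
# Standard tree-sitter query against the tree-sitter-python grammar.
# It matches subprocess.<fn>(..., shell=True) for the process-spawning
# helpers by walking the call node's fields directly:
#   call.function  -> attribute(object=subprocess, attribute=<fn>)
#   call.arguments -> argument_list containing keyword_argument shell=True
# The whole match is captured under the checker's name (assumed convention).
pattern: |
  (call
    function: (attribute
      object: (identifier) @mod
      attribute: (identifier) @fn)
    arguments: (argument_list
      (keyword_argument
        name: (identifier) @kw
        value: (true)))
    (#eq? @mod "subprocess")
    (#match? @fn "^(run|call|check_call|check_output|Popen)$")
    (#eq? @kw "shell")) @subprocess_shell_true
description: |
  Flags subprocess.run/call/check_call/check_output/Popen invoked with the
  literal keyword argument shell=True. Constructed sample input:

      subprocess.run(f"ls {user_dir}", shell=True)     # flagged
      subprocess.check_output(cmd, shell=True)         # flagged
      subprocess.run(["ls", user_dir])                 # not flagged
      subprocess.run(cmd, shell=False)                 # not flagged

  Limitations of this single pattern: a call through an import alias
  (from subprocess import run; run(cmd, shell=True)) or a shell flag
  stored in a variable (shell=flag) is not matched. Covering those needs
  a second pattern or the Go interface's scope resolution.
```

Save the file under .globstar/ in the repository and run globstar check. When adapting the pattern to another construct or language, tree-sitter's own CLI (tree-sitter parse on a sample file) prints the exact node and field names the query has to target, which is the direct-AST-access property the text above describes.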