semgrep/semgrep

More support for free tier to secure the sea of FOSS components

mcandre opened this issue · 3 comments

Is your feature request related to a problem? Please describe.

The semgrep system appears to exclude (FOSS) many software repositories, such as GitHub repositories managed under personal accounts rather than (enterprise) orgs. This presents obstacles to adoption.

Most of the lines of code in the software that people use every day derive from FOSS components. Let's remove barriers to adoption for securing the sea of FOSS projects, so that we dramatically raise the security posture of the tech industry.

Describe the solution you'd like

  • Clarify the pricing page with a free tier of all security products for FOSS components.
  • Enhance the registration system to support a wider variety of repositories, including personal GitHub orgs, and repositories hosted on arbitrary git services beyond GitHub.

Describe alternatives you've considered

FOSS SCA and SAST tools.

Use case

I happily introduce more SCA and SAST tools into my projects when they provide unique, meaningful reports and are convenient to integrate.

The semgrep system appears to exclude (FOSS) many software repositories, such as GitHub repositories managed under personal accounts rather than (enterprise) orgs. This presents obstacles to adoption.

I don't believe this is accurate. Are you having issues getting set up with repos under your personal account?

Clarify the pricing page with a free tier of all security products for FOSS components.

See the FAQ at https://semgrep.dev/pricing. (and of course, code in this repo is LGPL licensed)

Enhance the registration system to support a wider variety of repositories, including personal GitHub orgs, and repositories hosted on arbitrary git services beyond GitHub.

I'm not sure why you think that git-based source code managers other than GitHub are unsupported. You can take a look at https://semgrep.dev/docs/deployment/connect-scm for instructions on how to set up with various SCMs.

Oof, that's an awkward pricing structure. That encourages bottlenecks and hit-by-a-bus vulnerabilities, where essential components used everywhere end up with only a few contributors.

I tried to follow the setup guide but it reported generic errors when using my personal mcandre GitHub org.

I don't really follow the comment about pricing; happy to discuss more on our community slack, which is also where I would recommend for support - happy to take a look given more details about the errors you ran into.

Since it doesn't sound like there are any code changes for this repo though, I'm going to close this issue.