Herr Bischoff

Semgrep Spam Email

I’m constantly amazed by trying to walk through the possible trains of thought leading people to justify behaviour they would no doubt criticise in others. In today’s installment of Junk Email Wall of Shame, I present a seemingly reputable company named Semgrep. For some reason that I can only imagine to be a misguided attempt at “business development”, founder Drew Dennison saw himself not above spamming project maintainers with a heroically selfless free offer of their paid services.

Here’s the thing: offering a supposedly valuable product for free, unprompted and uninvited, can be fine when your motives are. Do so without an identifiable motivation beyond self-marketing and you come across as disingenuous and a bit thirsty for attention. When you make that offer look like a personal message but it’s in fact a mass email, you enter spam territory. If the offer presented is entirely not applicable to the project you feign to be impressed by, you’re just being a dick.

You lose me at spam level but being a dick gets you this.

I received the following message for my text-only project Awesome macOS Command Line, which I had moved off GitHub two years ago, sporting 27.3k stars, which probably puts it into the top 1% or so of GitHub repositories by stargazers. Which is an entirely useless metric anyway. It consists of a single commit with a redirection note.

Date: Tue, 4 Apr 2023 12:36:20 -0500 (CDT)
From: Drew Dennison <drew@r2c.dev>
Cc: raja@r2c.dev
Subject: Inviting awesome-macos-command-line to the Semgrep OSS program


My name is Drew Dennison. I’m a maintainer of an open source (LGPL) tool, Semgrep and work at the company by the same name that builds application security products. I’m a big believer in open source and I’m impressed with the work you’re doing on awesome-macos-command-line.

Semgrep is used by hundreds of thousands of developers at companies like Gitlab, Snowflake, Slack and many others.

At Semgrep, we’re on a mission to build developer tools that have positive security side-effects. To that end, we’re launching a program to partner with top OSS projects like yours.

We have two main tools that may interest you:

  • Semgrep Code is like a code linter, but instead of checking for syntax errors, it scans for security vulnerabilities. And it’s easy to write rules that look for things that are unique to your project.
  • Semgrep Supply Chain is similar to Dependabot or npm audit, but with an added bonus: it only flags vulnerable dependencies that are actually being used by your code, so you don’t get bogged down with false positives and unnecessary upgrades.

The Program:
These products together usually sell for $80 /month /developer. For a project with 100 contributors, that would cost $96,000 per year. But I’d like to support OSS software security efforts by offering them for free to you.

Our request is that if you do try Semgrep and find it valuable, we’d love for you to add a badge to your GitHub repo. An example badge:


Adding Semgrep takes under a minute: Sign up to Semgrep cloud, Go to Projects > New Project > Scan New Project > Run scan in CI and add your projects. I’d love to hear back from you. I’m Cc’ng Raja Rao who is our VP of Growth to help with this. Please reply-all to this email so that either me or Raja can enable our team-tier for your project.


The email did not contain a plain text part, just HTML, complete with obfuscated links for tracking and everything.

I was intrigued for once to see how a selfless samaritan champion for Open Source Software, entirely unknown to me before receiving his unsolicited offer, would react to a couple of direct questions. Here’s what I wrote:

Dear Drew,

Would you care to elaborate on how a text-only project is supposed to benefit from security software in a CI pipeline? I see no way for malicious or insecure code to endanger a reader of a plain text document. It’s of course always possible a high-end attack vector exists that I’m not yet aware of. I’ll be delighted to be enlightened by your expertise.

While you’re at it, could you explain how you did not simply scrape email addresses from GitHub projects with lots of stars and ran a mass email campaign with them, effectively spamming project maintainers with an unsolicited offer? You’re offering the same deal on your website.

How can you be impressed with my work when you clearly didn’t take the 20 seconds it takes to check if your words are even applicable to the recipient? Being honest goes a long way. Demonstrating being valued does as well. Sorry to see you decided to go the other way on both accounts.


The unsurprising answer is: not at all.