OpenRASP
DEPRECATED
Category: RASP
License: Free (Open-Source)
Suphi Cankurt, +8 Years in AppSec
Updated February 2, 2026
Key Takeaways
  • Most popular open-source RASP solution by Baidu with 2,900 GitHub stars and 623 forks; protects against SQL injection, command injection, XXE, SSRF, and deserialization attacks.
  • Supports Java (via Java Agent for Tomcat, JBoss, Jetty, WebLogic) and PHP applications with 1-4% performance overhead and plugin-based JavaScript detection logic.
  • Includes a cloud management console for centralized policy management, attack event visualization, and agent status monitoring.
  • Project appears inactive: the last release (v1.3.7) was January 2022; consider actively maintained alternatives like Contrast Protect or Datadog ASM.

OpenRASP is the most popular open-source Runtime Application Self-Protection solution, developed and maintained by the Baidu security team with 3k GitHub stars and 623 forks.

GitHub: baidu/openrasp | Last Release: v1.3.7 (January 2022)

Status as of 2026: project inactive
OpenRASP is the open-source RASP agent originally built by Baidu, supporting Java (Tomcat, JBoss, Jetty, WebLogic) and PHP applications via a JavaScript plugin engine for detection rules with 1-4% reported performance overhead. The last GitHub release (v1.3.7) was January 2022 and there has been no public maintainer activity since. Treat OpenRASP as a reference architecture for OSS RASP, not a production-recommended tool in 2026 unless you are prepared to fork-and-maintain it in-house. For active alternatives, see OpenRASP alternatives in 2026 below.

What is OpenRASP?

OpenRASP (Open-source Runtime Application Self-Protection) is a free, open-source security solution that protects applications from attacks at runtime.

It hooks into the application runtime to monitor and block malicious operations.

Unlike commercial RASP solutions, OpenRASP provides core protection capabilities without licensing costs, making it accessible for organizations of all sizes.

Key Features

Plugin-Based Detection

OpenRASP uses a plugin architecture for attack detection:

  • JavaScript plugins define detection logic
  • Easy to customize and extend
  • Community-contributed plugins available

Supported Attack Types

OpenRASP protects against:

  • SQL injection
  • Command injection
  • File operations attacks
  • XXE (XML External Entity)
  • SSRF (Server-Side Request Forgery)
  • Deserialization attacks

Cloud Management Console

OpenRASP includes a management console for:

  • Centralized policy management
  • Attack event visualization
  • Agent status monitoring
  • Report generation

How It Works

OpenRASP instruments the application runtime using Java Agent technology (for Java) or PHP extensions:

Application Runtime
    └── OpenRASP Agent
            ├── Hooks security-sensitive functions
            ├── Executes JavaScript detection plugins
            └── Blocks or logs malicious operations

Installation

Java Applications

Add the OpenRASP agent to your Java application:

# Download OpenRASP
wget https://github.com/baidu/openrasp/releases/latest/download/rasp-java.tar.gz
tar -xzf rasp-java.tar.gz

# Install to application
java -jar RaspInstall.jar -install /path/to/tomcat

PHP Applications

Install the PHP extension:

# Download the latest PHP release from GitHub Releases page
# https://github.com/baidu/openrasp/releases
wget https://github.com/baidu/openrasp/releases/download/v1.3.7/rasp-php-linux.tar.bz2
tar -xjf rasp-php-linux.tar.bz2

# Run the OpenRASP installer
php rasp-php-*/install.php -d /opt/rasp

Configuration

OpenRASP is configured via JSON files:

{
  "block": {
    "status_code": 302,
    "redirect_url": "/blocked.html"
  },
  "inject": {
    "urlprefix": "https://cdn.example.com/openrasp"
  }
}
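To make the hook-plugin-decision flow from "How It Works" and the block settings from the sample configuration concrete, here is an added model in JavaScript (the language OpenRASP plugins are written in). It is illustrative code, not OpenRASP's own agent or plugin API: the DetectionPlugin class, the hook names, the two heuristic rules and the sample request are all assumed or constructed here.

```javascript
// Added illustration (not OpenRASP's own code or plugin API) of the hook -> plugin -> decision flow.
const blockConfig = { status_code: 302, redirect_url: "/blocked.html" }; // from the page's sample config
// A plugin registers check functions per hook point ("sql", "command", ...).
class DetectionPlugin {
  constructor(name) { this.name = name; this.checks = {}; }
  register(hook, fn) { (this.checks[hook] = this.checks[hook] || []).push(fn); }
}

// Request parameter values copied verbatim into the hooked call's argument. Unlike a WAF,
// the in-runtime agent sees both the request and the final SQL/command string.
function taintedValues(text, context) {
  return Object.values(context.params).filter(v => v.length >= 3 && text.includes(v));
}

// SQL hook rule: tainted input carrying quote, comment or statement-separator tokens.
const sqlRule = (params, context) => {
  for (const v of taintedValues(params.query, context)) {
    if (/['"]|--|\/\*|;/.test(v)) return { message: `SQL structure altered by input ${JSON.stringify(v)}` };
  }
  return null; // clean: no verdict
};

// Command hook rule: tainted input carrying shell metacharacters.
const cmdRule = (params, context) => {
  for (const v of taintedValues(params.command, context)) {
    if (/[;|&`$]/.test(v)) return { message: `shell metacharacters in input ${JSON.stringify(v)}` };
  }
  return null;
};

const plugin = new DetectionPlugin("demo-plugin");
plugin.register("sql", sqlRule);
plugin.register("command", cmdRule);

// Called by the agent inside a hooked function; blockMode=false is the log-only posture behind "Blocks or logs".
function evaluate(plugins, hook, params, context, blockMode = true) {
  for (const p of plugins) {
    for (const check of p.checks[hook] || []) {
      const verdict = check(params, context);
      if (!verdict) continue;
      const event = { plugin: p.name, hook, message: verdict.message };
      return blockMode ? { action: "block", ...event, ...blockConfig } : { action: "log", ...event };
    }
  }
  return { action: "allow", hook };
}
// Constructed sample request: the "id" parameter was concatenated into the SQL text by the application.
const ctx = { params: { id: "1' OR '1'='1", name: "alice" } };
const blocked = evaluate([plugin], "sql", { query: "SELECT * FROM users WHERE id = '1' OR '1'='1'" }, ctx);
const allowed = evaluate([plugin], "sql", { query: "SELECT * FROM users WHERE name = ?" }, ctx);
```

The parameterised query is allowed because no request value reaches the SQL string; the concatenated one is blocked and carries the configured 302 redirect.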

Limitations

  • Currently supports Java and PHP only
  • Requires application restart for installation
  • Some performance overhead (typically 1-5%)
  • Active development primarily focused on Chinese documentation

Why the project stopped

OpenRASP was developed by Baidu’s Xteam security research group and released under a BSD 3-Clause license in 2017. Its last tagged release on GitHub is v1.3.7 from January 2022. Since then, the repository has seen occasional plugin updates from the community but no new agent releases or JVM compatibility fixes.

The slowdown tracks with Baidu’s broader security-team reorganization in 2022. Several maintainers moved to internal projects or left the company, and no corporate successor picked the codebase up. The cloud console component (openrasp-cloud) still runs for existing deployments but is not being actively developed.

Because RASP agents hook into the JVM and PHP runtimes, staying on an unmaintained agent is risky: new Java versions, security advisories in bundled dependencies, and changes in application-server internals all require ongoing maintenance.

When to Use OpenRASP

OpenRASP is ideal for organizations wanting open-source RASP protection for Java or PHP environments.

Teams comfortable with self-hosted security tools and budget-conscious programs may find value, though the project’s inactivity since 2022 should be considered. For actively maintained alternatives, see Contrast Protect or Datadog ASM.

OpenRASP language coverage

Language   Status
Java       Mature: Java Agent for Tomcat, JBoss, Jetty, WebLogic
PHP        Supported: PHP 5.3+ via PHP extension
Node.js    Not supported
Python     Not supported
.NET       Not supported
Go         Not supported

If you need any language outside Java or PHP, OpenRASP cannot help. The narrowness combined with the inactive maintenance signal is the single biggest reason most teams in 2026 should look at a commercial RASP product instead.

Should I deploy OpenRASP in 2026?

If you accept maintenance risk and have an in-house team that can fork-and-patch, OpenRASP still functions as a working Java/PHP RASP agent.

The architecture (Java Agent + V8 JavaScript plugin engine for detection rules) is solid, the performance overhead claim of 1-4% held up under Baidu’s own production scale, and the BSD-3-Clause license imposes no commercial restrictions.

If you need any of: vendor support, security patches for the agent itself, modern language coverage (Node, Python, .NET, Go), or compliance reporting tied to a supported product, then OpenRASP is the wrong choice in 2026.

The project has not shipped a release in roughly four years and there is no public roadmap. For most teams I would treat OpenRASP as historical reference and route the live procurement budget into Contrast Protect, Datadog Application Security, or Dynatrace.

OpenRASP alternatives in 2026

Given the inactive status, this is the most important section on the page. Five RASP alternatives, ordered by how cleanly they replace OpenRASP’s positioning:

  • Contrast Protect / ADR: commercial, six-language coverage including Java, .NET, Node, Ruby, Python, Go. The strongest functional successor for Java RASP buyers leaving OpenRASP.
  • Datadog Application Security: commercial, seven-language coverage including PHP. The single best PHP successor since the alternative is “no PHP RASP at all.”
  • Dynatrace: commercial, single-agent runtime protection bundled with the Dynatrace observability platform. Strong fit if Dynatrace is already your APM.
  • Imperva RASP: commercial, Java/.NET. Note: Imperva has communicated an end-of-sale path through 2025; do not start a procurement here in 2026.
  • Waratek: commercial, Java-only, virtual-patching emphasis. Narrower than OpenRASP on language coverage but stronger on Java-specific compliance use cases.

There is no actively maintained open-source RASP alternative in 2026. ModSecurity is a WAF engine (perimeter inspection, not in-runtime instrumentation), and Coraza is a Go reimplementation of ModSecurity; neither is true RASP.

If “must be OSS” is a hard procurement constraint, the honest answer is that the OSS RASP market has not produced a successor since OpenRASP went quiet.

How I evaluated OpenRASP

I reviewed the OpenRASP GitHub repository (release tags, last-commit dates, open issues, plugin sub-repos), the legacy Baidu Security X-Lab Medium post describing the original architecture, the openrasp-v8 repository for the JavaScript runtime, and the official Baidu OpenRASP docs site (note: docs are primarily Chinese-language).

OpenRASP is open-source under BSD-3-Clause; this review does not include pricing because OpenRASP has none. Author: Suphi Cankurt.

Note: Project appears inactive. Last release (v1.3.7) was January 2022.

Frequently Asked Questions

What is OpenRASP?
OpenRASP is the most popular open-source RASP solution, developed by Baidu’s security team with 3k GitHub stars. It hooks into application runtimes to monitor and block malicious operations.
Is OpenRASP free or commercial?
OpenRASP is free and open-source, providing core runtime protection capabilities without licensing costs.
Does OpenRASP block attacks automatically?
Yes. OpenRASP protects against SQL injection, command injection, XXE, SSRF, file operation attacks, and deserialization attacks using plugin-based detection logic.
Is OpenRASP still maintained?
The project appears inactive. The last release (v1.3.7) was in January 2022, and active development has slowed significantly.
What languages does OpenRASP support?
OpenRASP primarily supports Java and PHP applications, using Java Agent technology and PHP extensions respectively.