diff --git a/.github/styles/config/vocabularies/Codacy/accept.txt b/.github/styles/config/vocabularies/Codacy/accept.txt
index 6368c90471..8333378248 100644
--- a/.github/styles/config/vocabularies/Codacy/accept.txt
+++ b/.github/styles/config/vocabularies/Codacy/accept.txt
@@ -57,6 +57,7 @@ monorepo
namespace
OAuth
onboarding
+Opengrep
PHP_CodeSniffer
PHPUnit
plaintext
@@ -75,7 +76,6 @@ sbt
Scalameta
Scalastyle
SCSSLint
-Semgrep
Serverless
severities
ShellCheck
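Review bot: Removing `Semgrep` from the accepted vocabulary in this second hunk looks premature, because the same patch still writes the word in new prose: the release note heading "Semgrep to Opengrep migration", its body text, and the new entry in `docs/release-notes/index.md`. If the style check runs against those files, it will flag the term. Suggest keeping `Semgrep` in `accept.txt` alongside the new `Opengrep` entry until no page references it.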
diff --git a/docs/getting-started/supported-languages-and-tools.md b/docs/getting-started/supported-languages-and-tools.md
index 579af57aa2..65c7db44ed 100644
--- a/docs/getting-started/supported-languages-and-tools.md
+++ b/docs/getting-started/supported-languages-and-tools.md
@@ -45,9 +45,9 @@ The table below lists all languages that Codacy supports and the corresponding t
Apex |
.cls, .trigger |
PMD,
- Semgrep 1 |
+ Opengrep 1
- |
- Semgrep |
+ Opengrep |
- |
- |
PMD CPD 10 |
@@ -72,7 +72,7 @@ The table below lists all languages that Codacy supports and the corresponding t
Checkov |
- |
Checkov,
- Semgrep 2,
+ Opengrep 2,
Trivy 2 |
- |
- |
@@ -98,9 +98,9 @@ The table below lists all languages that Codacy supports and the corresponding t
Clang-Tidy 3,
Cppcheck,
Flawfinder,
- Semgrep 1 |
- Semgrep 🔧 |
- Semgrep,
+ Opengrep 1 |
+ Opengrep 🔧 |
+ Opengrep,
Trivy |
Trivy, scans
conan.lock (Conan) |
- |
@@ -114,9 +114,9 @@ The table below lists all languages that Codacy supports and the corresponding t
Clang-Tidy 3,
Cppcheck 4,
Flawfinder,
- Semgrep 1 |
+ Opengrep 1
- |
- Semgrep,
+ | Opengrep,
Trivy |
Trivy, scans
conan.lock (Conan) |
- |
@@ -127,10 +127,10 @@ The table below lists all languages that Codacy supports and the corresponding t
| C# |
.cs |
- Semgrep 1,
+ | Opengrep 1,
SonarC# |
- Semgrep 🔧 |
- Semgrep,
+ | Opengrep 🔧 |
+ Opengrep,
Trivy |
Trivy, scans
.deps.json (.Net), packages.lock.json (NuGet) |
Trivy, scans packages.lock.json for malicious packages published in NuGet |
@@ -190,9 +190,9 @@ The table below lists all languages that Codacy supports and the corresponding t
Dockerfile |
.dockerfile |
Hadolint,
- Semgrep 1 |
- Semgrep 🔧 |
- Semgrep,
+ Opengrep 1 |
+ Opengrep 🔧 |
+ Opengrep,
Trivy |
- |
- |
@@ -204,7 +204,7 @@ The table below lists all languages that Codacy supports and the corresponding t
Elixir |
.ex, .exs |
Credo,
- Semgrep 1 |
+ Opengrep 1
- |
Trivy |
Trivy, scans
mix.lock (Mix) |
@@ -216,9 +216,9 @@ The table below lists all languages that Codacy supports and the corresponding t
| GitHub Actions |
- |
- Semgrep 1 |
+ Opengrep 1 |
- |
- Semgrep,
+ | Opengrep,
Trivy |
- |
- |
@@ -233,10 +233,10 @@ The table below lists all languages that Codacy supports and the corresponding t
deadcode 3,
Gosec 3,
Revive,
- Semgrep 1,
+ Opengrep 1,
Staticcheck 3
- Semgrep 🔧 |
- Semgrep,
+ | Opengrep 🔧 |
+ Opengrep,
Trivy |
Trivy, scans
go.mod |
Trivy, scans
go.mod for malicious packages published in github.com |
@@ -262,7 +262,7 @@ The table below lists all languages that Codacy supports and the corresponding t
- |
- |
- Semgrep 2,
+ Opengrep 2,
Trivy 2 |
- |
- |
@@ -275,11 +275,11 @@ The table below lists all languages that Codacy supports and the corresponding t
.java |
Checkstyle,
PMD,
- Semgrep 1,
+ Opengrep 1,
SpotBugs 3 |
- Semgrep 🔧 |
+ Opengrep 🔧 |
PMD,
- Semgrep,
+ Opengrep,
Trivy |
Trivy, scans
pom.xml and gradle.lockfile |
Trivy, scans
pom.xml and gradle.lockfile for malicious packages published in maven |
@@ -292,9 +292,9 @@ The table below lists all languages that Codacy supports and the corresponding t
.js, .jsx, .jsm, .vue, .mjs |
ESLint,
PMD,
- Semgrep 1 |
+ Opengrep 1
ESLint 🔧 |
- Semgrep,
+ | Opengrep,
Trivy |
Trivy, scans
package.json and package-lock.json (npm),
yarn.lock (Yarn) |
Trivy, scans
package.json and package-lock.json for malicious packages published in npm |
@@ -332,11 +332,11 @@ The table below lists all languages that Codacy supports and the corresponding t
.kt, .kts |
detekt,
- Semgrep 1,
+ Opengrep 1,
PMD
|
- |
- Semgrep |
+ Opengrep |
Trivy, scans
pom.xml and gradle.lockfile |
Trivy, scans
pom.xml and gradle.lockfile for malicious packages published in maven |
jscpd |
@@ -347,10 +347,10 @@ The table below lists all languages that Codacy supports and the corresponding t
Kubernetes |
- |
Checkov,
- Semgrep 2 |
- Semgrep 🔧 |
+ Opengrep 2
+ Opengrep 🔧 |
Checkov,
- Semgrep 2,
+ Opengrep 2,
Trivy 2 |
- |
- |
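Review bot: In the Kubernetes row the old lines `Semgrep 2 |` and `Semgrep 🔧 |` each end with a cell separator, but the replacement `Opengrep 2` has none, so `Opengrep 2` and `Opengrep 🔧 |` may now land in the same cell. Please check the rendered table and restore the separator after `Opengrep 2` if the columns have shifted. The same pattern (separator dropped from one line, or moved to the start of the next) appears in several other rows of this file.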
@@ -411,9 +411,9 @@ The table below lists all languages that Codacy supports and the corresponding t
.php |
PHP_CodeSniffer,
PHP Mess Detector,
- Semgrep 1 |
+ Opengrep 1
- |
- Semgrep,
+ | Opengrep,
Trivy |
Trivy, scans
composer.lock (Composer) |
- |
@@ -465,15 +465,15 @@ The table below lists all languages that Codacy supports and the corresponding t
Prospector,
Pylint,
Ruff,
- Semgrep 1
+ Opengrep 1
- Semgrep 🔧
+ Opengrep 🔧
|
Bandit,
Prospector,
- Semgrep,
+ Opengrep,
Trivy
|
@@ -494,12 +494,12 @@ The table below lists all languages that Codacy supports and the corresponding t
| .rb, .gemspec, .podspec, .jbuilder, .rake, .opal |
Reek,
Brakeman
- 7,
+ 7,
RuboCop,
- Semgrep 1
+ Opengrep 1
|
- Semgrep 🔧 |
- Semgrep,
+ | Opengrep 🔧 |
+ Opengrep,
Trivy |
Trivy, scans
Gemfile.lock (Bundler) |
Trivy, scans
Gemfile.lock for malicious packages published in rubygems.org |
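Review bot: The `7,` line in the Ruby row is removed and re-added with identical visible text, so this is a whitespace-only change unrelated to the Semgrep to Opengrep rename. Suggest reverting it to keep the diff limited to the tool name, or stating in the commit message that the table markup was re-indented.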
@@ -510,9 +510,9 @@ The table below lists all languages that Codacy supports and the corresponding t
| Rust |
.rs, .rlib |
- Semgrep 1 |
+ Opengrep 1 |
- |
- Semgrep,
+ | Opengrep,
Trivy |
Trivy, scans
Cargo.lock (Cargo) |
Trivy, scans
Cargo.lock for malicious packages published in crates.io |
@@ -537,10 +537,10 @@ The table below lists all languages that Codacy supports and the corresponding t
.scala |
Codacy Scalameta Pro,
Scalastyle,
- Semgrep 1,
+ Opengrep 1,
SpotBugs 3 |
- |
- Semgrep,
+ | Opengrep,
Trivy |
Trivy, scans
build.sbt.lock (sbt) 9 |
Trivy, scans
build.sbt.lock for malicious packages published in maven 9 |
@@ -564,9 +564,9 @@ The table below lists all languages that Codacy supports and the corresponding t
Shell |
.sh, .bash |
ShellCheck,
- Semgrep 1 |
+ Opengrep 1
- |
- Semgrep |
+ Opengrep |
- |
- |
- |
@@ -577,12 +577,12 @@ The table below lists all languages that Codacy supports and the corresponding t
Swift |
.swift |
- Semgrep 1,
+ Opengrep 1,
SwiftLint,
PMD
|
- |
- Semgrep,
+ | Opengrep,
Trivy |
Trivy, scans
Package.resolved (SwiftPM) |
- |
@@ -598,7 +598,7 @@ The table below lists all languages that Codacy supports and the corresponding t
SQLint,
TSQLLint,
SQLFluff,
- Semgrep 1
+ Opengrep 1
- |
- |
@@ -612,10 +612,10 @@ The table below lists all languages that Codacy supports and the corresponding t
Terraform |
.tf |
Checkov,
- Semgrep 1 |
+ Opengrep 1
- |
Checkov,
- Semgrep,
+ Opengrep,
Trivy |
- |
- |
@@ -639,9 +639,9 @@ The table below lists all languages that Codacy supports and the corresponding t
TypeScript |
.ts, .tsx |
ESLint,
- Semgrep 1 |
+ Opengrep 1
ESLint 🔧 |
- Semgrep,
+ | Opengrep,
Trivy |
Trivy, scans
package.json and package-lock.json (npm),
yarn.lock (Yarn) |
Trivy, scans
package.json and package-lock.json for malicious packages published in npm |
@@ -763,7 +763,7 @@ The following table lists the Codacy GitHub repositories corresponding to each s
codacy/codacy-bandit |
-| Brakeman 7 |
+Brakeman 7 |
codacy/codacy-brakeman |
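Review bot: The Brakeman row changes from `| Brakeman 7 |` to `Brakeman 7 |`, dropping the leading separator, and this row is not part of the Semgrep rename. Unless this fixes a known rendering problem, revert it; if it is intentional, it belongs in its own commit with a note on what it corrects.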
@@ -883,8 +883,8 @@ The following table lists the Codacy GitHub repositories corresponding to each s
| codacy/codacy-scalastyle |
-| Semgrep 1 |
-codacy/codacy-semgrep |
+Opengrep 1 |
+codacy/codacy-opengrep |
| ShellCheck |
@@ -937,13 +937,13 @@ The following table lists the Codacy GitHub repositories corresponding to each s
-1: Semgrep supports additional security rules when signing up for [Semgrep Pro](https://semgrep.dev/pricing/). This tool doesn't support [custom file extensions](../repositories-configure/languages.md#configuring-file-extensions).
+1: This tool doesn't support [custom file extensions](../repositories-configure/languages.md#configuring-file-extensions).
2: Currently, only YAML file scanning is supported on this platform.
3: Supported as a [client-side tool](../repositories-configure/local-analysis/client-side-tools.md).
4: Currently, Cppcheck only supports the MISRA guidelines for C.
5: Currently, Codacy only supports including the packages [lints](https://pub.dev/packages/lints) and [flutter_lints](https://pub.dev/packages/flutter_lints) on dartanalyzer configuration files.
6: Doesn't calculate [the number of methods and the complexity per method](../repositories/files.md#file-details) for each file.
-7: Due to licensing limitations, Codacy doesn't support the latest version of Brakeman. To analyze your Ruby code for the latest security vulnerabilities, use [Semgrep](https://semgrep.dev/), which provides comprehensive and up-to-date security scanning.
+7: Due to licensing limitations, Codacy doesn't support the latest version of Brakeman. To analyze your Ruby code for the latest security vulnerabilities, use [Opengrep](https://github.com/opengrep/opengrep), which provides comprehensive and up-to-date security scanning.
8: Supports [reporting warnings or errors](https://realm.github.io/SwiftLint/cyclomatic_complexity.html) on functions above specific complexity thresholds. Enable the rule **Cyclomatic Complexity** on the [Code patterns page](../repositories-configure/configuring-code-patterns.md), or use a [configuration file](https://realm.github.io/SwiftLint/index.html#configuration) to customize the thresholds.
9: Requires the [sbt-dependency-lock](https://github.com/stringbean/sbt-dependency-lock) plugin for generating the lockfile.
10: Codacy may use a different version of this tool for measuring complexity and duplication.
diff --git a/docs/organizations/managing-security-and-risk.md b/docs/organizations/managing-security-and-risk.md
index ea762c5b32..619f6f7f6f 100644
--- a/docs/organizations/managing-security-and-risk.md
+++ b/docs/organizations/managing-security-and-risk.md
@@ -369,33 +369,33 @@ Security and risk management supports checking the languages and infrastructure-
| Apex |
PMD,
- Semgrep 1 |
+ Opengrep
| AWS CloudFormation |
Checkov,
- Trivy 2 |
+ Trivy 1
| C |
- Clang-Tidy 3,
+ | Clang-Tidy 2,
Cppcheck,
Flawfinder,
- Semgrep 1,
+ Opengrep,
Trivy |
| C# |
SonarC#,
- Semgrep 1,
+ Opengrep,
Trivy |
| C++ |
- Clang-Tidy 3,
+ | Clang-Tidy 2,
Cppcheck,
Flawfinder,
- Semgrep 1,
+ Opengrep,
Trivy |
@@ -405,7 +405,7 @@ Security and risk management supports checking the languages and infrastructure-
| Dockerfile |
Hadolint,
- Semgrep 1,
+ Opengrep,
Trivy |
@@ -415,12 +415,12 @@ Security and risk management supports checking the languages and infrastructure-
| GitHub Actions |
- Semgrep 1 |
+ Opengrep |
| Go |
- Gosec 3,
- Semgrep 1,
+ | Gosec 2,
+ Opengrep,
Trivy |
@@ -429,18 +429,18 @@ Security and risk management supports checking the languages and infrastructure-
| Helm |
- Trivy 2 |
+ Trivy 1 |
| Java |
- Semgrep 1,
- SpotBugs 3 4,
+ | Opengrep,
+ SpotBugs 2 3,
Trivy |
| JavaScript |
- ESLint 5,
- Semgrep 1,
+ | ESLint 4,
+ Opengrep,
Trivy |
@@ -449,21 +449,21 @@ Security and risk management supports checking the languages and infrastructure-
| Kotlin |
- Semgrep 1 |
+ Opengrep |
| Kubernetes |
- Trivy 2 |
+ Trivy 1 |
| Objective-C |
- Clang-Tidy 3 |
+ Clang-Tidy 2 |
| PHP |
PHP_CodeSniffer,
PHP Mess Detector,
- Semgrep 1,
+ Opengrep,
Trivy |
@@ -476,39 +476,39 @@ Security and risk management supports checking the languages and infrastructure-
Prospector,
Pylint,
Ruff,
- Semgrep 1,
+ Opengrep,
Trivy
| Ruby |
Brakeman,
RuboCop,
- Semgrep 1,
+ Opengrep,
Trivy |
| Rust |
- Semgrep 1,
+ | Opengrep,
Trivy |
| Scala |
Codacy Scalameta Pro,
- Semgrep 1,
- SpotBugs 3 4 |
+ Opengrep,
+ SpotBugs 2 3
| Swift |
- Semgrep 1 |
+ Opengrep |
| Shell |
- ShellCheck
- Semgrep 1 |
+ ShellCheck,
+ Opengrep |
| Terraform |
- Semgrep 1,
+ | Opengrep,
Trivy |
@@ -517,8 +517,8 @@ Security and risk management supports checking the languages and infrastructure-
| TypeScript |
- ESLint 5,
- Semgrep 1,
+ | ESLint 4,
+ Opengrep,
Trivy |
@@ -551,7 +551,7 @@ You're also able to click any dependency to find out more information about it.

- The dependency overview page offers a quick bird's-eye view of that particular dependency. You'll be able to see all different versions that are being used, including which repository is using them, the oldest and most recent versions you're leveraging, as well as the highest criticality of security issues, the license 6 applied to any particular version of that dependency, and the [OSSF Scorecard](#ossf-scorecard) security assessment.
+ The dependency overview page offers a quick bird's-eye view of that particular dependency. You'll be able to see all different versions that are being used, including which repository is using them, the oldest and most recent versions you're leveraging, as well as the highest criticality of security issues, the license 5 applied to any particular version of that dependency, and the [OSSF Scorecard](#ossf-scorecard) security assessment.
### OSSF Scorecard {: id="ossf-scorecard"}
@@ -577,12 +577,11 @@ This information helps you make informed decisions about the security risks asso

-1: Semgrep supports additional security rules when signing up for [Semgrep Pro](https://semgrep.dev/pricing/).
-2: Currently, Trivy only supports scanning YAML files on this platform.
-3: Supported as a [client-side tool](../repositories-configure/local-analysis/client-side-tools.md).
-4: Includes the plugin [Find Security Bugs](https://find-sec-bugs.github.io/).
-5: Includes the plugins [no-unsanitized](https://www.npmjs.com/package/eslint-plugin-no-unsanitized), [security](https://www.npmjs.com/package/eslint-plugin-security), [security-node](https://www.npmjs.com/package/eslint-plugin-security-node), and [xss](https://www.npmjs.com/package/eslint-plugin-xss).
-6: Visit the [supported languages and tools](../getting-started/supported-languages-and-tools.md#supported-languages-and-tools) page for a list of supported languages.
+1: Currently, Trivy only supports scanning YAML files on this platform.
+2: Supported as a [client-side tool](../repositories-configure/local-analysis/client-side-tools.md).
+3: Includes the plugin [Find Security Bugs](https://find-sec-bugs.github.io/).
+4: Includes the plugins [no-unsanitized](https://www.npmjs.com/package/eslint-plugin-no-unsanitized), [security](https://www.npmjs.com/package/eslint-plugin-security), [security-node](https://www.npmjs.com/package/eslint-plugin-security-node), and [xss](https://www.npmjs.com/package/eslint-plugin-xss).
+5: Visit the [supported languages and tools](../getting-started/supported-languages-and-tools.md#supported-languages-and-tools) page for a list of supported languages.
## App scanning {: id="app-scanning"}
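Review bot: Deleting footnote 1 here shifts every remaining footnote down by one, and the markers are renumbered by hand. The visible hunks update Trivy, Clang-Tidy, Gosec, SpotBugs, ESLint and the license reference, but any marker in a row this patch does not touch would now point at the wrong footnote. Please grep the full file for leftover markers before merging, or keep the old numbering and leave slot 1 unused to avoid the cascade.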
diff --git a/docs/release-notes/cloud/cloud-2026-02-migrating-semgrep.md b/docs/release-notes/cloud/cloud-2026-02-migrating-semgrep.md
new file mode 100644
index 0000000000..cf1ca0376f
--- /dev/null
+++ b/docs/release-notes/cloud/cloud-2026-02-migrating-semgrep.md
@@ -0,0 +1,11 @@
+---
+rss_title: Codacy release notes RSS feed
+rss_href: /feed_rss_created.xml
+---
+
+
+# Semgrep to Opengrep migration – February 2026
+
+As we previously discussed on our [blog](https://blog.codacy.com/opengrep-vs-semgrep), there have been licensing changes to Semgrep, and Opengrep has emerged as an open-source fork of the Semgrep engine. To ensure your continued access to the existing patterns we have switched to Opengrep.
+
+This change has been performed as a 1:1 replacement, preserving all existing patterns, issue history, and configuration. Going forward, we'll also be able to keep delivering custom Codacy rules to protect you against emerging threats, such as [hidden Unicode character vulnerabilities in rules files](https://blog.codacy.com/vulnerability-in-rules-files-with-hidden-unicode-characters).
\ No newline at end of file
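Review bot: The new release note ends without a trailing newline (`\ No newline at end of file`); add one. Also, the heading reads "Semgrep to Opengrep migration – February 2026" while the index entry added in this patch reads "Semgrep to Opengrep migration February, 2026"; pick one form so the link text matches the page title. Finally, the sentence "To ensure your continued access to the existing patterns we have switched to Opengrep" needs a comma after "patterns".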
diff --git a/docs/release-notes/index.md b/docs/release-notes/index.md
index abb84b86ad..28c0f10496 100644
--- a/docs/release-notes/index.md
+++ b/docs/release-notes/index.md
@@ -18,6 +18,7 @@ For product updates that are in progress or planned [visit the Codacy public roa
2026
+- [Semgrep to Opengrep migration February, 2026](cloud/cloud-2026-02-migrating-semgrep.md)
- [Cloud January 2026](cloud/cloud-2026-01.md)
- [Adding GolangCI-Lint as new supported tool January, 2026](cloud/cloud-2026-01-adding-golangci-lint.md)
diff --git a/docs/repositories-configure/codacy-configuration-file.md b/docs/repositories-configure/codacy-configuration-file.md
index 31b54db3e4..2e40d339ca 100644
--- a/docs/repositories-configure/codacy-configuration-file.md
+++ b/docs/repositories-configure/codacy-configuration-file.md
@@ -203,7 +203,7 @@ roslyn
rubocop
ruff
scalastyle
-semgrep
+opengrep
shellcheck
sonarcsharp
sonarvb
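Review bot: `opengrep` is inserted where `semgrep` used to be, between `scalastyle` and `shellcheck`, which breaks the alphabetical order the surrounding entries follow (`rubocop`, `ruff`, `scalastyle`, `shellcheck`). Move it to its sorted position among the names starting with "o" so readers scanning the list can find it.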
@@ -217,7 +217,7 @@ tsqllint
The following names are **deprecated** and shouldn't be used, although they're still accepted in the Codacy configuration file:
-- `bundleraudit` - The tool **bundler-audit** [is deprecated](../release-notes/cloud/cloud-2023-10-13-bundler-audit-deprecation.md). If you are using **Semprep** or **Trivy** instead, use the names `trivy` or `semgrep`.
+- `bundleraudit` - The tool **bundler-audit** [is deprecated](../release-notes/cloud/cloud-2023-10-13-bundler-audit-deprecation.md). If you are using **Opengrep** or **Trivy** instead, use the names `trivy` or `opengrep`.
- `csslint` - The tool **CSSLint** [is deprecated](../release-notes/cloud/cloud-2023-10-25-csslint-jshint-fauxpas-tailor-tslint-deprecation.md). If you are using **Stylelint** instead, use the name `stylelint`.
- `eslint` - Use the name `eslint-8` for **ESLint**.
- `jshint`, `tslint` - The tools **JSHint** and **TSLint** [are deprecated](../release-notes/cloud/cloud-2023-10-25-csslint-jshint-fauxpas-tailor-tslint-deprecation.md). If you are using **ESLint** instead, use the name `eslint-8`.
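Review bot: The previous hunk removes `semgrep` from the list of valid tool names, but this deprecated-names list does not gain a `semgrep` entry, so the docs no longer say what happens to a Codacy configuration file that still uses `semgrep`. The release note in this patch promises a 1:1 replacement "preserving all existing patterns, issue history, and configuration", so if `semgrep` is still accepted, add it here with a pointer to `opengrep`; if it is not, the release note should tell users to rename it.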
diff --git a/docs/repositories-configure/configuring-code-patterns.md b/docs/repositories-configure/configuring-code-patterns.md
index 86485f8438..7566a6268d 100644
--- a/docs/repositories-configure/configuring-code-patterns.md
+++ b/docs/repositories-configure/configuring-code-patterns.md
@@ -242,7 +242,7 @@ The table below lists the configuration file names that Codacy detects and suppo
|
- | Semgrep |
+ Opengrep |
Apex, C++, C#, Dockerfile, Elixir, GitHub Actions, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Shell, Swift, Terraform, TypeScript |
.semgrep.yaml |
|
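Review bot: The tool name in this row changes to Opengrep, but the detected configuration file stays `.semgrep.yaml`. If that is intentional, say so in this row or in the release note, since readers will otherwise assume the file must be renamed too; if Opengrep configuration is also detected under another file name, list it here.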
diff --git a/docs/repositories-configure/languages.md b/docs/repositories-configure/languages.md
index e26aba23ca..94d3d97260 100644
--- a/docs/repositories-configure/languages.md
+++ b/docs/repositories-configure/languages.md
@@ -31,7 +31,7 @@ If your repository contains source files with extensions not supported by Codacy
{% include-markdown "../assets/includes/update-file-extensions-reanalyze.md" %}
!!! note
- Currently, the [Semgrep](https://github.com/codacy/codacy-semgrep) static analysis tool doesn't support custom file extensions.
+ Currently, the [Opengrep](https://github.com/codacy/codacy-opengrep) static analysis tool doesn't support custom file extensions.
## Disabling analysis of a language {: id="disable-language"}
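Review bot: The note's link target changes to `https://github.com/codacy/codacy-opengrep`, and the tool-repository table in `supported-languages-and-tools.md` is updated to the same name. Confirm that repository is published (or that the old `codacy-semgrep` URL redirects) before this merges, so the docs do not ship a dead link.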