From 45c2f82f0a5e25b7fe714cf545e17150296dee9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lu=C3=ADs=20Ventura?= Date: Thu, 19 Feb 2026 13:57:09 +0000 Subject: [PATCH 1/2] feat: Add opengrep migration docs CF-2184 --- .../config/vocabularies/Codacy/accept.txt | 2 +- .../supported-languages-and-tools.md | 116 +++++++++--------- .../managing-security-and-risk.md | 39 +++--- .../cloud/cloud-2026-02-migrating-semgrep.md | 11 ++ docs/release-notes/index.md | 1 + .../codacy-configuration-file.md | 4 +- .../configuring-code-patterns.md | 2 +- docs/repositories-configure/languages.md | 2 +- 8 files changed, 94 insertions(+), 83 deletions(-) create mode 100644 docs/release-notes/cloud/cloud-2026-02-migrating-semgrep.md diff --git a/.github/styles/config/vocabularies/Codacy/accept.txt b/.github/styles/config/vocabularies/Codacy/accept.txt index 6368c90471..8333378248 100644 --- a/.github/styles/config/vocabularies/Codacy/accept.txt +++ b/.github/styles/config/vocabularies/Codacy/accept.txt @@ -57,6 +57,7 @@ monorepo namespace OAuth onboarding +Opengrep PHP_CodeSniffer PHPUnit plaintext @@ -75,7 +76,6 @@ sbt Scalameta Scalastyle SCSSLint -Semgrep Serverless severities ShellCheck diff --git a/docs/getting-started/supported-languages-and-tools.md b/docs/getting-started/supported-languages-and-tools.md index 579af57aa2..65c7db44ed 100644 --- a/docs/getting-started/supported-languages-and-tools.md +++ b/docs/getting-started/supported-languages-and-tools.md @@ -45,9 +45,9 @@ The table below lists all languages that Codacy supports and the corresponding t Apex .cls, .trigger PMD, - Semgrep 1 + Opengrep 1 - - Semgrep + Opengrep - - PMD CPD 10 @@ -72,7 +72,7 @@ The table below lists all languages that Codacy supports and the corresponding t Checkov - Checkov, - Semgrep 2, + Opengrep 2, Trivy 2 - - 
@@ -98,9 +98,9 @@ The table below lists all languages that Codacy supports and the corresponding t Clang-Tidy 3, Cppcheck, Flawfinder, - Semgrep 1 - Semgrep 🔧 - Semgrep, + Opengrep 1 + Opengrep 🔧 + Opengrep, Trivy Trivy, scans
conan.lock (Conan) - @@ -114,9 +114,9 @@ The table below lists all languages that Codacy supports and the corresponding t Clang-Tidy 3, Cppcheck 4, Flawfinder, - Semgrep 1 + Opengrep 1 - - Semgrep, + Opengrep, Trivy Trivy, scans
conan.lock (Conan) - @@ -127,10 +127,10 @@ The table below lists all languages that Codacy supports and the corresponding t C# .cs - Semgrep 1, + Opengrep 1, SonarC# - Semgrep 🔧 - Semgrep, + Opengrep 🔧 + Opengrep, Trivy Trivy, scans
.deps.json (.Net), packages.lock.json (NuGet) Trivy, scans packages.lock.json for malicious packages published in NuGet @@ -190,9 +190,9 @@ The table below lists all languages that Codacy supports and the corresponding t Dockerfile .dockerfile Hadolint, - Semgrep 1 - Semgrep 🔧 - Semgrep, + Opengrep 1 + Opengrep 🔧 + Opengrep, Trivy - - @@ -204,7 +204,7 @@ The table below lists all languages that Codacy supports and the corresponding t Elixir .ex, .exs Credo, - Semgrep 1 + Opengrep 1 - Trivy Trivy, scans
mix.lock (Mix) @@ -216,9 +216,9 @@ The table below lists all languages that Codacy supports and the corresponding t GitHub Actions - - Semgrep 1 + Opengrep 1 - - Semgrep, + Opengrep, Trivy - - @@ -233,10 +233,10 @@ The table below lists all languages that Codacy supports and the corresponding t deadcode 3, Gosec 3, Revive, - Semgrep 1, + Opengrep 1, Staticcheck 3 - Semgrep 🔧 - Semgrep, + Opengrep 🔧 + Opengrep, Trivy Trivy, scans
go.mod Trivy, scans
go.mod for malicious packages published in github.com @@ -262,7 +262,7 @@ The table below lists all languages that Codacy supports and the corresponding t - - - Semgrep 2, + Opengrep 2, Trivy 2 - - @@ -275,11 +275,11 @@ The table below lists all languages that Codacy supports and the corresponding t .java Checkstyle, PMD, - Semgrep 1, + Opengrep 1, SpotBugs 3 - Semgrep 🔧 + Opengrep 🔧 PMD, - Semgrep, + Opengrep, Trivy Trivy, scans
pom.xml and gradle.lockfile Trivy, scans
pom.xml and gradle.lockfile for malicious packages published in maven @@ -292,9 +292,9 @@ The table below lists all languages that Codacy supports and the corresponding t .js, .jsx, .jsm, .vue, .mjs ESLint, PMD, - Semgrep 1 + Opengrep 1 ESLint 🔧 - Semgrep, + Opengrep, Trivy Trivy, scans
package.json and package-lock.json (npm),
yarn.lock (Yarn) Trivy, scans
package.json and package-lock.json for malicious packages published in npm @@ -332,11 +332,11 @@ The table below lists all languages that Codacy supports and the corresponding t .kt, .kts detekt, - Semgrep 1, + Opengrep 1, PMD - - Semgrep + Opengrep Trivy, scans
pom.xml and gradle.lockfile Trivy, scans
pom.xml and gradle.lockfile for malicious packages published in maven jscpd @@ -347,10 +347,10 @@ The table below lists all languages that Codacy supports and the corresponding t Kubernetes - Checkov, - Semgrep 2 - Semgrep 🔧 + Opengrep 2 + Opengrep 🔧 Checkov, - Semgrep 2, + Opengrep 2, Trivy 2 - - @@ -411,9 +411,9 @@ The table below lists all languages that Codacy supports and the corresponding t .php PHP_CodeSniffer, PHP Mess Detector, - Semgrep 1 + Opengrep 1 - - Semgrep, + Opengrep, Trivy Trivy, scans
composer.lock (Composer) - @@ -465,15 +465,15 @@ The table below lists all languages that Codacy supports and the corresponding t Prospector, Pylint, Ruff, - Semgrep 1 + Opengrep 1 - Semgrep 🔧 + Opengrep 🔧 Bandit, Prospector, - Semgrep, + Opengrep, Trivy @@ -494,12 +494,12 @@ The table below lists all languages that Codacy supports and the corresponding t .rb, .gemspec, .podspec, .jbuilder, .rake, .opal Reek, Brakeman - 7, + 7, RuboCop, - Semgrep 1 + Opengrep 1 - Semgrep 🔧 - Semgrep, + Opengrep 🔧 + Opengrep, Trivy Trivy, scans
Gemfile.lock (Bundler) Trivy, scans
Gemfile.lock for malicious packages published in rubygems.org @@ -510,9 +510,9 @@ The table below lists all languages that Codacy supports and the corresponding t Rust .rs, .rlib - Semgrep 1 + Opengrep 1 - - Semgrep, + Opengrep, Trivy Trivy, scans
Cargo.lock (Cargo) Trivy, scans
Cargo.lock for malicious packages published in crates.io @@ -537,10 +537,10 @@ The table below lists all languages that Codacy supports and the corresponding t .scala Codacy Scalameta Pro, Scalastyle, - Semgrep 1, + Opengrep 1, SpotBugs 3 - - Semgrep, + Opengrep, Trivy Trivy, scans
build.sbt.lock (sbt) 9 Trivy, scans
build.sbt.lock for malicious packages published in maven 9 @@ -564,9 +564,9 @@ The table below lists all languages that Codacy supports and the corresponding t Shell .sh, .bash ShellCheck, - Semgrep 1 + Opengrep 1 - - Semgrep + Opengrep - - - @@ -577,12 +577,12 @@ The table below lists all languages that Codacy supports and the corresponding t Swift .swift - Semgrep 1, + Opengrep 1, SwiftLint, PMD - - Semgrep, + Opengrep, Trivy Trivy, scans
Package.resolved (SwiftPM) - @@ -598,7 +598,7 @@ The table below lists all languages that Codacy supports and the corresponding t SQLint, TSQLLint, SQLFluff, - Semgrep 1 + Opengrep 1 - - @@ -612,10 +612,10 @@ The table below lists all languages that Codacy supports and the corresponding t Terraform .tf Checkov, - Semgrep 1 + Opengrep 1 - Checkov, - Semgrep, + Opengrep, Trivy - - @@ -639,9 +639,9 @@ The table below lists all languages that Codacy supports and the corresponding t TypeScript .ts, .tsx ESLint, - Semgrep 1 + Opengrep 1 ESLint 🔧 - Semgrep, + Opengrep, Trivy Trivy, scans
package.json and package-lock.json (npm),
yarn.lock (Yarn) Trivy, scans
package.json and package-lock.json for malicious packages published in npm @@ -763,7 +763,7 @@ The following table lists the Codacy GitHub repositories corresponding to each s codacy/codacy-bandit -Brakeman 7 +Brakeman 7 codacy/codacy-brakeman @@ -883,8 +883,8 @@ The following table lists the Codacy GitHub repositories corresponding to each s codacy/codacy-scalastyle -Semgrep 1 -codacy/codacy-semgrep +Opengrep 1 +codacy/codacy-opengrep ShellCheck 
@@ -937,13 +937,13 @@ The following table lists the Codacy GitHub repositories corresponding to each s -1: Semgrep supports additional security rules when signing up for [Semgrep Pro](https://semgrep.dev/pricing/). This tool doesn't support [custom file extensions](../repositories-configure/languages.md#configuring-file-extensions). +1: This tool doesn't support [custom file extensions](../repositories-configure/languages.md#configuring-file-extensions). 2: Currently, only YAML file scanning is supported on this platform. 3: Supported as a [client-side tool](../repositories-configure/local-analysis/client-side-tools.md). 4: Currently, Cppcheck only supports the MISRA guidelines for C. 5: Currently, Codacy only supports including the packages [lints](https://pub.dev/packages/lints) and [flutter_lints](https://pub.dev/packages/flutter_lints) on dartanalyzer configuration files. 6: Doesn't calculate [the number of methods and the complexity per method](../repositories/files.md#file-details) for each file. -7: Due to licensing limitations, Codacy doesn't support the latest version of Brakeman. To analyze your Ruby code for the latest security vulnerabilities, use [Semgrep](https://semgrep.dev/), which provides comprehensive and up-to-date security scanning. +7: Due to licensing limitations, Codacy doesn't support the latest version of Brakeman. To analyze your Ruby code for the latest security vulnerabilities, use [Opengrep](https://github.com/opengrep/opengrep), which provides comprehensive and up-to-date security scanning. 8: Supports [reporting warnings or errors](https://realm.github.io/SwiftLint/cyclomatic_complexity.html) on functions above specific complexity thresholds. Enable the rule **Cyclomatic Complexity** on the [Code patterns page](../repositories-configure/configuring-code-patterns.md), or use a [configuration file](https://realm.github.io/SwiftLint/index.html#configuration) to customize the thresholds. 
9: Requires the [sbt-dependency-lock](https://github.com/stringbean/sbt-dependency-lock) plugin for generating the lockfile. 10: Codacy may use a different version of this tool for measuring complexity and duplication. diff --git a/docs/organizations/managing-security-and-risk.md b/docs/organizations/managing-security-and-risk.md index ea762c5b32..25b97a60e2 100644 --- a/docs/organizations/managing-security-and-risk.md +++ b/docs/organizations/managing-security-and-risk.md @@ -369,7 +369,7 @@ Security and risk management supports checking the languages and infrastructure- Apex PMD, - Semgrep 1 + Opengrep AWS CloudFormation @@ -381,13 +381,13 @@ Security and risk management supports checking the languages and infrastructure- Clang-Tidy 3, Cppcheck, Flawfinder, - Semgrep 1, + Opengrep, Trivy C# SonarC#, - Semgrep 1, + Opengrep, Trivy @@ -395,7 +395,7 @@ Security and risk management supports checking the languages and infrastructure- Clang-Tidy 3, Cppcheck, Flawfinder, - Semgrep 1, + Opengrep, Trivy @@ -405,7 +405,7 @@ Security and risk management supports checking the languages and infrastructure- Dockerfile Hadolint, - Semgrep 1, + Opengrep, Trivy @@ -415,12 +415,12 @@ Security and risk management supports checking the languages and infrastructure- GitHub Actions - Semgrep 1 + Opengrep Go Gosec 3, - Semgrep 1, + Opengrep, Trivy @@ -433,14 +433,14 @@ Security and risk management supports checking the languages and infrastructure- Java - Semgrep 1, + Opengrep, SpotBugs 3 4, Trivy JavaScript ESLint 5, - Semgrep 1, + Opengrep, Trivy @@ -449,7 +449,7 @@ Security and risk management supports checking the languages and infrastructure- Kotlin - Semgrep 1 + Opengrep Kubernetes @@ -463,7 +463,7 @@ Security and risk management supports checking the languages and infrastructure- PHP PHP_CodeSniffer, PHP Mess Detector, - Semgrep 1, + Opengrep, Trivy 
@@ -476,39 +476,39 @@ Security and risk management supports checking the languages and infrastructure- Prospector, Pylint, Ruff, - Semgrep 1, + Opengrep, Trivy Ruby Brakeman, RuboCop, - Semgrep 1, + Opengrep, Trivy Rust - Semgrep 1, + Opengrep, Trivy Scala Codacy Scalameta Pro, - Semgrep 1, + Opengrep, SpotBugs 3 4 Swift - Semgrep 1 + Opengrep Shell ShellCheck - Semgrep 1 + Opengrep Terraform - Semgrep 1, + Opengrep, Trivy @@ -518,7 +518,7 @@ Security and risk management supports checking the languages and infrastructure- TypeScript ESLint 5, - Semgrep 1, + Opengrep, Trivy @@ -577,7 +577,6 @@ This information helps you make informed decisions about the security risks asso ![Security and risk management OSSF scorecard report](images/security-risk-management-ossf-scorecard.png) -1: Semgrep supports additional security rules when signing up for [Semgrep Pro](https://semgrep.dev/pricing/). 2: Currently, Trivy only supports scanning YAML files on this platform. 3: Supported as a [client-side tool](../repositories-configure/local-analysis/client-side-tools.md). 4: Includes the plugin [Find Security Bugs](https://find-sec-bugs.github.io/). diff --git a/docs/release-notes/cloud/cloud-2026-02-migrating-semgrep.md b/docs/release-notes/cloud/cloud-2026-02-migrating-semgrep.md new file mode 100644 index 0000000000..cf1ca0376f --- /dev/null +++ b/docs/release-notes/cloud/cloud-2026-02-migrating-semgrep.md 
@@ -0,0 +1,11 @@ +--- +rss_title: Codacy release notes RSS feed +rss_href: /feed_rss_created.xml +--- + + +# Semgrep to Opengrep migration – February 2026 + +As we previously discussed on our [blog](https://blog.codacy.com/opengrep-vs-semgrep), there have been licensing changes to Semgrep, and Opengrep has emerged as an open-source fork of the Semgrep engine. To ensure your continued access to the existing patterns we have switched to Opengrep. + +This change has been performed as a 1:1 replacement, preserving all existing patterns, issue history, and configuration. Going forward, we'll also be able to keep delivering custom Codacy rules to protect you against emerging threats, such as [hidden Unicode character vulnerabilities in rules files](https://blog.codacy.com/vulnerability-in-rules-files-with-hidden-unicode-characters). \ No newline at end of file diff --git a/docs/release-notes/index.md b/docs/release-notes/index.md index abb84b86ad..28c0f10496 100644 --- a/docs/release-notes/index.md +++ b/docs/release-notes/index.md @@ -18,6 +18,7 @@ For product updates that are in progress or planned [visit the Codacy public roa 2026 +- [Semgrep to Opengrep migration February, 2026](cloud/cloud-2026-02-migrating-semgrep.md) - [Cloud January 2026](cloud/cloud-2026-01.md) - [Adding GolangCI-Lint as new supported tool January, 2026](cloud/cloud-2026-01-adding-golangci-lint.md) diff --git a/docs/repositories-configure/codacy-configuration-file.md b/docs/repositories-configure/codacy-configuration-file.md index 31b54db3e4..2e40d339ca 100644 --- a/docs/repositories-configure/codacy-configuration-file.md +++ b/docs/repositories-configure/codacy-configuration-file.md @@ -203,7 +203,7 @@ roslyn rubocop ruff scalastyle -semgrep +opengrep shellcheck sonarcsharp sonarvb 
@@ -217,7 +217,7 @@ tsqllint The following names are **deprecated** and shouldn't be used, although they're still accepted in the Codacy configuration file: -- `bundleraudit` - The tool **bundler-audit** [is deprecated](../release-notes/cloud/cloud-2023-10-13-bundler-audit-deprecation.md). If you are using **Semprep** or **Trivy** instead, use the names `trivy` or `semgrep`. +- `bundleraudit` - The tool **bundler-audit** [is deprecated](../release-notes/cloud/cloud-2023-10-13-bundler-audit-deprecation.md). If you are using **Opengrep** or **Trivy** instead, use the names `trivy` or `opengrep`. - `csslint` - The tool **CSSLint** [is deprecated](../release-notes/cloud/cloud-2023-10-25-csslint-jshint-fauxpas-tailor-tslint-deprecation.md). If you are using **Stylelint** instead, use the name `stylelint`. - `eslint` - Use the name `eslint-8` for **ESLint**. - `jshint`, `tslint` - The tools **JSHint** and **TSLint** [are deprecated](../release-notes/cloud/cloud-2023-10-25-csslint-jshint-fauxpas-tailor-tslint-deprecation.md). If you are using **ESLint** instead, use the name `eslint-8`. diff --git a/docs/repositories-configure/configuring-code-patterns.md b/docs/repositories-configure/configuring-code-patterns.md index 86485f8438..7566a6268d 100644 --- a/docs/repositories-configure/configuring-code-patterns.md +++ b/docs/repositories-configure/configuring-code-patterns.md @@ -242,7 +242,7 @@ The table below lists the configuration file names that Codacy detects and suppo - Semgrep + Opengrep Apex, C++, C#, Dockerfile, Elixir, GitHub Actions, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Shell, Swift, Terraform, TypeScript .semgrep.yaml diff --git a/docs/repositories-configure/languages.md b/docs/repositories-configure/languages.md index e26aba23ca..94d3d97260 100644 --- a/docs/repositories-configure/languages.md +++ b/docs/repositories-configure/languages.md 
@@ -31,7 +31,7 @@ If your repository contains source files with extensions not supported by Codacy {% include-markdown "../assets/includes/update-file-extensions-reanalyze.md" %} !!! note - Currently, the [Semgrep](https://github.com/codacy/codacy-semgrep) static analysis tool doesn't support custom file extensions. + Currently, the [Opengrep](https://github.com/codacy/codacy-opengrep) static analysis tool doesn't support custom file extensions. ## Disabling analysis of a language {: id="disable-language"} From f0123654c3fc4593abf219bcdc61c40b0b7694fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lu=C3=ADs=20Ventura?= Date: Thu, 19 Feb 2026 14:19:21 +0000 Subject: [PATCH 2/2] fix sup references and add missing comma --- .../managing-security-and-risk.md | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/docs/organizations/managing-security-and-risk.md b/docs/organizations/managing-security-and-risk.md index 25b97a60e2..619f6f7f6f 100644 --- a/docs/organizations/managing-security-and-risk.md +++ b/docs/organizations/managing-security-and-risk.md @@ -369,16 +369,16 @@ Security and risk management supports checking the languages and infrastructure- Apex PMD, - Opengrep + Opengrep AWS CloudFormation Checkov, - Trivy 2 + Trivy 1 C - Clang-Tidy 3, + Clang-Tidy 2, Cppcheck, Flawfinder, Opengrep, @@ -392,7 +392,7 @@ Security and risk management supports checking the languages and infrastructure- C++ - Clang-Tidy 3, + Clang-Tidy 2, Cppcheck, Flawfinder, Opengrep, @@ -419,7 +419,7 @@ Security and risk management supports checking the languages and infrastructure- Go - Gosec 3, + Gosec 2, Opengrep, Trivy @@ -429,17 +429,17 @@ Security and risk management supports checking the languages and infrastructure- Helm - Trivy 2 + Trivy 1 Java Opengrep, - SpotBugs 3 4, + SpotBugs 2 3, Trivy JavaScript - ESLint 5, + ESLint 4, Opengrep, Trivy 
@@ -453,11 +453,11 @@ Security and risk management supports checking the languages and infrastructure- Kubernetes - Trivy 2 + Trivy 1 Objective-C - Clang-Tidy 3 + Clang-Tidy 2 PHP @@ -495,7 +495,7 @@ Security and risk management supports checking the languages and infrastructure- Scala Codacy Scalameta Pro, Opengrep, - SpotBugs 3 4 + SpotBugs 2 3 Swift @@ -503,7 +503,7 @@ Security and risk management supports checking the languages and infrastructure- Shell - ShellCheck + ShellCheck, Opengrep @@ -517,7 +517,7 @@ Security and risk management supports checking the languages and infrastructure- TypeScript - ESLint 5, + ESLint 4, Opengrep, Trivy @@ -551,7 +551,7 @@ You're also able to click any dependency to find out more information about it. ![Security and risk management dependency page](images/security-risk-management-dependencies-single.png) - The dependency overview page offers a quick bird's-eye view of that particular dependency. You'll be able to see all different versions that are being used, including which repository is using them, the oldest and most recent versions you're leveraging, as well as the highest criticality of security issues, the license 6 applied to any particular version of that dependency, and the [OSSF Scorecard](#ossf-scorecard) security assessment. + The dependency overview page offers a quick bird's-eye view of that particular dependency. You'll be able to see all different versions that are being used, including which repository is using them, the oldest and most recent versions you're leveraging, as well as the highest criticality of security issues, the license 5 applied to any particular version of that dependency, and the [OSSF Scorecard](#ossf-scorecard) security assessment. ### OSSF Scorecard {: id="ossf-scorecard"} 
@@ -577,11 +577,11 @@ This information helps you make informed decisions about the security risks asso ![Security and risk management OSSF scorecard report](images/security-risk-management-ossf-scorecard.png) -2: Currently, Trivy only supports scanning YAML files on this platform. -3: Supported as a [client-side tool](../repositories-configure/local-analysis/client-side-tools.md). -4: Includes the plugin [Find Security Bugs](https://find-sec-bugs.github.io/). -5: Includes the plugins [no-unsanitized](https://www.npmjs.com/package/eslint-plugin-no-unsanitized), [security](https://www.npmjs.com/package/eslint-plugin-security), [security-node](https://www.npmjs.com/package/eslint-plugin-security-node), and [xss](https://www.npmjs.com/package/eslint-plugin-xss). -6: Visit the [supported languages and tools](../getting-started/supported-languages-and-tools.md#supported-languages-and-tools) page for a list of supported languages. +1: Currently, Trivy only supports scanning YAML files on this platform. +2: Supported as a [client-side tool](../repositories-configure/local-analysis/client-side-tools.md). +3: Includes the plugin [Find Security Bugs](https://find-sec-bugs.github.io/). +4: Includes the plugins [no-unsanitized](https://www.npmjs.com/package/eslint-plugin-no-unsanitized), [security](https://www.npmjs.com/package/eslint-plugin-security), [security-node](https://www.npmjs.com/package/eslint-plugin-security-node), and [xss](https://www.npmjs.com/package/eslint-plugin-xss). +5: Visit the [supported languages and tools](../getting-started/supported-languages-and-tools.md#supported-languages-and-tools) page for a list of supported languages. ## App scanning {: id="app-scanning"}
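Review bot: Dropping `semgrep` from the accepted tool names in docs/repositories-configure/codacy-configuration-file.md (`-semgrep` / `+opengrep`) contradicts the release note's statement that the switch preserves "all existing patterns, issue history, and configuration": any `.codacy.yaml` that already lists `semgrep` under its engines now names a tool the documented list no longer accepts. If the backend still accepts `semgrep` as an alias, add it to the deprecated names list in the following hunk next to `bundleraudit`, for example "- `semgrep` - The tool **Semgrep** was replaced by **Opengrep**; use the name `opengrep`."; if it does not, the release note must tell users to rename the engine in their configuration file.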
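Review bot: Removing `Semgrep` from the Vale vocabulary in .github/styles/config/vocabularies/Codacy/accept.txt (`-Semgrep`) will make the style check flag the new release note cloud-2026-02-migrating-semgrep.md, which still uses "Semgrep" in its title and body, and the new "Semgrep to Opengrep migration" entry in docs/release-notes/index.md. Keep `Semgrep` in accept.txt alongside the added `Opengrep`; the old product name remains a legitimate term wherever the migration is described.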
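Review bot: The configuration-file row in docs/repositories-configure/configuring-code-patterns.md renames the tool to Opengrep but leaves `.semgrep.yaml` as the detected file name, which reads as a leftover. If the Codacy Opengrep integration only reads `.semgrep.yaml`, state that explicitly so users do not rename their rule files and lose their configuration; if it also detects an Opengrep-named file, list both names in the row. Either way, the release note should mention which rule-file name continues to work.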
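Review bot: Both docs/repositories-configure/languages.md and the repository table in docs/getting-started/supported-languages-and-tools.md now link to https://github.com/codacy/codacy-opengrep in place of codacy/codacy-semgrep. Confirm that this repository exists (a rename of codacy-semgrep or a new repository) before merging; otherwise the change ships two dead links, since nothing in the patch indicates the old URL redirects.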
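Review bot: The new release note docs/release-notes/cloud/cloud-2026-02-migrating-semgrep.md says the change was "performed as a 1:1 replacement" but never tells readers whether any action is needed on their side, such as whether the `semgrep` engine name in `.codacy.yaml` and existing `.semgrep.yaml` rule files keep working; a single "no action required" line, or the required rename, would make the note actionable. Two smaller points in the same hunk: the sentence "To ensure your continued access to the existing patterns we have switched to Opengrep" needs a comma after "patterns", and the file lacks a trailing newline (`\ No newline at end of file`).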
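Review bot: [PATCH 2/2] only repairs the footnote numbering in docs/organizations/managing-security-and-risk.md that [PATCH 1/2] broke (removing footnote 1 while leaving the table referencing 2 through 6) and adds the comma missing after "ShellCheck" in the Shell row. Squash it into the first commit so the history never contains a state where the security-tools table cites footnotes that do not match the list below it.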