2 changes: 1 addition & 1 deletion .github/styles/config/vocabularies/Codacy/accept.txt
Expand Up @@ -57,6 +57,7 @@ monorepo
namespace
OAuth
onboarding
Opengrep
PHP_CodeSniffer
PHPUnit
plaintext
Expand All @@ -75,7 +76,6 @@ sbt
Scalameta
Scalastyle
SCSSLint
Semgrep
Serverless
severities
ShellCheck
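Review bot: Dropping `Semgrep` from this accept list while the word is still used elsewhere in the docs (the heading and body of the release note added in this PR, the new index entry, and the `.semgrep.yaml` config file name in configuring-code-patterns.md) will make the Vale spelling check flag every remaining occurrence. Keep `Semgrep` in the vocabulary alongside `Opengrep`; the migration note itself has to name the old tool.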
116 changes: 58 additions & 58 deletions docs/getting-started/supported-languages-and-tools.md

Large diffs are not rendered by default.

75 changes: 37 additions & 38 deletions docs/organizations/managing-security-and-risk.md
Expand Up @@ -369,33 +369,33 @@
<tr>
<td>Apex</td>
<td><a href="https://pmd.github.io/">PMD</a>,
<a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a></td>
<a href="https://github.com/opengrep/opengrep/">Opengrep</a></td>
</tr>
<tr>
<td>AWS CloudFormation</td>
<td><a href="https://github.com/bridgecrewio/checkov/">Checkov</a>,
<a href="https://trivy.dev">Trivy</a> <a href="#yaml-only"><sup>2</sup></a></td>
<a href="https://trivy.dev">Trivy</a> <a href="#yaml-only"><sup>1</sup></a></td>
</tr>
<tr>
<td>C</td>
<td><a href="https://clang.llvm.org/extra/clang-tidy/">Clang-Tidy</a><a href="#client-side"> <sup>3</sup></a>,
<td><a href="https://clang.llvm.org/extra/clang-tidy/">Clang-Tidy</a><a href="#client-side"> <sup>2</sup></a>,
<a href="http://cppcheck.sourceforge.net/">Cppcheck</a>,
<a href="https://dwheeler.com/flawfinder/">Flawfinder</a>,
<a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
<a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
<a href="https://trivy.dev">Trivy</a></td>
</tr>
<tr>
<td>C#</td>
<td><a href="https://github.com/SonarSource/sonar-dotnet">SonarC#</a>,
<a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
<a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
<a href="https://trivy.dev">Trivy</a></td>
</tr>
<tr>
<td>C++</td>
<td><a href="https://clang.llvm.org/extra/clang-tidy/">Clang-Tidy</a><a href="#client-side"> <sup>3</sup></a>,
<td><a href="https://clang.llvm.org/extra/clang-tidy/">Clang-Tidy</a><a href="#client-side"> <sup>2</sup></a>,
<a href="http://cppcheck.sourceforge.net/">Cppcheck</a>,
<a href="https://dwheeler.com/flawfinder/">Flawfinder</a>,
<a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
<a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
<a href="https://trivy.dev">Trivy</a></td>
</tr>
<tr>
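Review bot: Removing the `#semgrep` footnote reference leaves the table silent on what happened to the extra rules that were previously available under Semgrep Pro; a reader comparing the old and new tables will want to know whether those rules are still delivered through Opengrep (the release note in this PR says existing patterns are preserved) or are gone. Consider a short footnote on the Opengrep entry, or a link to the migration release note, starting with this first row where Opengrep appears.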
Expand All @@ -405,7 +405,7 @@
<tr>
<td>Dockerfile</td>
<td><a href="https://github.com/hadolint/hadolint">Hadolint</a>,
<a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
<a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
<a href="https://trivy.dev">Trivy</a></td>
</tr>
<tr>
Expand All @@ -415,12 +415,12 @@
</tr>
<tr>
<td>GitHub Actions</td>
<td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a></td>
<td><a href="https://github.com/opengrep/opengrep/">Opengrep</a></td>
</tr>
<tr>
<td>Go</td>
<td><a href="https://github.com/securego/gosec">Gosec</a><a href="#client-side"> <sup>3</sup></a>,
<a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
<td><a href="https://github.com/securego/gosec">Gosec</a><a href="#client-side"> <sup>2</sup></a>,
<a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
<a href="https://trivy.dev">Trivy</a></td>
</tr>
<tr>
Expand All @@ -429,18 +429,18 @@
</tr>
<tr>
<td>Helm</td>
<td><a href="https://trivy.dev">Trivy</a> <a href="#yaml-only"><sup>2</sup></a></td>
<td><a href="https://trivy.dev">Trivy</a> <a href="#yaml-only"><sup>1</sup></a></td>
</tr>
<tr>
<td>Java</td>
<td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
<a href="https://spotbugs.github.io/">SpotBugs</a><a href="#client-side"> <sup>3</sup></a><a href="#spotbugs-plugin"> <sup>4</sup></a>,
<td><a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
<a href="https://spotbugs.github.io/">SpotBugs</a><a href="#client-side"> <sup>2</sup></a><a href="#spotbugs-plugin"> <sup>3</sup></a>,
<a href="https://trivy.dev">Trivy</a></td>
</tr>
<tr>
<td>JavaScript</td>
<td><a href="https://eslint.org/">ESLint</a> <a href="#eslint-plugin"><sup>5</sup></a>,
<a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
<td><a href="https://eslint.org/">ESLint</a> <a href="#eslint-plugin"><sup>4</sup></a>,
<a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
<a href="https://trivy.dev">Trivy</a></td>
</tr>
<tr>
Expand All @@ -449,21 +449,21 @@
</tr>
<tr>
<td>Kotlin</td>
<td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a></td>
<td><a href="https://github.com/opengrep/opengrep/">Opengrep</a></td>
</tr>
<tr>
<td>Kubernetes</td>
<td><a href="https://trivy.dev">Trivy</a> <a href="#yaml-only"><sup>2</sup></a></td>
<td><a href="https://trivy.dev">Trivy</a> <a href="#yaml-only"><sup>1</sup></a></td>
</tr>
<tr>
<td>Objective-C</td>
<td><a href="https://clang.llvm.org/extra/clang-tidy/">Clang-Tidy</a><a href="#client-side"> <sup>3</sup></a></td>
<td><a href="https://clang.llvm.org/extra/clang-tidy/">Clang-Tidy</a><a href="#client-side"> <sup>2</sup></a></td>
</tr>
<tr>
<td>PHP</td>
<td><a href="https://github.com/squizlabs/PHP_CodeSniffer">PHP_CodeSniffer</a>,
<a href="https://phpmd.org/">PHP Mess Detector</a>,
<a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
<a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
<a href="https://trivy.dev">Trivy</a></td>
</tr>
<tr>
Expand All @@ -476,39 +476,39 @@
<a href="https://github.com/landscapeio/prospector">Prospector</a>,
<a href="https://github.com/pylint-dev/pylint">Pylint</a>,
<a href="https://docs.astral.sh/ruff/">Ruff</a>,
<a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
<a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
<a href="https://trivy.dev">Trivy</a></td>
</tr>
<tr>
<td>Ruby</td>
<td><a href="https://brakemanscanner.org/">Brakeman</a>,
<a href="https://github.com/rubocop/rubocop">RuboCop</a>,
<a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
<a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
<a href="https://trivy.dev">Trivy</a></td>
</tr>
<tr>
<td>Rust</td>
<td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
<td><a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
<a href="https://trivy.dev">Trivy</a></td>
</tr>
<tr>
<td>Scala</td>
<td><a href="https://github.com/codacy/codacy-scalameta">Codacy Scalameta Pro</a>,
<a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
<a href="https://spotbugs.github.io/">SpotBugs</a><a href="#client-side"> <sup>3</sup></a><a href="#spotbugs-plugin"> <sup>4</sup></a></td>
<a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
<a href="https://spotbugs.github.io/">SpotBugs</a><a href="#client-side"> <sup>2</sup></a><a href="#spotbugs-plugin"> <sup>3</sup></a></td>
</tr>
<tr>
<td>Swift</td>
<td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a></td>
<td><a href="https://github.com/opengrep/opengrep/">Opengrep</a></td>
</tr>
<tr>
<td>Shell</td>
<td><a href="https://www.shellcheck.net/">ShellCheck</a>
<a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a></td>
<td><a href="https://www.shellcheck.net/">ShellCheck</a>,
<a href="https://github.com/opengrep/opengrep/">Opengrep</a></td>
</tr>
<tr>
<td>Terraform</td>
<td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
<td><a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
<a href="https://trivy.dev">Trivy</a></td>
</tr>
<tr>
Expand All @@ -517,8 +517,8 @@
</tr>
<tr>
<td>TypeScript</td>
<td><a href="https://eslint.org/">ESLint</a> <a href="#eslint-plugin"><sup>5</sup></a>,
<a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
<td><a href="https://eslint.org/">ESLint</a> <a href="#eslint-plugin"><sup>4</sup></a>,
<a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
<a href="https://trivy.dev">Trivy</a></td>
</tr>
<tr>
Expand Down Expand Up @@ -551,7 +551,7 @@

![Security and risk management dependency page](images/security-risk-management-dependencies-single.png)

The dependency overview page offers a quick bird's-eye view of that particular dependency. You'll be able to see all different versions that are being used, including which repository is using them, the oldest and most recent versions you're leveraging, as well as the highest criticality of security issues, the license <a href="#license-scanning"><sup>6</sup></a> applied to any particular version of that dependency, and the [OSSF Scorecard](#ossf-scorecard) security assessment.
The dependency overview page offers a quick bird's-eye view of that particular dependency. You'll be able to see all different versions that are being used, including which repository is using them, the oldest and most recent versions you're leveraging, as well as the highest criticality of security issues, the license <a href="#license-scanning"><sup>5</sup></a> applied to any particular version of that dependency, and the [OSSF Scorecard](#ossf-scorecard) security assessment.

### OSSF Scorecard {: id="ossf-scorecard"}

Expand All @@ -577,12 +577,11 @@
![Security and risk management OSSF scorecard report](images/security-risk-management-ossf-scorecard.png)


<sup><span id="semgrep">1</span></sup>: Semgrep supports additional security rules when signing up for [Semgrep Pro](https://semgrep.dev/pricing/).
<sup><span id="yaml-only">2</span></sup>: Currently, Trivy only supports scanning YAML files on this platform.
<sup><span id="client-side">3</span></sup>: Supported as a [client-side tool](../repositories-configure/local-analysis/client-side-tools.md).
<sup><span id="spotbugs-plugin">4</span></sup>: Includes the plugin [Find Security Bugs](https://find-sec-bugs.github.io/).
<sup><span id="eslint-plugin">5</span></sup>: Includes the plugins [no-unsanitized](https://www.npmjs.com/package/eslint-plugin-no-unsanitized), [security](https://www.npmjs.com/package/eslint-plugin-security), [security-node](https://www.npmjs.com/package/eslint-plugin-security-node), and [xss](https://www.npmjs.com/package/eslint-plugin-xss).
<sup><span id="license-scanning">6</span></sup>: Visit the [supported languages and tools](../getting-started/supported-languages-and-tools.md#supported-languages-and-tools) page for a list of supported languages.
<sup><span id="yaml-only">1</span></sup>: Currently, Trivy only supports scanning YAML files on this platform.
<sup><span id="client-side">2</span></sup>: Supported as a [client-side tool](../repositories-configure/local-analysis/client-side-tools.md).
<sup><span id="spotbugs-plugin">3</span></sup>: Includes the plugin [Find Security Bugs](https://find-sec-bugs.github.io/).
<sup><span id="eslint-plugin">4</span></sup>: Includes the plugins [no-unsanitized](https://www.npmjs.com/package/eslint-plugin-no-unsanitized), [security](https://www.npmjs.com/package/eslint-plugin-security), [security-node](https://www.npmjs.com/package/eslint-plugin-security-node), and [xss](https://www.npmjs.com/package/eslint-plugin-xss).

<sup><span id="license-scanning">5</span></sup>: Visit the [supported languages and tools](../getting-started/supported-languages-and-tools.md#supported-languages-and-tools) page for a list of supported languages.


## App scanning {: id="app-scanning"}
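Review bot: With footnote 1 deleted and the others renumbered, check that nothing in this file or in docs/getting-started/supported-languages-and-tools.md (whose diff is not rendered on this page) still links to the removed `#semgrep` anchor or to the old superscript numbers; a stale `href="#semgrep"` would render as a dead in-page link. The renumbering in the rows above (`#yaml-only` to 1, `#client-side` to 2, `#spotbugs-plugin` to 3, `#eslint-plugin` to 4, `#license-scanning` to 5) matches the definitions in this hunk.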
11 changes: 11 additions & 0 deletions docs/release-notes/cloud/cloud-2026-02-migrating-semgrep.md
@@ -0,0 +1,11 @@
---
rss_title: Codacy release notes RSS feed
rss_href: /feed_rss_created.xml
---


# Semgrep to Opengrep migration – February 2026

As we previously discussed on our [blog](https://blog.codacy.com/opengrep-vs-semgrep), there have been licensing changes to Semgrep, and Opengrep has emerged as an open-source fork of the Semgrep engine. To ensure your continued access to the existing patterns we have switched to Opengrep.

This change has been performed as a 1:1 replacement, preserving all existing patterns, issue history, and configuration. Going forward, we'll also be able to keep delivering custom Codacy rules to protect you against emerging threats, such as [hidden Unicode character vulnerabilities in rules files](https://blog.codacy.com/vulnerability-in-rules-files-with-hidden-unicode-characters).
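Review bot: The note claims the switch preserves all configuration, but the codacy-configuration-file.md change in this same PR replaces the tool name `semgrep` with `opengrep` in the list of accepted names without listing `semgrep` as a deprecated-but-accepted alias, so users with `semgrep` in their `.codacy.yaml` need to know whether that key keeps working or must be renamed. State that here, and also say whether existing `.semgrep.yaml` rule files are still picked up, since configuring-code-patterns.md still lists that file name in the Opengrep row. Separately, the spaced en dash in the heading does not match the other release note titles linked from the index (for example `Cloud January 2026`).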
1 change: 1 addition & 0 deletions docs/release-notes/index.md
Expand Up @@ -18,6 +18,7 @@

2026

- [Semgrep to Opengrep migration February, 2026](cloud/cloud-2026-02-migrating-semgrep.md)

- [Cloud January 2026](cloud/cloud-2026-01.md)
- [Adding GolangCI-Lint as new supported tool January, 2026](cloud/cloud-2026-01-adding-golangci-lint.md)

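Review bot: The link text `Semgrep to Opengrep migration February, 2026` does not match the page heading `Semgrep to Opengrep migration – February 2026`; use one form for both. The neighbouring entry `Adding GolangCI-Lint as new supported tool January, 2026` uses the comma style, so the heading in the new file is the one to adjust.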
4 changes: 2 additions & 2 deletions docs/repositories-configure/codacy-configuration-file.md
Expand Up @@ -203,7 +203,7 @@ roslyn
rubocop
ruff
scalastyle
semgrep
opengrep
shellcheck
sonarcsharp
sonarvb
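Review bot: `opengrep` is inserted where `semgrep` was, between `scalastyle` and `shellcheck`, which breaks the alphabetical order of this list (`roslyn`, `rubocop`, `ruff`, `scalastyle`, `shellcheck`, `sonarcsharp`, ...); move it up to its sorted position. Also confirm that the `semgrep` name is genuinely no longer accepted before removing it here, since the release note in this PR says configuration is preserved.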
Expand All @@ -217,7 +217,7 @@ tsqllint

The following names are **deprecated** and shouldn't be used, although they're still accepted in the Codacy configuration file:

- `bundleraudit` - The tool **bundler-audit** [is deprecated](../release-notes/cloud/cloud-2023-10-13-bundler-audit-deprecation.md). If you are using **Semprep** or **Trivy** instead, use the names `trivy` or `semgrep`.
- `bundleraudit` - The tool **bundler-audit** [is deprecated](../release-notes/cloud/cloud-2023-10-13-bundler-audit-deprecation.md). If you are using **Opengrep** or **Trivy** instead, use the names `trivy` or `opengrep`.
- `csslint` - The tool **CSSLint** [is deprecated](../release-notes/cloud/cloud-2023-10-25-csslint-jshint-fauxpas-tailor-tslint-deprecation.md). If you are using **Stylelint** instead, use the name `stylelint`.
- `eslint` - Use the name `eslint-8` for **ESLint**.
- `jshint`, `tslint` - The tools **JSHint** and **TSLint** [are deprecated](../release-notes/cloud/cloud-2023-10-25-csslint-jshint-fauxpas-tailor-tslint-deprecation.md). If you are using **ESLint** instead, use the name `eslint-8`.
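Review bot: This deprecated-names list should gain an entry for `semgrep` if the engine still accepts the old name, mirroring the `bundleraudit` and `jshint`/`tslint` entries, for example: `semgrep` - The tool **Semgrep** has been replaced by **Opengrep**; use the name `opengrep`. The hunk above only removes `semgrep` from the accepted list, so readers of this section get no migration guidance. The updated `bundleraudit` sentence reads fine.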
2 changes: 1 addition & 1 deletion docs/repositories-configure/configuring-code-patterns.md
Expand Up @@ -242,7 +242,7 @@ The table below lists the configuration file names that Codacy detects and suppo
<td></td>
</tr>
<tr>
<td>Semgrep</td>
<td>Opengrep</td>
<td>Apex, C++, C#, Dockerfile, Elixir, GitHub Actions, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Shell, Swift, Terraform, TypeScript</td>
<td><code>.semgrep.yaml</code></td>
<td></td>
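Review bot: The language list in this row omits C, yet the tool table in managing-security-and-risk.md (changed in this PR) lists Opengrep for C; reconcile the two. Also, the configuration file column still reads `.semgrep.yaml` for the renamed tool: if Opengrep continues to read that file, say so explicitly in the row, and if it reads a differently named file, list that instead.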
2 changes: 1 addition & 1 deletion docs/repositories-configure/languages.md
Expand Up @@ -31,7 +31,7 @@ If your repository contains source files with extensions not supported by Codacy
{% include-markdown "../assets/includes/update-file-extensions-reanalyze.md" %}

!!! note
Currently, the [Semgrep](https://github.com/codacy/codacy-semgrep) static analysis tool doesn't support custom file extensions.
Currently, the [Opengrep](https://github.com/codacy/codacy-opengrep) static analysis tool doesn't support custom file extensions.

## Disabling analysis of a language {: id="disable-language"}

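Review bot: The link target changes to `https://github.com/codacy/codacy-opengrep`; verify that repository is public before merging so the docs do not ship a dead link. The limitation text itself ("doesn't support custom file extensions") is carried over unchanged from the Semgrep note; confirm it still applies to the Opengrep integration rather than assuming it does.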