Merge branch 'master' into doc-ai-instructions

alerizzo · web-flow · commit 2683195fe76a · 2026-02-19T15:47:21.000Z
diff --git a/.github/styles/config/vocabularies/Codacy/accept.txt b/.github/styles/config/vocabularies/Codacy/accept.txt
@@ -57,6 +57,7 @@ monorepo
 namespace
 OAuth
 onboarding
+Opengrep
 PHP_CodeSniffer
 PHPUnit
 plaintext
@@ -75,7 +76,6 @@ sbt
 Scalameta
 Scalastyle
 SCSSLint
-Semgrep
 Serverless
 severities
 ShellCheck
diff --git a/docs/getting-started/supported-languages-and-tools.md b/docs/getting-started/supported-languages-and-tools.md
diff --git a/docs/organizations/managing-security-and-risk.md b/docs/organizations/managing-security-and-risk.md
@@ -369,33 +369,33 @@ Security and risk management supports checking the languages and infrastructure-
     <tr>
       <td>Apex</td>
       <td><a href="https://pmd.github.io/">PMD</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a></td>
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a></td>
     </tr>
     <tr>
       <td>AWS CloudFormation</td>
       <td><a href="https://github.com/bridgecrewio/checkov/">Checkov</a>,
-          <a href="https://trivy.dev">Trivy</a> <a href="#yaml-only"><sup>2</sup></a></td>
+          <a href="https://trivy.dev">Trivy</a> <a href="#yaml-only"><sup>1</sup></a></td>
     </tr>
     <tr>
       <td>C</td>
-      <td><a href="https://clang.llvm.org/extra/clang-tidy/">Clang-Tidy</a><a href="#client-side"> <sup>3</sup></a>,
+      <td><a href="https://clang.llvm.org/extra/clang-tidy/">Clang-Tidy</a><a href="#client-side"> <sup>2</sup></a>,
           <a href="http://cppcheck.sourceforge.net/">Cppcheck</a>,
           <a href="https://dwheeler.com/flawfinder/">Flawfinder</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
       <td>C#</td>
       <td><a href="https://github.com/SonarSource/sonar-dotnet">SonarC#</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
       <td>C++</td>
-      <td><a href="https://clang.llvm.org/extra/clang-tidy/">Clang-Tidy</a><a href="#client-side"> <sup>3</sup></a>,
+      <td><a href="https://clang.llvm.org/extra/clang-tidy/">Clang-Tidy</a><a href="#client-side"> <sup>2</sup></a>,
           <a href="http://cppcheck.sourceforge.net/">Cppcheck</a>,
           <a href="https://dwheeler.com/flawfinder/">Flawfinder</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
@@ -405,7 +405,7 @@ Security and risk management supports checking the languages and infrastructure-
     <tr>
       <td>Dockerfile</td>
       <td><a href="https://github.com/hadolint/hadolint">Hadolint</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
@@ -415,12 +415,12 @@ Security and risk management supports checking the languages and infrastructure-
     </tr>
     <tr>
       <td>GitHub Actions</td>
-      <td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a></td>
+      <td><a href="https://github.com/opengrep/opengrep/">Opengrep</a></td>
     </tr>
     <tr>
       <td>Go</td>
-      <td><a href="https://github.com/securego/gosec">Gosec</a><a href="#client-side"> <sup>3</sup></a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+      <td><a href="https://github.com/securego/gosec">Gosec</a><a href="#client-side"> <sup>2</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
@@ -429,18 +429,18 @@ Security and risk management supports checking the languages and infrastructure-
     </tr>
     <tr>
       <td>Helm</td>
-      <td><a href="https://trivy.dev">Trivy</a> <a href="#yaml-only"><sup>2</sup></a></td>
+      <td><a href="https://trivy.dev">Trivy</a> <a href="#yaml-only"><sup>1</sup></a></td>
     </tr>
     <tr>
       <td>Java</td>
-      <td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
-          <a href="https://spotbugs.github.io/">SpotBugs</a><a href="#client-side"> <sup>3</sup></a><a href="#spotbugs-plugin"> <sup>4</sup></a>,
+      <td><a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
+          <a href="https://spotbugs.github.io/">SpotBugs</a><a href="#client-side"> <sup>2</sup></a><a href="#spotbugs-plugin"> <sup>3</sup></a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
       <td>JavaScript</td>
-      <td><a href="https://eslint.org/">ESLint</a> <a href="#eslint-plugin"><sup>5</sup></a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+      <td><a href="https://eslint.org/">ESLint</a> <a href="#eslint-plugin"><sup>4</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
@@ -449,21 +449,21 @@ Security and risk management supports checking the languages and infrastructure-
     </tr>
     <tr>
       <td>Kotlin</td>
-      <td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a></td>
+      <td><a href="https://github.com/opengrep/opengrep/">Opengrep</a></td>
     </tr>
     <tr>
       <td>Kubernetes</td>
-      <td><a href="https://trivy.dev">Trivy</a> <a href="#yaml-only"><sup>2</sup></a></td>
+      <td><a href="https://trivy.dev">Trivy</a> <a href="#yaml-only"><sup>1</sup></a></td>
     </tr>
     <tr>
       <td>Objective-C</td>
-      <td><a href="https://clang.llvm.org/extra/clang-tidy/">Clang-Tidy</a><a href="#client-side"> <sup>3</sup></a></td>
+      <td><a href="https://clang.llvm.org/extra/clang-tidy/">Clang-Tidy</a><a href="#client-side"> <sup>2</sup></a></td>
     </tr>
     <tr>
       <td>PHP</td>
       <td><a href="https://github.com/squizlabs/PHP_CodeSniffer">PHP_CodeSniffer</a>,
           <a href="https://phpmd.org/">PHP Mess Detector</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
@@ -476,39 +476,39 @@ Security and risk management supports checking the languages and infrastructure-
           <a href="https://github.com/landscapeio/prospector">Prospector</a>,
           <a href="https://github.com/pylint-dev/pylint">Pylint</a>,
           <a href="https://docs.astral.sh/ruff/">Ruff</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
       <td>Ruby</td>
       <td><a href="https://brakemanscanner.org/">Brakeman</a>,
           <a href="https://github.com/rubocop/rubocop">RuboCop</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
       <td>Rust</td>
-      <td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+      <td><a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
       <td>Scala</td>
       <td><a href="https://github.com/codacy/codacy-scalameta">Codacy Scalameta Pro</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
-          <a href="https://spotbugs.github.io/">SpotBugs</a><a href="#client-side"> <sup>3</sup></a><a href="#spotbugs-plugin"> <sup>4</sup></a></td>
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
+          <a href="https://spotbugs.github.io/">SpotBugs</a><a href="#client-side"> <sup>2</sup></a><a href="#spotbugs-plugin"> <sup>3</sup></a></td>
     </tr>
     <tr>
       <td>Swift</td>
-      <td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a></td>
+      <td><a href="https://github.com/opengrep/opengrep/">Opengrep</a></td>
     </tr>
     <tr>
       <td>Shell</td>
-      <td><a href="https://www.shellcheck.net/">ShellCheck</a>
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a></td>
+      <td><a href="https://www.shellcheck.net/">ShellCheck</a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a></td>
     </tr>
     <tr>
       <td>Terraform</td>
-      <td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+      <td><a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
@@ -517,8 +517,8 @@ Security and risk management supports checking the languages and infrastructure-
     </tr>
     <tr>
       <td>TypeScript</td>
-      <td><a href="https://eslint.org/">ESLint</a> <a href="#eslint-plugin"><sup>5</sup></a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+      <td><a href="https://eslint.org/">ESLint</a> <a href="#eslint-plugin"><sup>4</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
@@ -551,7 +551,7 @@ You're also able to click any dependency to find out more information about it.
 
 ![Security and risk management dependency page](images/security-risk-management-dependencies-single.png)
 
- The dependency overview page offers a quick bird's-eye view of that particular dependency. You'll be able to see all different versions that are being used, including which repository is using them, the oldest and most recent versions you're leveraging, as well as the highest criticality of security issues, the license <a href="#license-scanning"><sup>6</sup></a> applied to any particular version of that dependency, and the [OSSF Scorecard](#ossf-scorecard) security assessment.
+ The dependency overview page offers a quick bird's-eye view of that particular dependency. You'll be able to see all different versions that are being used, including which repository is using them, the oldest and most recent versions you're leveraging, as well as the highest criticality of security issues, the license <a href="#license-scanning"><sup>5</sup></a> applied to any particular version of that dependency, and the [OSSF Scorecard](#ossf-scorecard) security assessment.
 
 ### OSSF Scorecard {: id="ossf-scorecard"}
 
@@ -577,12 +577,11 @@ This information helps you make informed decisions about the security risks asso
 ![Security and risk management OSSF scorecard report](images/security-risk-management-ossf-scorecard.png)
 
 
-<sup><span id="semgrep">1</span></sup>: Semgrep supports additional security rules when signing up for [Semgrep Pro](https://semgrep.dev/pricing/).  
-<sup><span id="yaml-only">2</span></sup>: Currently, Trivy only supports scanning YAML files on this platform.  
-<sup><span id="client-side">3</span></sup>: Supported as a [client-side tool](../repositories-configure/local-analysis/client-side-tools.md).  
-<sup><span id="spotbugs-plugin">4</span></sup>: Includes the plugin [Find Security Bugs](https://find-sec-bugs.github.io/).  
-<sup><span id="eslint-plugin">5</span></sup>: Includes the plugins [no-unsanitized](https://www.npmjs.com/package/eslint-plugin-no-unsanitized), [security](https://www.npmjs.com/package/eslint-plugin-security), [security-node](https://www.npmjs.com/package/eslint-plugin-security-node), and [xss](https://www.npmjs.com/package/eslint-plugin-xss).  
-<sup><span id="license-scanning">6</span></sup>: Visit the [supported languages and tools](../getting-started/supported-languages-and-tools.md#supported-languages-and-tools) page for a list of supported languages.  
+<sup><span id="yaml-only">1</span></sup>: Currently, Trivy only supports scanning YAML files on this platform.  
+<sup><span id="client-side">2</span></sup>: Supported as a [client-side tool](../repositories-configure/local-analysis/client-side-tools.md).  
+<sup><span id="spotbugs-plugin">3</span></sup>: Includes the plugin [Find Security Bugs](https://find-sec-bugs.github.io/).  
+<sup><span id="eslint-plugin">4</span></sup>: Includes the plugins [no-unsanitized](https://www.npmjs.com/package/eslint-plugin-no-unsanitized), [security](https://www.npmjs.com/package/eslint-plugin-security), [security-node](https://www.npmjs.com/package/eslint-plugin-security-node), and [xss](https://www.npmjs.com/package/eslint-plugin-xss).  
+<sup><span id="license-scanning">5</span></sup>: Visit the [supported languages and tools](../getting-started/supported-languages-and-tools.md#supported-languages-and-tools) page for a list of supported languages.  
 
 
 ## App scanning {: id="app-scanning"}
diff --git a/docs/release-notes/cloud/cloud-2026-02-migrating-semgrep.md b/docs/release-notes/cloud/cloud-2026-02-migrating-semgrep.md
@@ -0,0 +1,11 @@
+---
+rss_title: Codacy release notes RSS feed
+rss_href: /feed_rss_created.xml
+---
+
+
+# Semgrep to Opengrep migration – February 2026
+
+As we previously discussed on our [blog](https://blog.codacy.com/opengrep-vs-semgrep), there have been licensing changes to Semgrep, and Opengrep has emerged as an open-source fork of the Semgrep engine. To ensure your continued access to the existing patterns we have switched to Opengrep.
+
+This change has been performed as a 1:1 replacement, preserving all existing patterns, issue history, and configuration. Going forward, we'll also be able to keep delivering custom Codacy rules to protect you against emerging threats, such as [hidden Unicode character vulnerabilities in rules files](https://blog.codacy.com/vulnerability-in-rules-files-with-hidden-unicode-characters).
diff --git a/docs/release-notes/index.md b/docs/release-notes/index.md
@@ -18,6 +18,7 @@ For product updates that are in progress or planned [visit the Codacy public roa
 
 2026
 
+-   [Semgrep to Opengrep migration February, 2026](cloud/cloud-2026-02-migrating-semgrep.md)
 -   [Cloud January 2026](cloud/cloud-2026-01.md)
 -   [Adding GolangCI-Lint as new supported tool January, 2026](cloud/cloud-2026-01-adding-golangci-lint.md)
 
diff --git a/docs/repositories-configure/codacy-configuration-file.md b/docs/repositories-configure/codacy-configuration-file.md
@@ -203,7 +203,7 @@ roslyn
 rubocop
 ruff
 scalastyle
-semgrep
+opengrep
 shellcheck
 sonarcsharp
 sonarvb
@@ -217,7 +217,7 @@ tsqllint
 
 The following names are **deprecated** and shouldn't be used, although they're still accepted in the Codacy configuration file:
 
--   `bundleraudit` - The tool **bundler-audit** [is deprecated](../release-notes/cloud/cloud-2023-10-13-bundler-audit-deprecation.md). If you are using **Semprep** or **Trivy** instead, use the names `trivy` or `semgrep`.
+-   `bundleraudit` - The tool **bundler-audit** [is deprecated](../release-notes/cloud/cloud-2023-10-13-bundler-audit-deprecation.md). If you are using **Opengrep** or **Trivy** instead, use the names `trivy` or `opengrep`.
 -   `csslint` - The tool **CSSLint** [is deprecated](../release-notes/cloud/cloud-2023-10-25-csslint-jshint-fauxpas-tailor-tslint-deprecation.md). If you are using **Stylelint** instead, use the name `stylelint`.
 -   `eslint` - Use the name `eslint-8` for **ESLint**.
 -   `jshint`, `tslint` - The tools **JSHint** and **TSLint** [are deprecated](../release-notes/cloud/cloud-2023-10-25-csslint-jshint-fauxpas-tailor-tslint-deprecation.md). If you are using **ESLint** instead, use the name `eslint-8`.
diff --git a/docs/repositories-configure/configuring-code-patterns.md b/docs/repositories-configure/configuring-code-patterns.md
@@ -242,7 +242,7 @@ The table below lists the configuration file names that Codacy detects and suppo
     <td></td>
   </tr>
   <tr>
-    <td>Semgrep</td>
+    <td>Opengrep</td>
     <td>Apex, C++, C#, Dockerfile, Elixir, GitHub Actions, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Shell, Swift, Terraform, TypeScript</td>
     <td><code>.semgrep.yaml</code></td>
     <td></td>
diff --git a/docs/repositories-configure/languages.md b/docs/repositories-configure/languages.md
@@ -31,7 +31,7 @@ If your repository contains source files with extensions not supported by Codacy
     {% include-markdown "../assets/includes/update-file-extensions-reanalyze.md" %}
 
 !!! note
-    Currently, the [Semgrep](https://github.com/codacy/codacy-semgrep) static analysis tool doesn't support custom file extensions.
+    Currently, the [Opengrep](https://github.com/codacy/codacy-opengrep) static analysis tool doesn't support custom file extensions.
 
 ## Disabling analysis of a language {: id="disable-language"}
 

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ For product updates that are in progress or planned [visit the Codacy public roa`
`18`	`18`
`19`	`19`	`2026`
`20`	`20`
	`21`	`+- [Semgrep to Opengrep migration February, 2026](cloud/cloud-2026-02-migrating-semgrep.md)`
`21`	`22`	`- [Cloud January 2026](cloud/cloud-2026-01.md)`
`22`	`23`	`- [Adding GolangCI-Lint as new supported tool January, 2026](cloud/cloud-2026-01-adding-golangci-lint.md)`
`23`	`24`