feat: Add opengrep migration docs CF-2184

lventura-codacy · lventura-codacy · commit 45c2f82f0a5e · 2026-02-19T13:57:09.000Z
diff --git a/.github/styles/config/vocabularies/Codacy/accept.txt b/.github/styles/config/vocabularies/Codacy/accept.txt
@@ -57,6 +57,7 @@ monorepo
 namespace
 OAuth
 onboarding
+Opengrep
 PHP_CodeSniffer
 PHPUnit
 plaintext
@@ -75,7 +76,6 @@ sbt
 Scalameta
 Scalastyle
 SCSSLint
-Semgrep
 Serverless
 severities
 ShellCheck
diff --git a/docs/getting-started/supported-languages-and-tools.md b/docs/getting-started/supported-languages-and-tools.md
diff --git a/docs/organizations/managing-security-and-risk.md b/docs/organizations/managing-security-and-risk.md
@@ -369,7 +369,7 @@ Security and risk management supports checking the languages and infrastructure-
     <tr>
       <td>Apex</td>
       <td><a href="https://pmd.github.io/">PMD</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a></td>
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a> </td>
     </tr>
     <tr>
       <td>AWS CloudFormation</td>
@@ -381,21 +381,21 @@ Security and risk management supports checking the languages and infrastructure-
       <td><a href="https://clang.llvm.org/extra/clang-tidy/">Clang-Tidy</a><a href="#client-side"> <sup>3</sup></a>,
           <a href="http://cppcheck.sourceforge.net/">Cppcheck</a>,
           <a href="https://dwheeler.com/flawfinder/">Flawfinder</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
       <td>C#</td>
       <td><a href="https://github.com/SonarSource/sonar-dotnet">SonarC#</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
       <td>C++</td>
       <td><a href="https://clang.llvm.org/extra/clang-tidy/">Clang-Tidy</a><a href="#client-side"> <sup>3</sup></a>,
           <a href="http://cppcheck.sourceforge.net/">Cppcheck</a>,
           <a href="https://dwheeler.com/flawfinder/">Flawfinder</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
@@ -405,7 +405,7 @@ Security and risk management supports checking the languages and infrastructure-
     <tr>
       <td>Dockerfile</td>
       <td><a href="https://github.com/hadolint/hadolint">Hadolint</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
@@ -415,12 +415,12 @@ Security and risk management supports checking the languages and infrastructure-
     </tr>
     <tr>
       <td>GitHub Actions</td>
-      <td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a></td>
+      <td><a href="https://github.com/opengrep/opengrep/">Opengrep</a></td>
     </tr>
     <tr>
       <td>Go</td>
       <td><a href="https://github.com/securego/gosec">Gosec</a><a href="#client-side"> <sup>3</sup></a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
@@ -433,14 +433,14 @@ Security and risk management supports checking the languages and infrastructure-
     </tr>
     <tr>
       <td>Java</td>
-      <td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+      <td><a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://spotbugs.github.io/">SpotBugs</a><a href="#client-side"> <sup>3</sup></a><a href="#spotbugs-plugin"> <sup>4</sup></a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
       <td>JavaScript</td>
       <td><a href="https://eslint.org/">ESLint</a> <a href="#eslint-plugin"><sup>5</sup></a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
@@ -449,7 +449,7 @@ Security and risk management supports checking the languages and infrastructure-
     </tr>
     <tr>
       <td>Kotlin</td>
-      <td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a></td>
+      <td><a href="https://github.com/opengrep/opengrep/">Opengrep</a></td>
     </tr>
     <tr>
       <td>Kubernetes</td>
@@ -463,7 +463,7 @@ Security and risk management supports checking the languages and infrastructure-
       <td>PHP</td>
       <td><a href="https://github.com/squizlabs/PHP_CodeSniffer">PHP_CodeSniffer</a>,
           <a href="https://phpmd.org/">PHP Mess Detector</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
@@ -476,39 +476,39 @@ Security and risk management supports checking the languages and infrastructure-
           <a href="https://github.com/landscapeio/prospector">Prospector</a>,
           <a href="https://github.com/pylint-dev/pylint">Pylint</a>,
           <a href="https://docs.astral.sh/ruff/">Ruff</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
       <td>Ruby</td>
       <td><a href="https://brakemanscanner.org/">Brakeman</a>,
           <a href="https://github.com/rubocop/rubocop">RuboCop</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
       <td>Rust</td>
-      <td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+      <td><a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
       <td>Scala</td>
       <td><a href="https://github.com/codacy/codacy-scalameta">Codacy Scalameta Pro</a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://spotbugs.github.io/">SpotBugs</a><a href="#client-side"> <sup>3</sup></a><a href="#spotbugs-plugin"> <sup>4</sup></a></td>
     </tr>
     <tr>
       <td>Swift</td>
-      <td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a></td>
+      <td><a href="https://github.com/opengrep/opengrep/">Opengrep</a></td>
     </tr>
     <tr>
       <td>Shell</td>
       <td><a href="https://www.shellcheck.net/">ShellCheck</a>
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a></td>
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a></td>
     </tr>
     <tr>
       <td>Terraform</td>
-      <td><a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+      <td><a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
@@ -518,7 +518,7 @@ Security and risk management supports checking the languages and infrastructure-
     <tr>
       <td>TypeScript</td>
       <td><a href="https://eslint.org/">ESLint</a> <a href="#eslint-plugin"><sup>5</sup></a>,
-          <a href="https://semgrep.dev/">Semgrep</a> <a href="#semgrep"><sup>1</sup></a>,
+          <a href="https://github.com/opengrep/opengrep/">Opengrep</a>,
           <a href="https://trivy.dev">Trivy</a></td>
     </tr>
     <tr>
@@ -577,7 +577,6 @@ This information helps you make informed decisions about the security risks asso
 ![Security and risk management OSSF scorecard report](images/security-risk-management-ossf-scorecard.png)
 
 
-<sup><span id="semgrep">1</span></sup>: Semgrep supports additional security rules when signing up for [Semgrep Pro](https://semgrep.dev/pricing/).  
 <sup><span id="yaml-only">2</span></sup>: Currently, Trivy only supports scanning YAML files on this platform.  
 <sup><span id="client-side">3</span></sup>: Supported as a [client-side tool](../repositories-configure/local-analysis/client-side-tools.md).  
 <sup><span id="spotbugs-plugin">4</span></sup>: Includes the plugin [Find Security Bugs](https://find-sec-bugs.github.io/).  
diff --git a/docs/release-notes/cloud/cloud-2026-02-migrating-semgrep.md b/docs/release-notes/cloud/cloud-2026-02-migrating-semgrep.md
@@ -0,0 +1,11 @@
+---
+rss_title: Codacy release notes RSS feed
+rss_href: /feed_rss_created.xml
+---
+
+
+# Semgrep to Opengrep migration – February 2026
+
+As we previously discussed on our [blog](https://blog.codacy.com/opengrep-vs-semgrep), there have been licensing changes to Semgrep, and Opengrep has emerged as an open-source fork of the Semgrep engine. To ensure your continued access to the existing patterns we have switched to Opengrep.
+
+This change has been performed as a 1:1 replacement, preserving all existing patterns, issue history, and configuration. Going forward, we'll also be able to keep delivering custom Codacy rules to protect you against emerging threats, such as [hidden Unicode character vulnerabilities in rules files](https://blog.codacy.com/vulnerability-in-rules-files-with-hidden-unicode-characters).
diff --git a/docs/release-notes/index.md b/docs/release-notes/index.md
@@ -18,6 +18,7 @@ For product updates that are in progress or planned [visit the Codacy public roa
 
 2026
 
+-   [Semgrep to Opengrep migration February, 2026](cloud/cloud-2026-02-migrating-semgrep.md)
 -   [Cloud January 2026](cloud/cloud-2026-01.md)
 -   [Adding GolangCI-Lint as new supported tool January, 2026](cloud/cloud-2026-01-adding-golangci-lint.md)
 
diff --git a/docs/repositories-configure/codacy-configuration-file.md b/docs/repositories-configure/codacy-configuration-file.md
@@ -203,7 +203,7 @@ roslyn
 rubocop
 ruff
 scalastyle
-semgrep
+opengrep
 shellcheck
 sonarcsharp
 sonarvb
@@ -217,7 +217,7 @@ tsqllint
 
 The following names are **deprecated** and shouldn't be used, although they're still accepted in the Codacy configuration file:
 
--   `bundleraudit` - The tool **bundler-audit** [is deprecated](../release-notes/cloud/cloud-2023-10-13-bundler-audit-deprecation.md). If you are using **Semprep** or **Trivy** instead, use the names `trivy` or `semgrep`.
+-   `bundleraudit` - The tool **bundler-audit** [is deprecated](../release-notes/cloud/cloud-2023-10-13-bundler-audit-deprecation.md). If you are using **Opengrep** or **Trivy** instead, use the names `trivy` or `opengrep`.
 -   `csslint` - The tool **CSSLint** [is deprecated](../release-notes/cloud/cloud-2023-10-25-csslint-jshint-fauxpas-tailor-tslint-deprecation.md). If you are using **Stylelint** instead, use the name `stylelint`.
 -   `eslint` - Use the name `eslint-8` for **ESLint**.
 -   `jshint`, `tslint` - The tools **JSHint** and **TSLint** [are deprecated](../release-notes/cloud/cloud-2023-10-25-csslint-jshint-fauxpas-tailor-tslint-deprecation.md). If you are using **ESLint** instead, use the name `eslint-8`.
diff --git a/docs/repositories-configure/configuring-code-patterns.md b/docs/repositories-configure/configuring-code-patterns.md
@@ -242,7 +242,7 @@ The table below lists the configuration file names that Codacy detects and suppo
     <td></td>
   </tr>
   <tr>
-    <td>Semgrep</td>
+    <td>Opengrep</td>
     <td>Apex, C++, C#, Dockerfile, Elixir, GitHub Actions, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Shell, Swift, Terraform, TypeScript</td>
     <td><code>.semgrep.yaml</code></td>
     <td></td>
diff --git a/docs/repositories-configure/languages.md b/docs/repositories-configure/languages.md
@@ -31,7 +31,7 @@ If your repository contains source files with extensions not supported by Codacy
     {% include-markdown "../assets/includes/update-file-extensions-reanalyze.md" %}
 
 !!! note
-    Currently, the [Semgrep](https://github.com/codacy/codacy-semgrep) static analysis tool doesn't support custom file extensions.
+    Currently, the [Opengrep](https://github.com/codacy/codacy-opengrep) static analysis tool doesn't support custom file extensions.
 
 ## Disabling analysis of a language {: id="disable-language"}
 

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ For product updates that are in progress or planned [visit the Codacy public roa`
`18`	`18`
`19`	`19`	`2026`
`20`	`20`
	`21`	`+- [Semgrep to Opengrep migration February, 2026](cloud/cloud-2026-02-migrating-semgrep.md)`
`21`	`22`	`- [Cloud January 2026](cloud/cloud-2026-01.md)`
`22`	`23`	`- [Adding GolangCI-Lint as new supported tool January, 2026](cloud/cloud-2026-01-adding-golangci-lint.md)`
`23`	`24`