replace semgrep with opengrep

[heliocodacy]

No description provided.

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ -0.19% (target: -0.50%)	❌ 9.78% (target: 50.00%)

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (da0cd76)	5948	1305	21.94%
Head commit (03e501f)	5990 (+42)	1303 (-2)	21.75% (-0.19%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#195)	92	9	9.78%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

[codacy-production]

Codacy's Analysis Summary

0 new issue (≤ 1 medium issue)
0 new security issue (≤ 0 issue)
12 complexity
-1 duplications
More details

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes. Give us feedback}

[Copilot]

Pull request overview

This PR updates the CLI’s static-analysis integration to use Opengrep (a Semgrep-compatible fork) and adjusts plugin/tooling infrastructure to support downloading Opengrep as a standalone binary.

Changes:

• Add a new opengrep tool plugin (download-based, bare-binary install) and wire the analyzer runner to execute Opengrep.
• Update config generation and integration-test fixtures to use opengrep@1.16.2 in place of semgrep@1.78.0.
• Extend tool download processing to support OS+arch-specific arch overrides and non-archive (“bare”) binaries; extend Codacy client requests to support project-token auth.

Reviewed changes

Copilot reviewed 32 out of 32 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
tools/semgrepRunner.go	Renames Semgrep runner to RunOpengrep and updates messages/config detection.
tools/semgrepConfigCreator.go	Renames Semgrep config helpers to Opengrep equivalents; uses Opengrep embedded rules.
tools/semgrepConfigCreator_test.go	Updates tests to use Opengrep embedded rules + renamed types/functions.
plugins/tools/opengrep/plugin.yaml	New Opengrep plugin definition (download-based).
plugins/tools/opengrep/embedded/opengrep.go	Exposes Opengrep rules by reusing Semgrep embedded rules.
plugins/tools/opengrep/test/src/test_file.py	Adds a Python fixture file intended to trigger Opengrep rules.
plugins/tools/opengrep/test/src/.codacy/tools-configs/semgrep.yml	Adds a Semgrep-format rules file for Opengrep tool tests.
plugins/tools/opengrep/test/src/.codacy/codacy.yaml	Adds Opengrep tool test config pinned to opengrep@1.16.2.
plugins/tool-utils.go	Adds OS+arch override support when mapping architectures for downloads.
plugins/shared.go	Extends DownloadConfig with os_arch_mapping.
plugins/tool-utils_test.go	Updates supported-tools test expectations to include opengrep.
config/tools-installer.go	Adds support for installing tools distributed as a bare binary (non-archive).
domain/tool.go	Renames tool UUID constant/metadata from Semgrep to Opengrep.
domain/initFlags.go	Adds ProjectToken to init flags struct.
codacy-client/client.go	Adds project-token support for GET requests and selects token type from flags.
codacy-client/client_test.go	Updates tests for new getRequest signature.
cmd/analyze.go	Switches tool execution wiring from semgrep to opengrep.
cmd/configsetup/tool_creators.go	Switches config creator registry from Semgrep to Opengrep.
cmd/configsetup/default_config.go	Allows remote config generation if project token is present.
cmd/init.go	Treats presence of ProjectToken as non-local mode.
cmd/upload.go	Updates SARIF tool-name mapping for Opengrep.
constants/tool_configs.go	Renames Semgrep config constant/key to Opengrep (still uses semgrep.yaml).
cmd/analyze_test.go	Updates tool config filename map expectations for Opengrep.
cmd/analyze_integration_test.go	Updates tool config filename map expectations for Opengrep.
plugins/tools/trivy/test/src/.codacy/tools-configs/languages-config.yaml	Replaces semgrep tool entry with opengrep in fixture config.
integration-tests/init-without-token/expected/tools-configs/languages-config.yaml	Replaces semgrep with opengrep in expected output.
integration-tests/init-without-token/expected/codacy.yaml	Updates expected default tool list to opengrep@1.16.2.
integration-tests/init-with-token/expected/tools-configs/languages-config.yaml	Replaces semgrep with opengrep in expected output.
integration-tests/init-with-token/expected/codacy.yaml	Updates expected tool list to opengrep@1.16.2.
integration-tests/config-discover/expected/tools-configs/languages-config.yaml	Replaces semgrep with opengrep in expected output.
integration-tests/config-discover/expected/codacy.yaml	Updates expected tool list to opengrep@1.16.2.
.codacy/codacy.yaml	Updates repo’s own Codacy config to use Opengrep (also removes Flutter runtime and dartanalyzer).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

This PR is titled "replace semgrep with opengrep", but this file also removes the Flutter runtime from the repo’s Codacy configuration. If Flutter is still needed (e.g., for dartanalyzer or other checks), this change will alter CI/tool installation behavior and looks out of scope for the PR title—consider keeping it or moving it to a separate PR with justification.

[Copilot]

This PR is titled "replace semgrep with opengrep", but this file also removes dartanalyzer from the repo’s Codacy tool list. Unless the intent is to stop analyzing Dart/Flutter projects, this is a behavior change that looks out of scope—consider keeping dartanalyzer here or moving this change to a separate PR with rationale.

[Copilot]

runToolByName no longer handles the "semgrep" tool name, but the repository still ships the plugins/tools/semgrep plugin and plugins.GetSupportedTools() will report it as supported. This means users with existing codacy.yaml configs that still reference semgrep will pass validation but fail at runtime with "unsupported tool". Consider keeping a case "semgrep" that routes to Opengrep (or otherwise adding an explicit alias/normalization so semgrep configs keep working).

Suggested change

	case "opengrep":
	case "opengrep", "semgrep":

[Copilot]

sarifShortNameMap no longer includes a mapping for "Semgrep". If a SARIF file was generated by Semgrep (or by older CLI versions) the upload flow may fail to resolve the tool short name/patterns. Either keep the "Semgrep": "semgrep" entry for backward compatibility, or ensure Semgrep is fully removed/unsupported end-to-end (including supported tools and docs).

Suggested change

	"revive": "revive",
	"revive": "revive",
	"Semgrep": "semgrep",

[Copilot]

cliLocalMode now depends on initFlags.ProjectToken, but cmdutils.AddCloudFlags does not define a --project-token flag for init, so ProjectToken will always be empty and remote init via project token is effectively unreachable. Add a flag (or another input mechanism) that populates InitFlags.ProjectToken, and update the local/remote mode messaging accordingly.

[Copilot]

Remote config generation now allows initFlags.ProjectToken, but there is currently no CLI flag wiring that sets InitFlags.ProjectToken for these commands (AddCloudFlags only binds api-token/provider/org/repo). As written, this branch will never be taken when users provide only a project token. Consider binding --project-token into InitFlags and ensuring remote mode works with either token type.

[Copilot]

installBareBinary selects the destination by taking the first value from toolInfo.Binaries, which is a map (iteration order is random). This can become nondeterministic/incorrect if a download-based tool ever defines multiple binaries. Consider selecting a specific key (e.g., tool name) or explicitly erroring unless exactly one binary path is defined.

Suggested change

	var destPath string
	for _, p := range toolInfo.Binaries {
	destPath = p
	break
	}
	if destPath == "" {
	return fmt.Errorf("no binary destination defined for tool %s", toolInfo.Name)
	}
	if len(toolInfo.Binaries) == 0 {
	return fmt.Errorf("no binary destination defined for tool %s", toolInfo.Name)
	}
	if len(toolInfo.Binaries) > 1 {
	return fmt.Errorf("multiple binary destinations defined for tool %s; bare binary install supports exactly one", toolInfo.Name)
	}
	var destPath string
	for _, p := range toolInfo.Binaries {
	destPath = p
	}

[machadoit]

There are some changes that I am not sure why they are mixed in this PR. Can we have separate PRs if there is a requirement for this changes to be in place or what is happening here?

[machadoit]

Why is this a change on the scope of replacing the tool?

[Copilot]

Pull request overview

Copilot reviewed 28 out of 28 changed files in this pull request and generated 6 comments.

Comments suppressed due to low confidence (1)

plugins/tool-utils_test.go:177

• This test asserts semgrep is a supported tool. However, the CLI’s execution switch no longer supports semgrep (only opengrep), so the current state is inconsistent: semgrep is advertised as supported but cannot be run. Either drop semgrep from the supported tools expectation (and remove/stop embedding the semgrep plugin), or reintroduce semgrep support/aliasing in the CLI.

			name: "should return supported tools",
			expectedTools: []string{
				"eslint",
				"pmd",
				"pylint",
				"trivy",
				"dartanalyzer",
				"opengrep",
				"semgrep",
				"lizard",
				"codacy-enigma-cli",
				"revive",
			},

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

cmd.Run() errors are only treated as fatal when they are not an *exec.ExitError. This means any non-zero exit code from opengrep (including genuine runtime/config failures) is silently ignored, even though the comment says only findings are expected. Consider checking the exit code (e.g., accept only the “findings” code, and treat other non-zero codes as errors) so opengrep execution failures don’t get swallowed.

[Copilot]

GetSupportedTools() will still report semgrep as supported because plugins/tools/semgrep/plugin.yaml is still embedded, but runToolByName no longer has a case "semgrep". This leads to a confusing flow where validateToolName("semgrep") succeeds and then execution fails with “unsupported tool: semgrep”. Either keep a semgrep case (possibly delegating to opengrep for backwards compatibility) or remove/stop embedding the semgrep plugin so it’s not advertised as supported.

Suggested change

	return tools.RunOpengrep(workDirectory, binaryPath, pathsToCheck, outputFile, outputFormat)
	return tools.RunOpengrep(workDirectory, binaryPath, pathsToCheck, outputFile, outputFormat)
	case "semgrep":
	// Backwards compatibility: delegate semgrep to opengrep if available,
	// otherwise fall back to a semgrep binary if defined.
	binaryPath, ok := tool.Binaries["opengrep"]
	if !ok {
	binaryPath = tool.Binaries["semgrep"]
	}
	return tools.RunOpengrep(workDirectory, binaryPath, pathsToCheck, outputFile, outputFormat)

[Copilot]

plugins/tools/opengrep/embedded currently imports plugins/tools/semgrep/embedded and re-exports its rules. If the intent is to replace semgrep, this creates an unnecessary coupling (and makes removing the semgrep plugin/rules impossible later). Consider moving rules.yaml to a shared location (or embedding a copy under opengrep) so opengrep doesn’t depend on the semgrep package.

Suggested change

	import semgrepEmbedded "codacy/cli-v2/plugins/tools/semgrep/embedded"
	// GetOpengrepRules returns the embedded Opengrep rules.
	// Opengrep is compatible with the semgrep rule format, so the same rules are used.
	func GetOpengrepRules() []byte {
	return semgrepEmbedded.GetSemgrepRules()
	import "embed"
	//go:embed rules.yaml
	var opengrepRules []byte
	// GetOpengrepRules returns the embedded Opengrep rules.
	// Opengrep is compatible with the semgrep rule format, so the same rules are used.
	func GetOpengrepRules() []byte {
	return opengrepRules

[Copilot]

The inline expectation comment for os.system(...) references subprocess-shell-true, but the provided tool config includes a dedicated python.lang.security.audit.os-system.os-system rule for os.system(...) (and semgrep’s expected SARIF uses that ruleId). Update the comment to the correct rule id to avoid misleading test fixtures / SARIF snippets.

Suggested change

	os.system(user_input) # opengrep: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true
	os.system(user_input) # opengrep: python.lang.security.audit.os-system.os-system

[Copilot]

InitFlags now includes ProjectToken, but cmdutils.AddCloudFlags (used by init/analyze) only binds ApiToken, Provider, Organization, and Repository. As-is, initFlags.ProjectToken will always stay empty for those commands. Add a --project-token flag binding (or a dedicated flag helper) and ensure downstream code paths use it consistently.

[Copilot]

Pull request overview

Copilot reviewed 28 out of 28 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

plugins/tool-utils_test.go:176

• The supported-tools test still expects semgrep to be present, but the CLI execution path no longer supports running semgrep (no switch case in runToolByName). Please align this test with the actual supported/runnable tool set (either remove semgrep here if it’s being replaced, or restore semgrep handling in the CLI).

			expectedTools: []string{
				"eslint",
				"pmd",
				"pylint",
				"trivy",
				"dartanalyzer",
				"opengrep",
				"semgrep",
				"lizard",
				"codacy-enigma-cli",
				"revive",

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

There’s a new tool test fixture for opengrep, but there is no corresponding plugins/tools/opengrep/test/expected.sarif. The run-tool-tests.sh harness expects that file for each tool and will fail without it. Add an expected SARIF output for this fixture (or update the harness/CI configuration if opengrep tool tests aren’t meant to run yet).

Suggested change

	tools:
	- opengrep@1.16.2
	tools: []

[Copilot]

This error wrap uses %v, which loses the underlying error for callers that want to unwrap/inspect it. Use %w when returning the error so it can be unwrapped (consistent with other error returns in this file).

Suggested change

	return fmt.Errorf("failed to create Opengrep config: %v", err)
	return fmt.Errorf("failed to create Opengrep config: %w", err)

[Copilot]

Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

The tool test harness (run-tool-tests.sh, invoked by integration-tests/test-tools.sh) expects every tool with plugins/tools/<tool>/test/src to also provide plugins/tools/<tool>/test/expected.sarif. The new plugins/tools/opengrep/test/ directory currently has no expected.sarif, so the opengrep tool tests will fail when the script tries to sort/compare the expected output. Add an expected.sarif fixture for opengrep (and ensure its driver name/version match opengrep output).

[Copilot]

This file is still named semgrepRunner.go but it now contains the Opengrep runner (RunOpengrep). Renaming the file to opengrepRunner.go (and similarly for other semgrep-* files that now implement Opengrep behavior) would keep the tools/ package consistent and make it easier to find the right implementation via filename search.

[Copilot]

This file is still named semgrepConfigCreator.go, but it now defines Opengrep-specific types/functions (e.g., opengrepRulesFile, GetOpengrepConfig). Renaming the file to opengrepConfigCreator.go would reduce confusion and keep filenames aligned with their contents.

[Copilot]

Pull request overview

Copilot reviewed 31 out of 33 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (1)

plugins/tools/opengrep/test/src/.codacy/codacy.yaml:4

• opengrep is a download-based tool and does not require a Python runtime, but this test fixture config declares python@3.11.11. Removing the unnecessary runtime dependency will speed up cli-v2 install during tool tests and reduce the chance of runtime-install related failures.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

The opengrep tool test fixture directory does not include an expected.sarif file. run-tool-tests.sh expects plugins/tools/<tool>/test/expected.sarif to exist and will fail for opengrep without it. Add the expected SARIF output for the opengrep test (or adjust the tool test setup so it doesn’t require this file).

[Copilot]

In the bare-binary branch, the previously opened file handle is unused (and installBareBinary re-opens the same path). Consider only opening the downloaded file inside the archive-extraction branch, or change installBareBinary to accept an io.Reader/already-open *os.File to avoid redundant opens and simplify control flow.

[Copilot]

installBareBinary picks the destination by taking the first value from the toolInfo.Binaries map. Map iteration order is non-deterministic, so this can select the wrong destination if a tool ever declares multiple binaries. Consider selecting a specific key (e.g., toolInfo.Binaries[toolInfo.Name]) or explicitly erroring unless exactly one binary destination is defined.

Suggested change

	for _, p := range toolInfo.Binaries {
	destPath = p
	break
	}
	// Prefer a binary whose key matches the tool name, if present.
	if p, ok := toolInfo.Binaries[toolInfo.Name]; ok && p != "" {
	destPath = p
	} else {
	// Fallback: if there is exactly one binary entry, use that.
	switch len(toolInfo.Binaries) {
	case 0:
	// Handled below as "no binary destination defined".
	case 1:
	for _, p := range toolInfo.Binaries {
	destPath = p
	break
	}
	default:
	return fmt.Errorf("multiple binary destinations defined for tool %s and none matches its name", toolInfo.Name)
	}
	}

[Copilot]

Pull request overview

Copilot reviewed 34 out of 36 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

plugins/tools/opengrep/test/src/.codacy/codacy.yaml:4

• The tool-test harness (run-tool-tests.sh) expects an expected.sarif at plugins/tools/<tool>/test/expected.sarif. The new opengrep tool has a test/src directory but no test/expected.sarif, so tool tests will fail when they reach sort_sarif "$EXPECTED_SARIF" .... Add an expected.sarif for opengrep (or adjust the harness to skip tools without one).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

destPath comes from toolInfo.Binaries, which is built using path.Join (forward slashes). Using filepath.Dir(destPath)/os.Create(destPath) here can produce inconsistent results on Windows when paths contain mixed separators. Consider normalizing destPath with filepath.FromSlash/filepath.Clean (or constructing binary paths with filepath.Join consistently) before creating directories/files.

[Copilot]

Pull request overview

Copilot reviewed 35 out of 37 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

getToolName now has an explicit alias for Opengrep, but TestGetToolName doesn't include any cases for opengrep (or the SARIF driver variant like "opengrep oss"). Adding test cases here would help prevent regressions in SARIF upload/analyze flows that rely on this mapping.

[Copilot]

getToolName is called with strings.ToLower(run.Tool.Driver.Name) when processing SARIF uploads, but Opengrep's SARIF driver name is typically "Opengrep OSS". With the current alias map, "opengrep oss" won't be normalized to "Opengrep", so loadsToolAndPatterns won't find the tool and uploads can silently contain no issues. Consider normalizing SARIF tool names (e.g., strip a trailing " oss" / take the first token) or adding an explicit alias for "opengrep oss" -> "Opengrep".

[Copilot]

installDownloadBasedTool opens the downloaded file before checking whether it's an archive, but the file handle isn't used in the bare-binary branch (it gets reopened in installBareBinary). Consider moving os.Open(downloadPath) inside the isArchive branch (or passing the already-open file into installBareBinary) to avoid redundant I/O and simplify control flow.

[Copilot]

The file is still named semgrepRunner.go but now only exposes RunOpengrep. Renaming the file to opengrepRunner.go would keep filenames aligned with the tool name and make future navigation/searching less confusing.