codacy · heliocodacy · Mar 11, 2026 · Copilot · Mar 11, 2026 · Copilot
diff --git a/.codacy/codacy.yaml b/.codacy/codacy.yaml
@@ -10,6 +10,6 @@ tools:
     - pmd@6.55.0
     - pylint@3.3.9
     - revive@1.12.0
-    - semgrep@1.78.0
-    - trivy@0.66.0
+    - opengrep@1.16.2
+    - trivy@0.69.3
     - dartanalyzer@3.7.2
diff --git a/cmd/analyze.go b/cmd/analyze.go
@@ -273,7 +273,7 @@ var versionedToolNames = map[string]map[int]string{
 
 var simpleToolAliases = map[string]string{
 	"lizard":  "Lizard",
-	"semgrep": "Semgrep",
+	"opengrep": "Opengrep",
 	"pylint":  "pylintpython3",
 	"trivy":   "Trivy",
 }
@@ -405,9 +405,9 @@ func runToolByName(toolName string, workDirectory string, pathsToCheck []string,
 	case "dartanalyzer":
 		binaryPath := tool.Binaries[tool.Runtime]
 		return tools.RunDartAnalyzer(workDirectory, tool.InstallDir, binaryPath, pathsToCheck, outputFile, outputFormat)
-	case "semgrep":
+	case "opengrep":
-	case "opengrep":
+	case "opengrep", "semgrep":
-	case "opengrep":
+	case "opengrep", "semgrep":
 		binaryPath := tool.Binaries[toolName]
-		return tools.RunSemgrep(workDirectory, binaryPath, pathsToCheck, outputFile, outputFormat)
+		return tools.RunOpengrep(workDirectory, binaryPath, pathsToCheck, outputFile, outputFormat)
-		return tools.RunOpengrep(workDirectory, binaryPath, pathsToCheck, outputFile, outputFormat)
+		return tools.RunOpengrep(workDirectory, binaryPath, pathsToCheck, outputFile, outputFormat)
+	case "semgrep":
+		// Backwards compatibility: delegate semgrep to opengrep if available,
+		// otherwise fall back to a semgrep binary if defined.
+		binaryPath, ok := tool.Binaries["opengrep"]
+		if !ok {
+			binaryPath = tool.Binaries["semgrep"]
+		}
+		return tools.RunOpengrep(workDirectory, binaryPath, pathsToCheck, outputFile, outputFormat)
-		return tools.RunOpengrep(workDirectory, binaryPath, pathsToCheck, outputFile, outputFormat)
+		return tools.RunOpengrep(workDirectory, binaryPath, pathsToCheck, outputFile, outputFormat)
+	case "semgrep":
+		// Backwards compatibility: delegate semgrep to opengrep if available,
+		// otherwise fall back to a semgrep binary if defined.
+		binaryPath, ok := tool.Binaries["opengrep"]
+		if !ok {
+			binaryPath = tool.Binaries["semgrep"]
+		}
+		return tools.RunOpengrep(workDirectory, binaryPath, pathsToCheck, outputFile, outputFormat)
 	case "lizard":
 		binaryPath := tool.Binaries[tool.Runtime]
 		return lizard.RunLizard(workDirectory, binaryPath, pathsToCheck, outputFile, outputFormat)

diff --git a/cmd/analyze_integration_test.go b/cmd/analyze_integration_test.go
@@ -114,7 +114,7 @@ func TestToolConfigFileNameMapCompleteness(t *testing.T) {
 		"pmd":          constants.PMDConfigFileName,
 		"pylint":       constants.PylintConfigFileName,
 		"dartanalyzer": constants.DartAnalyzerConfigFileName,
-		"semgrep":      constants.SemgrepConfigFileName,
+		"opengrep":     constants.OpengrepConfigFileName,
 		"revive":       constants.ReviveConfigFileName,
 		"lizard":       constants.LizardConfigFileName,
 	}

diff --git a/cmd/analyze_test.go b/cmd/analyze_test.go
@@ -449,7 +449,7 @@ func TestToolConfigFileNameMap(t *testing.T) {
 		"pmd":          constants.PMDConfigFileName,
 		"pylint":       constants.PylintConfigFileName,
 		"dartanalyzer": constants.DartAnalyzerConfigFileName,
-		"semgrep":      constants.SemgrepConfigFileName,
+		"opengrep":     constants.OpengrepConfigFileName,
 		"revive":       constants.ReviveConfigFileName,
 		"lizard":       constants.LizardConfigFileName,
 	}

diff --git a/cmd/configsetup/tool_creators.go b/cmd/configsetup/tool_creators.go
@@ -24,7 +24,7 @@ var toolConfigRegistry = map[string]ToolConfigCreator{
 	domain.PMD7:         &pmd7ConfigCreator{},
 	domain.PyLint:       &pylintConfigCreator{},
 	domain.DartAnalyzer: &dartAnalyzerConfigCreator{},
-	domain.Semgrep:      &semgrepConfigCreator{},
+	domain.Opengrep:     &opengrepConfigCreator{},
 	domain.Lizard:       &lizardConfigCreator{},
 	domain.Revive:       &reviveConfigCreator{},
 }
@@ -121,23 +121,23 @@ func (d *dartAnalyzerConfigCreator) GetConfigFileName() string {
 }
 func (d *dartAnalyzerConfigCreator) GetToolName() string { return "Dart Analyzer" }
 
-// semgrepConfigCreator implements ToolConfigCreator for Semgrep
-type semgrepConfigCreator struct{}
+// opengrepConfigCreator implements ToolConfigCreator for Opengrep
+type opengrepConfigCreator struct{}
 
-func (s *semgrepConfigCreator) CreateConfig(toolsConfigDir string, patterns []domain.PatternConfiguration) error {
-	configData, err := tools.GetSemgrepConfig(patterns)
+func (s *opengrepConfigCreator) CreateConfig(toolsConfigDir string, patterns []domain.PatternConfiguration) error {
+	configData, err := tools.GetOpengrepConfig(patterns)
 	if err != nil {
-		return fmt.Errorf("failed to create Semgrep config: %v", err)
+		return fmt.Errorf("failed to create Opengrep config: %v", err)
-		return fmt.Errorf("failed to create Opengrep config: %v", err)
+		return fmt.Errorf("failed to create Opengrep config: %w", err)
-		return fmt.Errorf("failed to create Opengrep config: %v", err)
+		return fmt.Errorf("failed to create Opengrep config: %w", err)
 	}
-	err = writeConfigFile(filepath.Join(toolsConfigDir, constants.SemgrepConfigFileName), configData)
+	err = writeConfigFile(filepath.Join(toolsConfigDir, constants.OpengrepConfigFileName), configData)
 	if err == nil {
-		fmt.Println("Semgrep configuration created based on Codacy settings")
+		fmt.Println("Opengrep configuration created based on Codacy settings")
 	}
 	return err
 }
 
-func (s *semgrepConfigCreator) GetConfigFileName() string { return constants.SemgrepConfigFileName }
-func (s *semgrepConfigCreator) GetToolName() string       { return "Semgrep" }
+func (s *opengrepConfigCreator) GetConfigFileName() string { return constants.OpengrepConfigFileName }
+func (s *opengrepConfigCreator) GetToolName() string       { return "Opengrep" }
 
 // lizardConfigCreator implements ToolConfigCreator for Lizard
 type lizardConfigCreator struct{}

diff --git a/cmd/init_test.go b/cmd/init_test.go
@@ -25,7 +25,7 @@ func TestConfigFileTemplate(t *testing.T) {
 				"node@22.2.0",
 				"python@3.11.11",
 				"eslint@8.57.0",
-				"trivy@0.66.0",
+				"trivy@0.69.3",
 				"pylint@3.3.6",
 				"pmd@7.11.0",
 			},

diff --git a/cmd/upload.go b/cmd/upload.go
@@ -55,7 +55,7 @@ var sarifShortNameMap = map[string]string{
 	"Trivy":               "trivy",
 	"Pylint":              "pylintpython3",
 	"dartanalyzer":        "dartanalyzer",
-	"Semgrep":             "semgrep",
+	"Opengrep":            "opengrep",
 	"Lizard":              "lizard",
 	"revive":              "revive",
-	"revive":              "revive",
+	"revive":              "revive",
+	"Semgrep":             "semgrep",
-	"revive":              "revive",
+	"revive":              "revive",
+	"Semgrep":             "semgrep",
 }

diff --git a/config/tools-installer.go b/config/tools-installer.go
@@ -7,6 +7,7 @@ import (
 	"codacy/cli-v2/utils"
 	"codacy/cli-v2/utils/logger"
 	"fmt"
+	"io"
 	"log"
 	"os"
 	"os/exec"
@@ -297,29 +298,43 @@ func installDownloadBasedTool(toolInfo *plugins.ToolInfo) error {
 		return fmt.Errorf("failed to create installation directory: %w", err)
 	}
 
-	// Extract based on file extension
-	logger.Debug("Extracting tool", logrus.Fields{
-		"tool":             toolInfo.Name,
-		"version":          toolInfo.Version,
-		"fileName":         fileName,
-		"extractDirectory": toolInfo.InstallDir,
-	})
+	isArchive := strings.HasSuffix(fileName, ".zip") || strings.HasSuffix(fileName, ".tar.gz") || strings.HasSuffix(fileName, ".tgz")
 
-	if strings.HasSuffix(fileName, ".zip") {
-		err = utils.ExtractZip(file.Name(), toolInfo.InstallDir)
-	} else {
-		err = utils.ExtractTarGz(file, toolInfo.InstallDir)
-	}
+	if isArchive {
+		// Extract based on file extension
+		logger.Debug("Extracting tool", logrus.Fields{
+			"tool":             toolInfo.Name,
+			"version":          toolInfo.Version,
+			"fileName":         fileName,
+			"extractDirectory": toolInfo.InstallDir,
+		})
 
-	if err != nil {
-		return fmt.Errorf("failed to extract tool: %w", err)
-	}
+		if strings.HasSuffix(fileName, ".zip") {
+			err = utils.ExtractZip(file.Name(), toolInfo.InstallDir)
+		} else {
+			err = utils.ExtractTarGz(file, toolInfo.InstallDir)
+		}
+
+		if err != nil {
+			return fmt.Errorf("failed to extract tool: %w", err)
+		}
 
-	// Make sure all binaries are executable
-	for _, binaryPath := range toolInfo.Binaries {
-		err = os.Chmod(filepath.Join(toolInfo.InstallDir, filepath.Base(binaryPath)), constants.DefaultDirPerms)
-		if err != nil && !os.IsNotExist(err) {
-			return fmt.Errorf("failed to make binary executable: %w", err)
+		// Make sure all binaries are executable
+		for _, binaryPath := range toolInfo.Binaries {
+			err = os.Chmod(filepath.Join(toolInfo.InstallDir, filepath.Base(binaryPath)), constants.DefaultDirPerms)
+			if err != nil && !os.IsNotExist(err) {
+				return fmt.Errorf("failed to make binary executable: %w", err)
+			}
+		}
+	} else {
+		// Bare binary — copy directly to the binary destination path
+		logger.Debug("Installing bare binary", logrus.Fields{
+			"tool":         toolInfo.Name,
+			"version":      toolInfo.Version,
+			"downloadPath": downloadPath,
+		})
+		if err = installBareBinary(downloadPath, toolInfo); err != nil {
+			return fmt.Errorf("failed to install binary: %w", err)
 		}
 	}
 
@@ -330,6 +345,44 @@ func installDownloadBasedTool(toolInfo *plugins.ToolInfo) error {
 	return nil
 }
 
+// installBareBinary copies a downloaded bare binary to its destination path and makes it executable.
+func installBareBinary(downloadPath string, toolInfo *plugins.ToolInfo) error {
+	var destPath string
+	for _, p := range toolInfo.Binaries {
+		destPath = p
+		break
+	}
-	for _, p := range toolInfo.Binaries {
-		destPath = p
-		break
-	}
+
+	// Prefer a binary whose key matches the tool name, if present.
+	if p, ok := toolInfo.Binaries[toolInfo.Name]; ok && p != "" {
+		destPath = p
+	} else {
+		// Fallback: if there is exactly one binary entry, use that.
+		switch len(toolInfo.Binaries) {
+		case 0:
+			// Handled below as "no binary destination defined".
+		case 1:
+			for _, p := range toolInfo.Binaries {
+				destPath = p
+				break
+			}
+		default:
+			return fmt.Errorf("multiple binary destinations defined for tool %s and none matches its name", toolInfo.Name)
+		}
+	}
-	for _, p := range toolInfo.Binaries {
-		destPath = p
-		break
-	}
+
+	// Prefer a binary whose key matches the tool name, if present.
+	if p, ok := toolInfo.Binaries[toolInfo.Name]; ok && p != "" {
+		destPath = p
+	} else {
+		// Fallback: if there is exactly one binary entry, use that.
+		switch len(toolInfo.Binaries) {
+		case 0:
+			// Handled below as "no binary destination defined".
+		case 1:
+			for _, p := range toolInfo.Binaries {
+				destPath = p
+				break
+			}
+		default:
+			return fmt.Errorf("multiple binary destinations defined for tool %s and none matches its name", toolInfo.Name)
+		}
+	}
+	if destPath == "" {
+		return fmt.Errorf("no binary destination defined for tool %s", toolInfo.Name)
+	}
-	var destPath string
-	for _, p := range toolInfo.Binaries {
-		destPath = p
-		break
-	}
-	if destPath == "" {
-		return fmt.Errorf("no binary destination defined for tool %s", toolInfo.Name)
-	}
+	if len(toolInfo.Binaries) == 0 {
+		return fmt.Errorf("no binary destination defined for tool %s", toolInfo.Name)
+	}
+	if len(toolInfo.Binaries) > 1 {
+		return fmt.Errorf("multiple binary destinations defined for tool %s; bare binary install supports exactly one", toolInfo.Name)
+	}
+
+	var destPath string
+	for _, p := range toolInfo.Binaries {
+		destPath = p
+	}
-	var destPath string
-	for _, p := range toolInfo.Binaries {
-		destPath = p
-		break
-	}
-	if destPath == "" {
-		return fmt.Errorf("no binary destination defined for tool %s", toolInfo.Name)
-	}
+	if len(toolInfo.Binaries) == 0 {
+		return fmt.Errorf("no binary destination defined for tool %s", toolInfo.Name)
+	}
+	if len(toolInfo.Binaries) > 1 {
+		return fmt.Errorf("multiple binary destinations defined for tool %s; bare binary install supports exactly one", toolInfo.Name)
+	}
+
+	var destPath string
+	for _, p := range toolInfo.Binaries {
+		destPath = p
+	}
+
+	if err := os.MkdirAll(filepath.Dir(destPath), constants.DefaultDirPerms); err != nil {
+		return fmt.Errorf("failed to create binary directory: %w", err)
+	}
+
+	src, err := os.Open(downloadPath)
+	if err != nil {
+		return fmt.Errorf("failed to open downloaded binary: %w", err)
+	}
+	defer src.Close()
+
+	dst, err := os.Create(destPath)
+	if err != nil {
+		return fmt.Errorf("failed to create binary file: %w", err)
+	}
+	defer dst.Close()
+
+	if _, err = io.Copy(dst, src); err != nil {
+		return fmt.Errorf("failed to copy binary: %w", err)
+	}
+
+	if err = os.Chmod(destPath, constants.DefaultDirPerms); err != nil {
+		return fmt.Errorf("failed to make binary executable: %w", err)
+	}
+
+	return nil
+}
+
 func installPythonTool(name string, toolInfo *plugins.ToolInfo) error {
 	logger.Debug("Starting Python tool installation", logrus.Fields{
 		"tool":    toolInfo.Name,

diff --git a/constants/tool_configs.go b/constants/tool_configs.go
@@ -12,7 +12,7 @@ const (
 	PMDConfigFileName          = "ruleset.xml"
 	PylintConfigFileName       = "pylint.rc"
 	DartAnalyzerConfigFileName = "analysis_options.yaml"
-	SemgrepConfigFileName      = "semgrep.yaml"
+	OpengrepConfigFileName     = "semgrep.yaml"
 	ReviveConfigFileName       = "revive.toml"
 	LizardConfigFileName       = "lizard.yaml"
 )
@@ -24,7 +24,7 @@ var ToolConfigFileNames = map[string]string{
 	"pmd":          PMDConfigFileName,
 	"pylint":       PylintConfigFileName,
 	"dartanalyzer": DartAnalyzerConfigFileName,
-	"semgrep":      SemgrepConfigFileName,
+	"opengrep":     OpengrepConfigFileName,
 	"revive":       ReviveConfigFileName,
 	"lizard":       LizardConfigFileName,
 }
diff --git a/domain/tool.go b/domain/tool.go
@@ -28,7 +28,7 @@ const (
 	PMD7         string = "ed7e8287-707d-485a-a0cb-e211004432c2"
 	PyLint       string = "31677b6d-4ae0-4f56-8041-606a8d7a8e61"
 	DartAnalyzer string = "d203d615-6cf1-41f9-be5f-e2f660f7850f"
-	Semgrep      string = "6792c561-236d-41b7-ba5e-9d6bee0d548b"
+	Opengrep     string = "6792c561-236d-41b7-ba5e-9d6bee0d548b"
 	Lizard       string = "76348462-84b3-409a-90d3-955e90abfb87"
 	Revive       string = "bd81d1f4-1406-402d-9181-1274ee09f1aa"
 )
@@ -48,6 +48,6 @@ var SupportedToolsMetadata = map[string]ToolInfo{
 	Trivy:        {Name: "trivy", Priority: 0},
 	DartAnalyzer: {Name: "dartanalyzer", Priority: 0},
 	Lizard:       {Name: "lizard", Priority: 0},
-	Semgrep:      {Name: "semgrep", Priority: 0},
+	Opengrep:     {Name: "opengrep", Priority: 0},
 	Revive:       {Name: "revive", Priority: 0},
 }
diff --git a/integration-tests/config-discover/expected/codacy.yaml b/integration-tests/config-discover/expected/codacy.yaml
@@ -7,7 +7,7 @@ tools:
     - dartanalyzer@3.7.2
     - eslint@8.57.0
     - lizard@1.17.31
+    - opengrep@1.16.2
     - pmd@7.11.0
     - pylint@3.3.6
-    - semgrep@1.78.0
-    - trivy@0.66.0
+    - trivy@0.69.3
diff --git a/integration-tests/config-discover/expected/tools-configs/languages-config.yaml b/integration-tests/config-discover/expected/tools-configs/languages-config.yaml
@@ -23,11 +23,11 @@ tools:
       languages: [Go]
       extensions: [.go]
       files: []
-    - name: semgrep
+    - name: opengrep
       languages: [Apex, C, CPP, CSharp, Dockerfile, Go, Java, Javascript, Kotlin, PHP, PLSQL, Python, Ruby, Rust, SQL, Scala, Shell, Swift, Terraform, TypeScript, YAML]
-      extensions: [.bash, .c, .cc, .cls, .cpp, .cs, .cxx, .dockerfile, .fnc, .gemspec, .go, .h, .hpp, .ino, .java, .jbuilder, .js, .jsm, .jsx, .kt, .kts, .mjs, .opal, .pck, .php, .pkb, .pkh, .pks, .plb, .pld, .plh, .pls, .podspec, .prc, .py, .rake, .rb, .rlib, .rs, .scala, .sh, .sql, .swift, .tf, .tpb, .tps, .trg, .trigger, .ts, .tsx, .tyb, .typ, .vue, .yaml, .yml]
+      extensions: [.bash, .c, .cc, .cls, .cpp, .cs, .cxx, .dockerfile, .env, .fnc, .gemspec, .go, .h, .hpp, .ino, .java, .jbuilder, .js, .jsm, .jsx, .kt, .kts, .mjs, .opal, .pck, .php, .pkb, .pkh, .pks, .plb, .pld, .plh, .pls, .podspec, .prc, .py, .rake, .rb, .rlib, .rs, .scala, .sh, .sql, .swift, .tf, .tpb, .tps, .trg, .trigger, .ts, .tsx, .tyb, .typ, .vue, .yaml, .yml]
       files: []
     - name: trivy
       languages: [C, CPP, CSharp, Dart, Dockerfile, Elixir, Go, JSON, Java, Javascript, PHP, Python, Ruby, Rust, Scala, Swift, Terraform, TypeScript, XML, YAML]
-      extensions: [.c, .cc, .cpp, .cs, .cxx, .dart, .dockerfile, .ex, .exs, .gemspec, .go, .h, .hpp, .ino, .java, .jbuilder, .js, .jsm, .json, .jsx, .mjs, .opal, .php, .podspec, .pom, .py, .rake, .rb, .rlib, .rs, .scala, .swift, .tf, .ts, .tsx, .vue, .wsdl, .xml, .xsl, .yaml, .yml]
-      files: [.deps.json, Berksfile, Capfile, Cargo.lock, Cheffile, Directory.Packages.props, Dockerfile, Fastfile, Gemfile, Gemfile.lock, Guardfile, Package.resolved, Packages.props, Pipfile.lock, Podfile, Podfile.lock, Rakefile, Thorfile, Vagabondfile, Vagrantfile, build.sbt.lock, composer.lock, conan.lock, config.ru, go.mod, gradle.lockfile, mix.lock, package-lock.json, package.json, packages.config, packages.lock.json, pnpm-lock.yaml, poetry.lock, pom.xml, pubspec.lock, requirements.txt, uv.lock, yarn.lock]
+      extensions: [.c, .cc, .cpp, .cs, .cxx, .dart, .dockerfile, .env, .ex, .exs, .gemspec, .go, .h, .hpp, .ino, .java, .jbuilder, .js, .jsm, .json, .jsx, .mjs, .opal, .php, .podspec, .pom, .py, .rake, .rb, .rlib, .rs, .scala, .swift, .tf, .ts, .tsx, .vue, .wsdl, .xml, .xsl, .yaml, .yml]
+      files: [.deps.json, .env, .env.dev, .env.development, .env.prod, .env.production, .env.staging, Berksfile, Capfile, Cargo.lock, Cheffile, Directory.Packages.props, Dockerfile, Fastfile, Gemfile, Gemfile.lock, Guardfile, Package.resolved, Packages.props, Pipfile.lock, Podfile, Podfile.lock, Rakefile, Thorfile, Vagabondfile, Vagrantfile, build.sbt.lock, composer.lock, conan.lock, config.ru, go.mod, gradle.lockfile, mix.lock, package-lock.json, package.json, packages.config, packages.lock.json, pnpm-lock.yaml, poetry.lock, pom.xml, pubspec.lock, requirements.txt, uv.lock, yarn.lock]
diff --git a/integration-tests/init-with-token/expected/codacy.yaml b/integration-tests/init-with-token/expected/codacy.yaml
@@ -5,7 +5,7 @@ runtimes:
 tools:
     - eslint@8.57.0
     - lizard@1.17.31
+    - opengrep@1.16.2
     - pmd@6.55.0
     - pylint@3.3.9
-    - semgrep@1.78.0
-    - trivy@0.66.0
+    - trivy@0.69.3
diff --git a/integration-tests/init-with-token/expected/tools-configs/languages-config.yaml b/integration-tests/init-with-token/expected/tools-configs/languages-config.yaml
@@ -15,7 +15,7 @@ tools:
       languages: [Python]
       extensions: [.py]
       files: []
-    - name: semgrep
+    - name: opengrep
       languages: [Java, Javascript, Python]
       extensions: [.java, .js, .jsm, .jsx, .mjs, .py, .vue]
       files: []

diff --git a/integration-tests/init-without-token/expected/codacy.yaml b/integration-tests/init-without-token/expected/codacy.yaml
@@ -8,8 +8,8 @@ tools:
     - dartanalyzer@3.7.2
     - eslint@8.57.0
     - lizard@1.17.31
+    - opengrep@1.16.2
     - pmd@7.11.0
     - pylint@3.3.6
     - revive@1.7.0
-    - semgrep@1.78.0
-    - trivy@0.66.0
+    - trivy@0.69.3
diff --git a/integration-tests/init-without-token/expected/tools-configs/languages-config.yaml b/integration-tests/init-without-token/expected/tools-configs/languages-config.yaml
@@ -23,11 +23,11 @@ tools:
       languages: [Go]
       extensions: [.go]
       files: []
-    - name: semgrep
+    - name: opengrep
       languages: [Apex, C, CPP, CSharp, Dockerfile, Go, Java, Javascript, Kotlin, PHP, PLSQL, Python, Ruby, Rust, SQL, Scala, Shell, Swift, Terraform, TypeScript, YAML]
-      extensions: [.bash, .c, .cc, .cls, .cpp, .cs, .cxx, .dockerfile, .fnc, .gemspec, .go, .h, .hpp, .ino, .java, .jbuilder, .js, .jsm, .jsx, .kt, .kts, .mjs, .opal, .pck, .php, .pkb, .pkh, .pks, .plb, .pld, .plh, .pls, .podspec, .prc, .py, .rake, .rb, .rlib, .rs, .scala, .sh, .sql, .swift, .tf, .tpb, .tps, .trg, .trigger, .ts, .tsx, .tyb, .typ, .vue, .yaml, .yml]
+      extensions: [.bash, .c, .cc, .cls, .cpp, .cs, .cxx, .dockerfile, .env, .fnc, .gemspec, .go, .h, .hpp, .ino, .java, .jbuilder, .js, .jsm, .jsx, .kt, .kts, .mjs, .opal, .pck, .php, .pkb, .pkh, .pks, .plb, .pld, .plh, .pls, .podspec, .prc, .py, .rake, .rb, .rlib, .rs, .scala, .sh, .sql, .swift, .tf, .tpb, .tps, .trg, .trigger, .ts, .tsx, .tyb, .typ, .vue, .yaml, .yml]
       files: []
     - name: trivy
       languages: [C, CPP, CSharp, Dart, Dockerfile, Elixir, Go, JSON, Java, Javascript, PHP, Python, Ruby, Rust, Scala, Swift, Terraform, TypeScript, XML, YAML]
-      extensions: [.c, .cc, .cpp, .cs, .cxx, .dart, .dockerfile, .ex, .exs, .gemspec, .go, .h, .hpp, .ino, .java, .jbuilder, .js, .jsm, .json, .jsx, .mjs, .opal, .php, .podspec, .pom, .py, .rake, .rb, .rlib, .rs, .scala, .swift, .tf, .ts, .tsx, .vue, .wsdl, .xml, .xsl, .yaml, .yml]
-      files: [.deps.json, Berksfile, Capfile, Cargo.lock, Cheffile, Directory.Packages.props, Dockerfile, Fastfile, Gemfile, Gemfile.lock, Guardfile, Package.resolved, Packages.props, Pipfile.lock, Podfile, Podfile.lock, Rakefile, Thorfile, Vagabondfile, Vagrantfile, build.sbt.lock, composer.lock, conan.lock, config.ru, go.mod, gradle.lockfile, mix.lock, package-lock.json, package.json, packages.config, packages.lock.json, pnpm-lock.yaml, poetry.lock, pom.xml, pubspec.lock, requirements.txt, uv.lock, yarn.lock]
+      extensions: [.c, .cc, .cpp, .cs, .cxx, .dart, .dockerfile, .env, .ex, .exs, .gemspec, .go, .h, .hpp, .ino, .java, .jbuilder, .js, .jsm, .json, .jsx, .mjs, .opal, .php, .podspec, .pom, .py, .rake, .rb, .rlib, .rs, .scala, .swift, .tf, .ts, .tsx, .vue, .wsdl, .xml, .xsl, .yaml, .yml]
+      files: [.deps.json, .env, .env.dev, .env.development, .env.prod, .env.production, .env.staging, Berksfile, Capfile, Cargo.lock, Cheffile, Directory.Packages.props, Dockerfile, Fastfile, Gemfile, Gemfile.lock, Guardfile, Package.resolved, Packages.props, Pipfile.lock, Podfile, Podfile.lock, Rakefile, Thorfile, Vagabondfile, Vagrantfile, build.sbt.lock, composer.lock, conan.lock, config.ru, go.mod, gradle.lockfile, mix.lock, package-lock.json, package.json, packages.config, packages.lock.json, pnpm-lock.yaml, poetry.lock, pom.xml, pubspec.lock, requirements.txt, uv.lock, yarn.lock]
diff --git a/plugins/shared.go b/plugins/shared.go
@@ -27,6 +27,7 @@ type DownloadConfig struct {
 	FileNameTemplate string            `yaml:"file_name_template"`
 	Extension        ExtensionConfig   `yaml:"extension"`
 	ArchMapping      map[string]string `yaml:"arch_mapping"`
+	OSArchMapping    map[string]string `yaml:"os_arch_mapping"`
 	OSMapping        map[string]string `yaml:"os_mapping"`
 	ReleaseVersion   string            `yaml:"release_version,omitempty"`
 }

diff --git a/plugins/tool-utils.go b/plugins/tool-utils.go
@@ -159,8 +159,12 @@ func ProcessTools(configs []ToolConfig, toolDir string, runtimes map[string]*Run
 
 		// Handle download configuration for directly downloaded tools
 		if pluginConfig.Download.URLTemplate != "" {
-			// Get the mapped architecture
+			// Get the mapped architecture, with optional OS-specific override
 			mappedArch := GetMappedArch(pluginConfig.Download.ArchMapping, runtime.GOARCH)
+			osArchKey := fmt.Sprintf("%s_%s", runtime.GOOS, runtime.GOARCH)
+			if override, ok := pluginConfig.Download.OSArchMapping[osArchKey]; ok {
+				mappedArch = override
+			}
 
 			// Get the mapped OS
 			mappedOS := GetMappedOS(pluginConfig.Download.OSMapping, runtime.GOOS)

diff --git a/plugins/tool-utils_test.go b/plugins/tool-utils_test.go
@@ -169,7 +169,7 @@ func TestGetSupportedTools(t *testing.T) {
 				"pylint",
 				"trivy",
 				"dartanalyzer",
-				"semgrep",
+				"opengrep",
 				"lizard",
 				"codacy-enigma-cli",
 				"revive",

diff --git a/plugins/tools/opengrep/embedded/opengrep.go b/plugins/tools/opengrep/embedded/opengrep.go
@@ -0,0 +1,17 @@
+// Package embedded provides access to embedded Opengrep rules.
+package embedded
+
+import "embed"
+
+//go:embed rules.yaml
+var rulesFS embed.FS
+
+// GetOpengrepRules returns the embedded Opengrep rules.
+// Opengrep is compatible with the semgrep rule format, so the same rules are used.
+func GetOpengrepRules() []byte {
+	data, err := rulesFS.ReadFile("rules.yaml")
+	if err != nil {
+		panic(err) // This should never happen as the file is embedded
+	}
+	return data
+}
diff --git a/plugins/tools/semgrep/embedded/rules.yaml → plugins/tools/opengrep/embedded/rules.yaml b/plugins/tools/semgrep/embedded/rules.yaml → plugins/tools/opengrep/embedded/rules.yaml