npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@codacy/tools-opengrep-1

v0.2.0

Published

Opengrep adapter — CLI-mode multi-language SAST scanner

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

codacy-cicodacy-cialerizzoalerizzo

Keywords

Readme

@codacy/tools-opengrep-1

Table of Contents

Overview

Multi-language SAST (Static Application Security Testing) scanner using the Opengrep binary. Supports 30+ languages via YAML rule files. Uses the CLI execution strategy.

| Property | Value | |----------|-------| | Tool ID | Semgrep (legacy, for Codacy platform compatibility) | | Display name | Opengrep | | Codacy UUID | 6792c561-236d-41b7-ba5e-9d6bee0d548b | | Strategy | CLI | | Languages | 30+ (Python, JavaScript, TypeScript, Java, Go, Ruby, C, C++, etc.) | | Binary | opengrep | | File patterns | * (auto-detects by language) | | Pattern count | ~2500 | | Extra dependency | yaml (for YAML rule config parsing/generation) |

Rule bundling

Opengrep uses YAML rule files for detection. The adapter bundles ~2200 rules into src/rules.yaml, sourced from:

  1. semgrep/semgrep-rules — community rules (pinned at commit 4ccd3b9)
  2. GitLab SAST rules — MIT-licensed rules from gitlab.com/gitlab-org/security-products/sast-rules
  3. Codacy custom rules — from codacy/codacy-opengrep wrapper repo

The bundled src/rules.yaml is committed to the repository for consistency and reproducibility.

Updating patterns

# Re-fetch pattern metadata from the Codacy API
pnpm prefetch

# Commit the result
git add src/patterns.json

Pattern IDs follow the format Semgrep_python.lang.security.audit.exec-detected.exec-detected (dot-separated rule paths).

Updating rules

# Re-fetch and bundle rules from all three sources
pnpm fetch-rules

# This clones the rule repos, extracts matching rules, and writes src/rules.yaml
# Only rules whose IDs match src/patterns.json are included

# Commit the result
git add src/rules.yaml

The fetch-rules script (scripts/fetch-rules.mjs):

  • Clones semgrep/semgrep-rules at the pinned commit
  • Clones GitLab SAST rules (latest)
  • Clones codacy/codacy-opengrep for custom rules
  • Extracts rules, assigns path-based IDs
  • Filters to only rules matching src/patterns.json
  • Writes concatenated YAML to src/rules.yaml

To update the pinned semgrep-rules commit, edit SEMGREP_RULES_COMMIT in scripts/fetch-rules.mjs.

Updating the Opengrep version

  1. Update preferredVersion in src/adapter.ts
  2. Run pnpm test to verify compatibility
  3. Consider re-running pnpm fetch-rules if the new version supports new rule syntax

Development

pnpm build        # Build with tsup
pnpm test         # Run tests (requires opengrep in PATH)
pnpm fetch-rules  # Re-bundle rules from upstream sources
pnpm prefetch     # Re-fetch pattern metadata from Codacy API

Opengrep must be installed manually:

curl -fsSL https://raw.githubusercontent.com/opengrep/opengrep/main/install.sh | bash

Notes for maintainers

  • Tool ID is Semgrep for legacy compatibility with the Codacy platform. The displayName is set to Opengrep for CLI display. Never change the tool ID without coordinating with the Codacy platform team.
  • Config materialization: When Codacy patterns are specified, the adapter loads src/rules.yaml, filters to enabled rules, and writes a filtered config to .codacy/generated/opengrep-rules.yaml.
  • check_id prefix stripping: Opengrep prepends a path-based namespace to check_ids derived from the config file path relative to cwd. The adapter computes and strips this prefix (e.g. codacy.generated.) plus any tmp. legacy prefix.
  • Config file search: .semgrep.yaml, .opengrep.yaml, .semgrep.yml, .opengrep.yml (in that order).
  • Opengrep errors: Parse errors (syntax errors, partial parsing) from Opengrep's JSON errors array are converted to structured AnalysisError objects with filePath. Stderr (scan status table) is logged at debug level only.
  • Rule ID format: Semgrep-rules use {dir}.{filename}.{ruleId} (dots), GitLab rules use {dir}_{filename} (underscores), Codacy custom rules keep their original IDs.