codacy · lventura-codacy · May 28, 2026 · May 27, 2026 · May 27, 2026 · May 27, 2026
diff --git a/config/config.go b/config/config.go
@@ -182,10 +182,25 @@ func (c *ConfigType) Tools() map[string]*plugins.ToolInfo {
 	return c.tools
 }
 
+// toolNameAliases maps legacy tool names to their current equivalents
+var toolNameAliases = map[string]string{
+	"semgrep": "opengrep",
+}
+
 func (c *ConfigType) AddTools(configs []plugins.ToolConfig) error {
 	// Get the plugin manager to access tool configurations
 	pluginManager := plugins.GetPluginManager()
 
+	// Resolve any legacy tool name aliases on a copy to avoid mutating the caller's slice
+	resolved := make([]plugins.ToolConfig, len(configs))
+	copy(resolved, configs)
+	for i := range resolved {
+		if alias, ok := toolNameAliases[resolved[i].Name]; ok {
+			resolved[i].Name = alias
+		}
+	}
+	configs = resolved
+
 	// Ensure all required runtimes are present before processing tools
 	for _, toolConfig := range configs {
 		// Get the tool's plugin configuration to access runtime info
@@ -255,6 +270,10 @@ func (c *ConfigType) AddTools(configs []plugins.ToolConfig) error {
 
 // AddToolWithDefaultVersion adds a tool with its default version to the configuration
 func (c *ConfigType) AddToolWithDefaultVersion(toolName string) error {
+	if alias, ok := toolNameAliases[toolName]; ok {
+		toolName = alias
+	}
+
 	// Get the default version for the tool from plugins
 	defaultVersions := plugins.GetToolVersions()
 	version, ok := defaultVersions[toolName]

diff --git a/integration-tests/config-discover/expected/tools-configs/semgrep.yaml b/integration-tests/config-discover/expected/tools-configs/semgrep.yaml
@@ -7290,67 +7290,6 @@ rules:
                     exports.handler = $FUNC
             - pattern: $EVENT
       severity: WARNING
-    - id: javascript.aws-lambda.security.tainted-sql-string.tainted-sql-string
-      languages:
-        - javascript
-        - typescript
-      message: Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.
-      metadata:
-        category: security
-        confidence: MEDIUM
-        cwe:
-            - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')'
-        cwe2021-top25: true
-        cwe2022-top25: true
-        impact: MEDIUM
-        likelihood: LOW
-        owasp:
-            - A01:2017 - Injection
-            - A03:2021 - Injection
-        references:
-            - https://owasp.org/www-community/attacks/SQL_Injection
-        subcategory:
-            - vuln
-        technology:
-            - aws-lambda
-      mode: taint
-      pattern-sinks:
-        - patterns:
-            - pattern-either:
-                - patterns:
-                    - pattern-either:
-                        - pattern: |
-                            "$SQLSTR" + $EXPR
-                        - pattern: |
-                            "$SQLSTR".concat(...)
-                        - pattern: util.format($SQLSTR, ...)
-                    - metavariable-regex:
-                        metavariable: $SQLSTR
-                        regex: .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.*
-                - patterns:
-                    - pattern: |
-                        `...${...}...`
-                    - pattern-regex: |
-                        .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.*
-            - pattern-not-inside: |
-                console.$LOG(...)
-      pattern-sources:
-        - patterns:
-            - pattern-either:
-                - pattern-inside: |
-                    exports.handler = function ($EVENT, ...) {
-                      ...
-                    }
-                - pattern-inside: |
-                    function $FUNC ($EVENT, ...) {...}
-                    ...
-                    exports.handler = $FUNC
-                - pattern-inside: |
-                    $FUNC = function ($EVENT, ...) {...}
-                    ...
-                    exports.handler = $FUNC
-            - pattern: $EVENT
-      severity: ERROR
     - id: javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection
       languages:
         - javascript

diff --git a/integration-tests/init-with-token/expected/codacy.yaml b/integration-tests/init-with-token/expected/codacy.yaml
@@ -4,8 +4,8 @@ runtimes:
     - python@3.11.11
 tools:
     - eslint@8.57.0
-    - lizard@1.17.31
-    - opengrep@1.17.0
+    - lizard@1.22.2
+    - opengrep@1.21.0
     - pmd@6.55.0
     - pylint@4.0.5
-    - trivy@0.69.3
+    - trivy@0.70.0