From cf8752d268585ecc63b62d3fc01356176f2c0418 Mon Sep 17 00:00:00 2001
From: Sebastian Mendel
Date: Sat, 18 Apr 2026 03:31:44 +0200
Subject: [PATCH 1/2] feat(catalog): add opengrep (fully-OSS Semgrep fork)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Opengrep is an LGPL-2.1 fork of Semgrep that keeps the full analysis engine open-source and avoids the Semgrep Community rule registry's CC-BY-NC-SA restrictions. The CLI is drop-in compatible, so existing semgrep rules and .semgrepignore files work unchanged.
- catalog/opengrep.json: github_release_binary install, auto-update on
- catalog/COVERAGE.md: bump tool count 55 → 56
- upstream_versions.json: cache latest baseline (1.19.0)
Semgrep entry is retained; both tools coexist in the catalog so teams can choose based on licensing needs.
Signed-off-by: Sebastian Mendel
---
 catalog/COVERAGE.md | 8 ++++----
 catalog/opengrep.json | 16 ++++++++++++++++
 upstream_versions.json | 9 ++++++++-
 3 files changed, 28 insertions(+), 5 deletions(-)
 create mode 100644 catalog/opengrep.json
diff --git a/catalog/COVERAGE.md b/catalog/COVERAGE.md
index 6cdb2fd..c9c7979 100644
--- a/catalog/COVERAGE.md
+++ b/catalog/COVERAGE.md
@@ -2,16 +2,16 @@ This file documents which tools have catalog entries and which use dedicated install scripts.
-## Tools with Catalog Entries (55)
+## Tools with Catalog Entries (56)
 These tools use the catalog-based installation system with generic installers:
 - ansible, ast-grep, aws, bandit, bat, black, codex, composer, curlie, dasel
 - delta, direnv, dive, entr, fd, flake8, fx, fzf, gem, gemini, gh, git-absorb
 - git-branchless, git-lfs, gitleaks, glab, golangci-lint, httpie, isort, just
-- kubectl, ninja, npm, parallel, pip, pipx, pnpm, poetry, pre-commit, prettier
-- rga, ripgrep, ruff, sd, semgrep, shellcheck, shfmt, sponge, terraform, tfsec
-- trivy, watchexec, xsv, yarn, yq
+- kubectl, ninja, npm, opengrep, parallel, pip, pipx, pnpm, poetry, pre-commit
+- prettier, rga, ripgrep, ruff, sd, semgrep, shellcheck, shfmt, sponge, terraform
+- tfsec, trivy, watchexec, xsv, yarn, yq
 ## Tools with Dedicated Install Scripts
diff --git a/catalog/opengrep.json b/catalog/opengrep.json
new file mode 100644
index 0000000..e5776e1
--- /dev/null
+++ b/catalog/opengrep.json
@@ -0,0 +1,16 @@
+{
+ "name": "opengrep",
+ "category": "devops",
+ "install_method": "github_release_binary",
+ "description": "Fully open-source static analysis (SAST) engine — CLI-compatible fork of Semgrep (LGPL-2.1)",
+ "homepage": "https://github.com/opengrep/opengrep",
+ "github_repo": "opengrep/opengrep",
+ "binary_name": "opengrep",
+ "download_url_template": "https://github.com/opengrep/opengrep/releases/download/{version}/opengrep_manylinux_{arch}",
+ "arch_map": {
+ "x86_64": "x86",
+ "aarch64": "aarch64"
+ },
+ "version_flag": "--version",
+ "auto_update": true
+}
diff --git a/upstream_versions.json b/upstream_versions.json
index 89a8c17..d4ff5bf 100644
--- a/upstream_versions.json
+++ b/upstream_versions.json
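Review bot: `"auto_update": true` together with `"install_method": "github_release_binary"` means every future asset behind `download_url_template` will be fetched and executed with no integrity check visible in this entry — there is no checksum, digest or signature field, so a compromised release or maintainer account lands on every host at the next update cycle without anyone reviewing it. If the catalog schema has a checksum/sidecar or attestation field (no other entry is visible here to compare against), wire it for this asset; if it does not, consider `"auto_update": false` so updates arrive through a reviewed bump of `upstream_versions.json`, which is effectively a pinned version. Two smaller points: `"x86_64": "x86"` presumably mirrors the upstream asset name rather than a 32-bit build, and `{version}` is substituted without a `v` prefix, which matches the cached `latest_tag` `1.19.0` but will break silently if upstream ever changes its tag scheme. Strict JSON leaves no room for a comment, so a one-line note on both in COVERAGE.md next to the opengrep entry would save the next reader a trip to the releases page.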
@@ -539,6 +539,13 @@
 "latest_version": "4.50.1",
 "tool_url": "https://github.com/mikefarah/yq",
 "upstream_method": "gh"
+ },
+ "opengrep": {
+ "latest_tag": "1.19.0",
+ "latest_url": "https://github.com/opengrep/opengrep/releases/tag/1.19.0",
+ "latest_version": "1.19.0",
+ "tool_url": "https://github.com/opengrep/opengrep",
+ "upstream_method": "gh"
 }
 }
-}
\ No newline at end of file
+}
From 5ccd1dda5ce027ab7a409865829fd716a87dc6fd Mon Sep 17 00:00:00 2001
From: Sebastian Mendel
Date: Sat, 18 Apr 2026 03:37:49 +0200
Subject: [PATCH 2/2] =?UTF-8?q?fix(catalog):=20address=20PR=20review=20?= =?UTF-8?q?=E2=80=94=20COVERAGE=20totals=20and=20alphabetical=20baseline?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- COVERAGE.md: bump github_release_binary 31→32, total 69→71, catalog entries 54→56 (all follow-ons to the opengrep addition that were missed in the first commit)
- upstream_versions.json: move opengrep alphabetically between npm and parallel (rest of file was already sorted)
Signed-off-by: Sebastian Mendel
---
 catalog/COVERAGE.md | 6 +++---
 upstream_versions.json | 28 ++++++++++++++--------------
 2 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/catalog/COVERAGE.md b/catalog/COVERAGE.md
index c9c7979..21db9a0 100644
--- a/catalog/COVERAGE.md
+++ b/catalog/COVERAGE.md
@@ -46,7 +46,7 @@ Most now in catalog, one dedicated script:
 ## Installation Method Distribution
-- **github_release_binary**: 31 tools
+- **github_release_binary**: 32 tools
 - **uv_tool**: 8 tools (Python CLI tools)
 - **package_manager**: 10 tools (pip, pipx, poetry, npm, pnpm, yarn, gem, composer, sponge, entr)
 - **hashicorp_zip**: 1 tool (terraform)
@@ -56,9 +56,9 @@ Most now in catalog, one dedicated script:
 - **dedicated_script**: 10 tools (runtimes: go, rust, python, node; special: uv, docker, git, ctags, gam)
 - **system_package**: 2 tools (cscope, rename variants)
-## Total: 69 tools tracked
+## Total: 71 tools tracked
-- **54 tools** have catalog entries
+- **56 tools** have catalog entries
 - **10 tools** use dedicated scripts (runtimes + special cases)
 - **5 tools** are system packages only
diff --git a/upstream_versions.json b/upstream_versions.json
index d4ff5bf..af73ed7 100644
--- a/upstream_versions.json
+++ b/upstream_versions.json
@@ -175,6 +175,13 @@
 "tool_url": "https://github.com/GAM-team/GAM",
 "upstream_method": "gh"
 },
+ "gem": {
+ "latest_tag": "bundler-v4.0.2",
+ "latest_url": "https://github.com/rubygems/rubygems/releases/tag/bundler-v4.0.2",
+ "latest_version": "4.0.2",
+ "tool_url": "https://github.com/rubygems/rubygems",
+ "upstream_method": "gh"
+ },
 "gemini": {
 "latest_tag": "v0.28.2",
 "latest_url": "https://github.com/google-gemini/gemini-cli/releases/tag/v0.28.2",
@@ -183,13 +190,6 @@
 "upstream_method": "npm",
 "npm_package": "@google/gemini-cli"
 },
- "gem": {
- "latest_tag": "bundler-v4.0.2",
- "latest_url": "https://github.com/rubygems/rubygems/releases/tag/bundler-v4.0.2",
- "latest_version": "4.0.2",
- "tool_url": "https://github.com/rubygems/rubygems",
- "upstream_method": "gh"
- },
 "gh": {
 "latest_tag": "2.83.2",
 "latest_url": "https://github.com/cli/cli/releases/tag/2.83.2",
@@ -330,6 +330,13 @@
 "tool_url": "https://www.npmjs.com/package/npm",
 "upstream_method": "npm"
 },
+ "opengrep": {
+ "latest_tag": "1.19.0",
+ "latest_url": "https://github.com/opengrep/opengrep/releases/tag/1.19.0",
+ "latest_version": "1.19.0",
+ "tool_url": "https://github.com/opengrep/opengrep",
+ "upstream_method": "gh"
+ },
 "parallel": {
 "latest_tag": "20251122",
 "latest_url": "",
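Review bot: The relocated `gem` entry keys its baseline on `"latest_tag": "bundler-v4.0.2"` from the shared rubygems/rubygems repository, which reads like a Bundler release rather than a RubyGems one, so a version check of the `gem` binary against `"latest_version": "4.0.2"` may never agree and could leave the tool permanently flagged as outdated or repeatedly re-installed. This commit only moves the entry, so the value predates it, but since the lines are re-added on the new side it is a good moment to confirm which tag pattern the `gh` upstream resolver should select for `gem` — presumably `v*` rather than `bundler-v*`. Nothing in this hunk shows how `latest_version` is derived, so treat this as a question to settle rather than a confirmed defect.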
@@ -539,13 +546,6 @@
 "latest_version": "4.50.1",
 "tool_url": "https://github.com/mikefarah/yq",
 "upstream_method": "gh"
- },
- "opengrep": {
- "latest_tag": "1.19.0",
- "latest_url": "https://github.com/opengrep/opengrep/releases/tag/1.19.0",
- "latest_version": "1.19.0",
- "tool_url": "https://github.com/opengrep/opengrep",
- "upstream_method": "gh"
 }
 }
 }