codacy
diff --git a/‎codacy-client/client.go‎
Lines changed: 13 additions & 1 deletion b/‎codacy-client/client.go‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎integration-tests/config-discover/expected/tools-configs/semgrep.yaml‎
Lines changed: 43 additions & 2 deletions b/‎integration-tests/config-discover/expected/tools-configs/semgrep.yaml‎
Lines changed: 43 additions & 2 deletions
diff --git a/‎integration-tests/init-with-token/expected/tools-configs/semgrep.yaml‎
Lines changed: 31 additions & 1 deletion b/‎integration-tests/init-with-token/expected/tools-configs/semgrep.yaml‎
Lines changed: 31 additions & 1 deletion
@@ -177,7 +177,19 @@ func GetDefaultToolPatternsConfig(initFlags domain.InitFlags, toolUUID string, o
 		baseURL += "?enabled=true"
 	}
 
-	return getAllPages(baseURL, initFlags, parseDefaultPatternConfigurations)
+	allPaterns, err := getAllPages(baseURL, initFlags, parseDefaultPatternConfigurations)
+	if err != nil {
+		return nil, err
+	}
+
+	onlyRecommendedPatterns := make([]domain.PatternConfiguration, 0)
+	for _, pattern := range allPaterns {
+		if pattern.PatternDefinition.Enabled {
+			onlyRecommendedPatterns = append(onlyRecommendedPatterns, pattern)
+		}
+	}
+
+	return onlyRecommendedPatterns, nil
 }
 
 // GetRepositoryToolPatterns fetches the patterns for a tool in a repository
 
@@ -29501,6 +29501,43 @@ rules:
             }
         - focus-metavariable: $SECRET
       severity: WARNING
+    - id: terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec
+      languages:
+        - terraform
+      message: Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.
+      metadata:
+        category: security
+        confidence: HIGH
+        cwe:
+            - 'CWE-77: Improper Neutralization of Special Elements used in a Command (''Command Injection'')'
+            - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')'
+        impact: MEDIUM
+        likelihood: HIGH
+        owasp:
+            - A03:2021 - Injection
+            - A01:2017 - Injection
+        references:
+            - https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec
+            - https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec
+        subcategory:
+            - guardrail
+        technology:
+            - terraform
+      patterns:
+        - pattern-either:
+            - pattern: |
+                provisioner "remote-exec" {
+                    ...
+                }
+            - pattern: |
+                provisioner "local-exec" {
+                    ...
+                }
+        - pattern-inside: |
+            resource "aws_instance" "..." {
+                ...
+            }
+      severity: WARNING
     - id: terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention
       languages:
         - hcl
@@ -34374,8 +34411,12 @@ rules:
             - A3:2017 Sensitive Data Exposure
       options:
         generic_ellipsis_max_span: 0
-      pattern: |
-        $PASSWORD VARCHAR2($LENGTH) := $...VALUE;
+      patterns:
+        - pattern: |
+            $PASSWORD VARCHAR2($LENGTH) := $...VALUE;
+        - metavariable-regex:
+            metavariable: $PASSWORD
+            regex: (?i).*(password|motdepasse|heslo|adgangskode|wachtwoord|salasana|passwort|passord|senha|geslo|clave|losenord|clave|parola|secret|pwd).*
       severity: ERROR
     - id: codacy.generic.plsql.resource-injection
       languages:
 
@@ -1,4 +1,21 @@
-rules:
+    - id: bash.lang.correctness.unquoted-expansion.unquoted-variable-expansion-in-command
+        - bash
+      message: Variable expansions must be double-quoted so as to prevent being split into multiple pieces according to whitespace or whichever separator is specified by the IFS variable. If you really wish to split the variable's contents, you may use a variable that starts with an underscore e.g. $_X instead of $X, and semgrep will ignore it. If what you need is an array, consider using a proper bash array.
+        category: correctness
+            - bash
+      patterns:
+        technology:
+      languages:
+      metadata:
+        - pattern-either:
+            - pattern: |
+                ... ${$VAR} ...
+            - pattern: |
+                ... ...${$VAR}... ...
+        - metavariable-regex:
+            metavariable: $VAR
+            regex: '[*@0-9]|[A-Za-z].*'
+      severity: INFO
     - id: clojure.lang.security.use-of-md5.use-of-md5
       languages:
         - clojure
@@ -30,6 +47,19 @@ rules:
         - pattern: (java.security.MessageDigest/getInstance MessageDigestAlgorithms/MD5)
         - pattern: (java.security.MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)
       severity: WARNING
+    - fix: Bitwise.bnot($VAL)
+      id: elixir.lang.best-practice.deprecated-bnot-operator.deprecated_bnot_operator
+      languages:
+        - elixir
+      message: The bitwise operator (`^^^`) is already deprecated. Please use `Bitwise.bnot($VAL)` instead.
+      metadata:
+        category: best-practice
+        references:
+            - https://github.com/elixir-lang/elixir/commit/f1b9d3e818e5bebd44540f87be85979f24b9abfc
+        technology:
+            - elixir
+      pattern: ~~~$VAL
+      severity: WARNING
     - id: codacy.generic.plsql.empty-strings
       languages:
         - generic