diff --git a/.codemapignore b/.codemapignore
new file mode 100644
index 0000000000..0d77320097
--- /dev/null
+++ b/.codemapignore
@@ -0,0 +1,19 @@
+# -*- sh -*-
+# gitignore-like file for Codemap (see https://github.com/aryx/codemap)
+# The goal here is to just show and count the rules in codemap
+
+# skipping all files, targets and rules (but rules will be restored below)
+[a-z]*/**/*.*
+
+# restore directories which are not languages
+# coupling: see scripts/run-test rule_folders variable
+!libsonnet/
+!scripts/
+!stats/
+# restore also fingerprints/ ? trusted_python/ ?
+
+# do not skip the rules
+![a-z]*/**/*.yaml
+
+# pad stuff
+/TODO/
diff --git a/.github/rulerascal/poetry.lock b/.github/rulerascal/poetry.lock
index beb8a2aa0c..142f898a07 100644
--- a/.github/rulerascal/poetry.lock
+++ b/.github/rulerascal/poetry.lock
@@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 1.5.1 and should not be changed by hand. +# This file is automatically @generated by Poetry 1.6.1 and should not be changed by hand. [[package]] name = "aiogpt" 
@@ -16,98 +16,98 @@ aiohttp = "*" [[package]] name = "aiohttp" -version = "3.8.5" +version = "3.8.6" description = "Async http client/server framework (asyncio)" optional = false python-versions = ">=3.6" files = [ - {file = "aiohttp-3.8.5-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:a94159871304770da4dd371f4291b20cac04e8c94f11bdea1c3478e557fbe0d8"}, - {file = "aiohttp-3.8.5-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:13bf85afc99ce6f9ee3567b04501f18f9f8dbbb2ea11ed1a2e079670403a7c84"}, - {file = "aiohttp-3.8.5-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:2ce2ac5708501afc4847221a521f7e4b245abf5178cf5ddae9d5b3856ddb2f3a"}, - {file = "aiohttp-3.8.5-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:96943e5dcc37a6529d18766597c491798b7eb7a61d48878611298afc1fca946c"}, - {file = "aiohttp-3.8.5-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:2ad5c3c4590bb3cc28b4382f031f3783f25ec223557124c68754a2231d989e2b"}, - {file = "aiohttp-3.8.5-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0c413c633d0512df4dc7fd2373ec06cc6a815b7b6d6c2f208ada7e9e93a5061d"}, - {file = "aiohttp-3.8.5-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:df72ac063b97837a80d80dec8d54c241af059cc9bb42c4de68bd5b61ceb37caa"}, - {file = "aiohttp-3.8.5-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c48c5c0271149cfe467c0ff8eb941279fd6e3f65c9a388c984e0e6cf57538e14"}, - {file = "aiohttp-3.8.5-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:368a42363c4d70ab52c2c6420a57f190ed3dfaca6a1b19afda8165ee16416a82"}, - {file = "aiohttp-3.8.5-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:7607ec3ce4993464368505888af5beb446845a014bc676d349efec0e05085905"}, - {file = "aiohttp-3.8.5-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:0d21c684808288a98914e5aaf2a7c6a3179d4df11d249799c32d1808e79503b5"}, - {file = 
"aiohttp-3.8.5-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:312fcfbacc7880a8da0ae8b6abc6cc7d752e9caa0051a53d217a650b25e9a691"}, - {file = "aiohttp-3.8.5-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:ad093e823df03bb3fd37e7dec9d4670c34f9e24aeace76808fc20a507cace825"}, - {file = "aiohttp-3.8.5-cp310-cp310-win32.whl", hash = "sha256:33279701c04351a2914e1100b62b2a7fdb9a25995c4a104259f9a5ead7ed4802"}, - {file = "aiohttp-3.8.5-cp310-cp310-win_amd64.whl", hash = "sha256:6e4a280e4b975a2e7745573e3fc9c9ba0d1194a3738ce1cbaa80626cc9b4f4df"}, - {file = "aiohttp-3.8.5-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:ae871a964e1987a943d83d6709d20ec6103ca1eaf52f7e0d36ee1b5bebb8b9b9"}, - {file = "aiohttp-3.8.5-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:461908b2578955045efde733719d62f2b649c404189a09a632d245b445c9c975"}, - {file = "aiohttp-3.8.5-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:72a860c215e26192379f57cae5ab12b168b75db8271f111019509a1196dfc780"}, - {file = "aiohttp-3.8.5-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cc14be025665dba6202b6a71cfcdb53210cc498e50068bc088076624471f8bb9"}, - {file = "aiohttp-3.8.5-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:8af740fc2711ad85f1a5c034a435782fbd5b5f8314c9a3ef071424a8158d7f6b"}, - {file = "aiohttp-3.8.5-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:841cd8233cbd2111a0ef0a522ce016357c5e3aff8a8ce92bcfa14cef890d698f"}, - {file = "aiohttp-3.8.5-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5ed1c46fb119f1b59304b5ec89f834f07124cd23ae5b74288e364477641060ff"}, - {file = "aiohttp-3.8.5-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:84f8ae3e09a34f35c18fa57f015cc394bd1389bce02503fb30c394d04ee6b938"}, - {file = "aiohttp-3.8.5-cp311-cp311-musllinux_1_1_aarch64.whl", hash = 
"sha256:62360cb771707cb70a6fd114b9871d20d7dd2163a0feafe43fd115cfe4fe845e"}, - {file = "aiohttp-3.8.5-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:23fb25a9f0a1ca1f24c0a371523546366bb642397c94ab45ad3aedf2941cec6a"}, - {file = "aiohttp-3.8.5-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:b0ba0d15164eae3d878260d4c4df859bbdc6466e9e6689c344a13334f988bb53"}, - {file = "aiohttp-3.8.5-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:5d20003b635fc6ae3f96d7260281dfaf1894fc3aa24d1888a9b2628e97c241e5"}, - {file = "aiohttp-3.8.5-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:0175d745d9e85c40dcc51c8f88c74bfbaef9e7afeeeb9d03c37977270303064c"}, - {file = "aiohttp-3.8.5-cp311-cp311-win32.whl", hash = "sha256:2e1b1e51b0774408f091d268648e3d57f7260c1682e7d3a63cb00d22d71bb945"}, - {file = "aiohttp-3.8.5-cp311-cp311-win_amd64.whl", hash = "sha256:043d2299f6dfdc92f0ac5e995dfc56668e1587cea7f9aa9d8a78a1b6554e5755"}, - {file = "aiohttp-3.8.5-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:cae533195e8122584ec87531d6df000ad07737eaa3c81209e85c928854d2195c"}, - {file = "aiohttp-3.8.5-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4f21e83f355643c345177a5d1d8079f9f28b5133bcd154193b799d380331d5d3"}, - {file = "aiohttp-3.8.5-cp36-cp36m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a7a75ef35f2df54ad55dbf4b73fe1da96f370e51b10c91f08b19603c64004acc"}, - {file = "aiohttp-3.8.5-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2e2e9839e14dd5308ee773c97115f1e0a1cb1d75cbeeee9f33824fa5144c7634"}, - {file = "aiohttp-3.8.5-cp36-cp36m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c44e65da1de4403d0576473e2344828ef9c4c6244d65cf4b75549bb46d40b8dd"}, - {file = "aiohttp-3.8.5-cp36-cp36m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:78d847e4cde6ecc19125ccbc9bfac4a7ab37c234dd88fbb3c5c524e8e14da543"}, - {file = 
"aiohttp-3.8.5-cp36-cp36m-musllinux_1_1_aarch64.whl", hash = "sha256:c7a815258e5895d8900aec4454f38dca9aed71085f227537208057853f9d13f2"}, - {file = "aiohttp-3.8.5-cp36-cp36m-musllinux_1_1_i686.whl", hash = "sha256:8b929b9bd7cd7c3939f8bcfffa92fae7480bd1aa425279d51a89327d600c704d"}, - {file = "aiohttp-3.8.5-cp36-cp36m-musllinux_1_1_ppc64le.whl", hash = "sha256:5db3a5b833764280ed7618393832e0853e40f3d3e9aa128ac0ba0f8278d08649"}, - {file = "aiohttp-3.8.5-cp36-cp36m-musllinux_1_1_s390x.whl", hash = "sha256:a0215ce6041d501f3155dc219712bc41252d0ab76474615b9700d63d4d9292af"}, - {file = "aiohttp-3.8.5-cp36-cp36m-musllinux_1_1_x86_64.whl", hash = "sha256:fd1ed388ea7fbed22c4968dd64bab0198de60750a25fe8c0c9d4bef5abe13824"}, - {file = "aiohttp-3.8.5-cp36-cp36m-win32.whl", hash = "sha256:6e6783bcc45f397fdebc118d772103d751b54cddf5b60fbcc958382d7dd64f3e"}, - {file = "aiohttp-3.8.5-cp36-cp36m-win_amd64.whl", hash = "sha256:b5411d82cddd212644cf9360879eb5080f0d5f7d809d03262c50dad02f01421a"}, - {file = "aiohttp-3.8.5-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:01d4c0c874aa4ddfb8098e85d10b5e875a70adc63db91f1ae65a4b04d3344cda"}, - {file = "aiohttp-3.8.5-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e5980a746d547a6ba173fd5ee85ce9077e72d118758db05d229044b469d9029a"}, - {file = "aiohttp-3.8.5-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:2a482e6da906d5e6e653be079b29bc173a48e381600161c9932d89dfae5942ef"}, - {file = "aiohttp-3.8.5-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:80bd372b8d0715c66c974cf57fe363621a02f359f1ec81cba97366948c7fc873"}, - {file = "aiohttp-3.8.5-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c1161b345c0a444ebcf46bf0a740ba5dcf50612fd3d0528883fdc0eff578006a"}, - {file = "aiohttp-3.8.5-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = 
"sha256:cd56db019015b6acfaaf92e1ac40eb8434847d9bf88b4be4efe5bfd260aee692"}, - {file = "aiohttp-3.8.5-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:153c2549f6c004d2754cc60603d4668899c9895b8a89397444a9c4efa282aaf4"}, - {file = "aiohttp-3.8.5-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:4a01951fabc4ce26ab791da5f3f24dca6d9a6f24121746eb19756416ff2d881b"}, - {file = "aiohttp-3.8.5-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:bfb9162dcf01f615462b995a516ba03e769de0789de1cadc0f916265c257e5d8"}, - {file = "aiohttp-3.8.5-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:7dde0009408969a43b04c16cbbe252c4f5ef4574ac226bc8815cd7342d2028b6"}, - {file = "aiohttp-3.8.5-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:4149d34c32f9638f38f544b3977a4c24052042affa895352d3636fa8bffd030a"}, - {file = "aiohttp-3.8.5-cp37-cp37m-win32.whl", hash = "sha256:68c5a82c8779bdfc6367c967a4a1b2aa52cd3595388bf5961a62158ee8a59e22"}, - {file = "aiohttp-3.8.5-cp37-cp37m-win_amd64.whl", hash = "sha256:2cf57fb50be5f52bda004b8893e63b48530ed9f0d6c96c84620dc92fe3cd9b9d"}, - {file = "aiohttp-3.8.5-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:eca4bf3734c541dc4f374ad6010a68ff6c6748f00451707f39857f429ca36ced"}, - {file = "aiohttp-3.8.5-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:1274477e4c71ce8cfe6c1ec2f806d57c015ebf84d83373676036e256bc55d690"}, - {file = "aiohttp-3.8.5-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:28c543e54710d6158fc6f439296c7865b29e0b616629767e685a7185fab4a6b9"}, - {file = "aiohttp-3.8.5-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:910bec0c49637d213f5d9877105d26e0c4a4de2f8b1b29405ff37e9fc0ad52b8"}, - {file = "aiohttp-3.8.5-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5443910d662db951b2e58eb70b0fbe6b6e2ae613477129a5805d0b66c54b6cb7"}, - {file = "aiohttp-3.8.5-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = 
"sha256:2e460be6978fc24e3df83193dc0cc4de46c9909ed92dd47d349a452ef49325b7"}, - {file = "aiohttp-3.8.5-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fb1558def481d84f03b45888473fc5a1f35747b5f334ef4e7a571bc0dfcb11f8"}, - {file = "aiohttp-3.8.5-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:34dd0c107799dcbbf7d48b53be761a013c0adf5571bf50c4ecad5643fe9cfcd0"}, - {file = "aiohttp-3.8.5-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:aa1990247f02a54185dc0dff92a6904521172a22664c863a03ff64c42f9b5410"}, - {file = "aiohttp-3.8.5-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:0e584a10f204a617d71d359fe383406305a4b595b333721fa50b867b4a0a1548"}, - {file = "aiohttp-3.8.5-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:a3cf433f127efa43fee6b90ea4c6edf6c4a17109d1d037d1a52abec84d8f2e42"}, - {file = "aiohttp-3.8.5-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:c11f5b099adafb18e65c2c997d57108b5bbeaa9eeee64a84302c0978b1ec948b"}, - {file = "aiohttp-3.8.5-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:84de26ddf621d7ac4c975dbea4c945860e08cccde492269db4e1538a6a6f3c35"}, - {file = "aiohttp-3.8.5-cp38-cp38-win32.whl", hash = "sha256:ab88bafedc57dd0aab55fa728ea10c1911f7e4d8b43e1d838a1739f33712921c"}, - {file = "aiohttp-3.8.5-cp38-cp38-win_amd64.whl", hash = "sha256:5798a9aad1879f626589f3df0f8b79b3608a92e9beab10e5fda02c8a2c60db2e"}, - {file = "aiohttp-3.8.5-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:a6ce61195c6a19c785df04e71a4537e29eaa2c50fe745b732aa937c0c77169f3"}, - {file = "aiohttp-3.8.5-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:773dd01706d4db536335fcfae6ea2440a70ceb03dd3e7378f3e815b03c97ab51"}, - {file = "aiohttp-3.8.5-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:f83a552443a526ea38d064588613aca983d0ee0038801bc93c0c916428310c28"}, - {file = "aiohttp-3.8.5-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = 
"sha256:1f7372f7341fcc16f57b2caded43e81ddd18df53320b6f9f042acad41f8e049a"}, - {file = "aiohttp-3.8.5-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ea353162f249c8097ea63c2169dd1aa55de1e8fecbe63412a9bc50816e87b761"}, - {file = "aiohttp-3.8.5-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:e5d47ae48db0b2dcf70bc8a3bc72b3de86e2a590fc299fdbbb15af320d2659de"}, - {file = "aiohttp-3.8.5-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d827176898a2b0b09694fbd1088c7a31836d1a505c243811c87ae53a3f6273c1"}, - {file = "aiohttp-3.8.5-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3562b06567c06439d8b447037bb655ef69786c590b1de86c7ab81efe1c9c15d8"}, - {file = "aiohttp-3.8.5-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:4e874cbf8caf8959d2adf572a78bba17cb0e9d7e51bb83d86a3697b686a0ab4d"}, - {file = "aiohttp-3.8.5-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:6809a00deaf3810e38c628e9a33271892f815b853605a936e2e9e5129762356c"}, - {file = "aiohttp-3.8.5-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:33776e945d89b29251b33a7e7d006ce86447b2cfd66db5e5ded4e5cd0340585c"}, - {file = "aiohttp-3.8.5-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:eaeed7abfb5d64c539e2db173f63631455f1196c37d9d8d873fc316470dfbacd"}, - {file = "aiohttp-3.8.5-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:e91d635961bec2d8f19dfeb41a539eb94bd073f075ca6dae6c8dc0ee89ad6f91"}, - {file = "aiohttp-3.8.5-cp39-cp39-win32.whl", hash = "sha256:00ad4b6f185ec67f3e6562e8a1d2b69660be43070bd0ef6fcec5211154c7df67"}, - {file = "aiohttp-3.8.5-cp39-cp39-win_amd64.whl", hash = "sha256:c0a9034379a37ae42dea7ac1e048352d96286626251862e448933c0f59cbd79c"}, - {file = "aiohttp-3.8.5.tar.gz", hash = "sha256:b9552ec52cc147dbf1944ac7ac98af7602e51ea2dcd076ed194ca3c0d1c7d0bc"}, + {file = "aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl", hash = 
"sha256:41d55fc043954cddbbd82503d9cc3f4814a40bcef30b3569bc7b5e34130718c1"}, + {file = "aiohttp-3.8.6-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:1d84166673694841d8953f0a8d0c90e1087739d24632fe86b1a08819168b4566"}, + {file = "aiohttp-3.8.6-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:253bf92b744b3170eb4c4ca2fa58f9c4b87aeb1df42f71d4e78815e6e8b73c9e"}, + {file = "aiohttp-3.8.6-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3fd194939b1f764d6bb05490987bfe104287bbf51b8d862261ccf66f48fb4096"}, + {file = "aiohttp-3.8.6-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6c5f938d199a6fdbdc10bbb9447496561c3a9a565b43be564648d81e1102ac22"}, + {file = "aiohttp-3.8.6-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2817b2f66ca82ee699acd90e05c95e79bbf1dc986abb62b61ec8aaf851e81c93"}, + {file = "aiohttp-3.8.6-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0fa375b3d34e71ccccf172cab401cd94a72de7a8cc01847a7b3386204093bb47"}, + {file = "aiohttp-3.8.6-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:9de50a199b7710fa2904be5a4a9b51af587ab24c8e540a7243ab737b45844543"}, + {file = "aiohttp-3.8.6-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:e1d8cb0b56b3587c5c01de3bf2f600f186da7e7b5f7353d1bf26a8ddca57f965"}, + {file = "aiohttp-3.8.6-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:8e31e9db1bee8b4f407b77fd2507337a0a80665ad7b6c749d08df595d88f1cf5"}, + {file = "aiohttp-3.8.6-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:7bc88fc494b1f0311d67f29fee6fd636606f4697e8cc793a2d912ac5b19aa38d"}, + {file = "aiohttp-3.8.6-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:ec00c3305788e04bf6d29d42e504560e159ccaf0be30c09203b468a6c1ccd3b2"}, + {file = "aiohttp-3.8.6-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:ad1407db8f2f49329729564f71685557157bfa42b48f4b93e53721a16eb813ed"}, + {file = 
"aiohttp-3.8.6-cp310-cp310-win32.whl", hash = "sha256:ccc360e87341ad47c777f5723f68adbb52b37ab450c8bc3ca9ca1f3e849e5fe2"}, + {file = "aiohttp-3.8.6-cp310-cp310-win_amd64.whl", hash = "sha256:93c15c8e48e5e7b89d5cb4613479d144fda8344e2d886cf694fd36db4cc86865"}, + {file = "aiohttp-3.8.6-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:6e2f9cc8e5328f829f6e1fb74a0a3a939b14e67e80832975e01929e320386b34"}, + {file = "aiohttp-3.8.6-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:e6a00ffcc173e765e200ceefb06399ba09c06db97f401f920513a10c803604ca"}, + {file = "aiohttp-3.8.6-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:41bdc2ba359032e36c0e9de5a3bd00d6fb7ea558a6ce6b70acedf0da86458321"}, + {file = "aiohttp-3.8.6-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:14cd52ccf40006c7a6cd34a0f8663734e5363fd981807173faf3a017e202fec9"}, + {file = "aiohttp-3.8.6-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:2d5b785c792802e7b275c420d84f3397668e9d49ab1cb52bd916b3b3ffcf09ad"}, + {file = "aiohttp-3.8.6-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1bed815f3dc3d915c5c1e556c397c8667826fbc1b935d95b0ad680787896a358"}, + {file = "aiohttp-3.8.6-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:96603a562b546632441926cd1293cfcb5b69f0b4159e6077f7c7dbdfb686af4d"}, + {file = "aiohttp-3.8.6-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d76e8b13161a202d14c9584590c4df4d068c9567c99506497bdd67eaedf36403"}, + {file = "aiohttp-3.8.6-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:e3f1e3f1a1751bb62b4a1b7f4e435afcdade6c17a4fd9b9d43607cebd242924a"}, + {file = "aiohttp-3.8.6-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:76b36b3124f0223903609944a3c8bf28a599b2cc0ce0be60b45211c8e9be97f8"}, + {file = "aiohttp-3.8.6-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = 
"sha256:a2ece4af1f3c967a4390c284797ab595a9f1bc1130ef8b01828915a05a6ae684"}, + {file = "aiohttp-3.8.6-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:16d330b3b9db87c3883e565340d292638a878236418b23cc8b9b11a054aaa887"}, + {file = "aiohttp-3.8.6-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:42c89579f82e49db436b69c938ab3e1559e5a4409eb8639eb4143989bc390f2f"}, + {file = "aiohttp-3.8.6-cp311-cp311-win32.whl", hash = "sha256:efd2fcf7e7b9d7ab16e6b7d54205beded0a9c8566cb30f09c1abe42b4e22bdcb"}, + {file = "aiohttp-3.8.6-cp311-cp311-win_amd64.whl", hash = "sha256:3b2ab182fc28e7a81f6c70bfbd829045d9480063f5ab06f6e601a3eddbbd49a0"}, + {file = "aiohttp-3.8.6-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:fdee8405931b0615220e5ddf8cd7edd8592c606a8e4ca2a00704883c396e4479"}, + {file = "aiohttp-3.8.6-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d25036d161c4fe2225d1abff2bd52c34ed0b1099f02c208cd34d8c05729882f0"}, + {file = "aiohttp-3.8.6-cp36-cp36m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5d791245a894be071d5ab04bbb4850534261a7d4fd363b094a7b9963e8cdbd31"}, + {file = "aiohttp-3.8.6-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0cccd1de239afa866e4ce5c789b3032442f19c261c7d8a01183fd956b1935349"}, + {file = "aiohttp-3.8.6-cp36-cp36m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1f13f60d78224f0dace220d8ab4ef1dbc37115eeeab8c06804fec11bec2bbd07"}, + {file = "aiohttp-3.8.6-cp36-cp36m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8a9b5a0606faca4f6cc0d338359d6fa137104c337f489cd135bb7fbdbccb1e39"}, + {file = "aiohttp-3.8.6-cp36-cp36m-musllinux_1_1_aarch64.whl", hash = "sha256:13da35c9ceb847732bf5c6c5781dcf4780e14392e5d3b3c689f6d22f8e15ae31"}, + {file = "aiohttp-3.8.6-cp36-cp36m-musllinux_1_1_i686.whl", hash = "sha256:4d4cbe4ffa9d05f46a28252efc5941e0462792930caa370a6efaf491f412bc66"}, + {file = 
"aiohttp-3.8.6-cp36-cp36m-musllinux_1_1_ppc64le.whl", hash = "sha256:229852e147f44da0241954fc6cb910ba074e597f06789c867cb7fb0621e0ba7a"}, + {file = "aiohttp-3.8.6-cp36-cp36m-musllinux_1_1_s390x.whl", hash = "sha256:713103a8bdde61d13490adf47171a1039fd880113981e55401a0f7b42c37d071"}, + {file = "aiohttp-3.8.6-cp36-cp36m-musllinux_1_1_x86_64.whl", hash = "sha256:45ad816b2c8e3b60b510f30dbd37fe74fd4a772248a52bb021f6fd65dff809b6"}, + {file = "aiohttp-3.8.6-cp36-cp36m-win32.whl", hash = "sha256:2b8d4e166e600dcfbff51919c7a3789ff6ca8b3ecce16e1d9c96d95dd569eb4c"}, + {file = "aiohttp-3.8.6-cp36-cp36m-win_amd64.whl", hash = "sha256:0912ed87fee967940aacc5306d3aa8ba3a459fcd12add0b407081fbefc931e53"}, + {file = "aiohttp-3.8.6-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:e2a988a0c673c2e12084f5e6ba3392d76c75ddb8ebc6c7e9ead68248101cd446"}, + {file = "aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ebf3fd9f141700b510d4b190094db0ce37ac6361a6806c153c161dc6c041ccda"}, + {file = "aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3161ce82ab85acd267c8f4b14aa226047a6bee1e4e6adb74b798bd42c6ae1f80"}, + {file = "aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d95fc1bf33a9a81469aa760617b5971331cdd74370d1214f0b3109272c0e1e3c"}, + {file = "aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6c43ecfef7deaf0617cee936836518e7424ee12cb709883f2c9a1adda63cc460"}, + {file = "aiohttp-3.8.6-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ca80e1b90a05a4f476547f904992ae81eda5c2c85c66ee4195bb8f9c5fb47f28"}, + {file = "aiohttp-3.8.6-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:90c72ebb7cb3a08a7f40061079817133f502a160561d0675b0a6adf231382c92"}, + {file = "aiohttp-3.8.6-cp37-cp37m-musllinux_1_1_i686.whl", hash = 
"sha256:bb54c54510e47a8c7c8e63454a6acc817519337b2b78606c4e840871a3e15349"}, + {file = "aiohttp-3.8.6-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:de6a1c9f6803b90e20869e6b99c2c18cef5cc691363954c93cb9adeb26d9f3ae"}, + {file = "aiohttp-3.8.6-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:a3628b6c7b880b181a3ae0a0683698513874df63783fd89de99b7b7539e3e8a8"}, + {file = "aiohttp-3.8.6-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:fc37e9aef10a696a5a4474802930079ccfc14d9f9c10b4662169671ff034b7df"}, + {file = "aiohttp-3.8.6-cp37-cp37m-win32.whl", hash = "sha256:f8ef51e459eb2ad8e7a66c1d6440c808485840ad55ecc3cafefadea47d1b1ba2"}, + {file = "aiohttp-3.8.6-cp37-cp37m-win_amd64.whl", hash = "sha256:b2fe42e523be344124c6c8ef32a011444e869dc5f883c591ed87f84339de5976"}, + {file = "aiohttp-3.8.6-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:9e2ee0ac5a1f5c7dd3197de309adfb99ac4617ff02b0603fd1e65b07dc772e4b"}, + {file = "aiohttp-3.8.6-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:01770d8c04bd8db568abb636c1fdd4f7140b284b8b3e0b4584f070180c1e5c62"}, + {file = "aiohttp-3.8.6-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:3c68330a59506254b556b99a91857428cab98b2f84061260a67865f7f52899f5"}, + {file = "aiohttp-3.8.6-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:89341b2c19fb5eac30c341133ae2cc3544d40d9b1892749cdd25892bbc6ac951"}, + {file = "aiohttp-3.8.6-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:71783b0b6455ac8f34b5ec99d83e686892c50498d5d00b8e56d47f41b38fbe04"}, + {file = "aiohttp-3.8.6-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f628dbf3c91e12f4d6c8b3f092069567d8eb17814aebba3d7d60c149391aee3a"}, + {file = "aiohttp-3.8.6-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b04691bc6601ef47c88f0255043df6f570ada1a9ebef99c34bd0b72866c217ae"}, + {file = "aiohttp-3.8.6-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", 
hash = "sha256:7ee912f7e78287516df155f69da575a0ba33b02dd7c1d6614dbc9463f43066e3"}, + {file = "aiohttp-3.8.6-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:9c19b26acdd08dd239e0d3669a3dddafd600902e37881f13fbd8a53943079dbc"}, + {file = "aiohttp-3.8.6-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:99c5ac4ad492b4a19fc132306cd57075c28446ec2ed970973bbf036bcda1bcc6"}, + {file = "aiohttp-3.8.6-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:f0f03211fd14a6a0aed2997d4b1c013d49fb7b50eeb9ffdf5e51f23cfe2c77fa"}, + {file = "aiohttp-3.8.6-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:8d399dade330c53b4106160f75f55407e9ae7505263ea86f2ccca6bfcbdb4921"}, + {file = "aiohttp-3.8.6-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:ec4fd86658c6a8964d75426517dc01cbf840bbf32d055ce64a9e63a40fd7b771"}, + {file = "aiohttp-3.8.6-cp38-cp38-win32.whl", hash = "sha256:33164093be11fcef3ce2571a0dccd9041c9a93fa3bde86569d7b03120d276c6f"}, + {file = "aiohttp-3.8.6-cp38-cp38-win_amd64.whl", hash = "sha256:bdf70bfe5a1414ba9afb9d49f0c912dc524cf60141102f3a11143ba3d291870f"}, + {file = "aiohttp-3.8.6-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:d52d5dc7c6682b720280f9d9db41d36ebe4791622c842e258c9206232251ab2b"}, + {file = "aiohttp-3.8.6-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:4ac39027011414dbd3d87f7edb31680e1f430834c8cef029f11c66dad0670aa5"}, + {file = "aiohttp-3.8.6-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:3f5c7ce535a1d2429a634310e308fb7d718905487257060e5d4598e29dc17f0b"}, + {file = "aiohttp-3.8.6-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b30e963f9e0d52c28f284d554a9469af073030030cef8693106d918b2ca92f54"}, + {file = "aiohttp-3.8.6-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:918810ef188f84152af6b938254911055a72e0f935b5fbc4c1a4ed0b0584aed1"}, + {file = "aiohttp-3.8.6-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = 
"sha256:002f23e6ea8d3dd8d149e569fd580c999232b5fbc601c48d55398fbc2e582e8c"}, + {file = "aiohttp-3.8.6-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4fcf3eabd3fd1a5e6092d1242295fa37d0354b2eb2077e6eb670accad78e40e1"}, + {file = "aiohttp-3.8.6-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:255ba9d6d5ff1a382bb9a578cd563605aa69bec845680e21c44afc2670607a95"}, + {file = "aiohttp-3.8.6-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:d67f8baed00870aa390ea2590798766256f31dc5ed3ecc737debb6e97e2ede78"}, + {file = "aiohttp-3.8.6-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:86f20cee0f0a317c76573b627b954c412ea766d6ada1a9fcf1b805763ae7feeb"}, + {file = "aiohttp-3.8.6-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:39a312d0e991690ccc1a61f1e9e42daa519dcc34ad03eb6f826d94c1190190dd"}, + {file = "aiohttp-3.8.6-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:e827d48cf802de06d9c935088c2924e3c7e7533377d66b6f31ed175c1620e05e"}, + {file = "aiohttp-3.8.6-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:bd111d7fc5591ddf377a408ed9067045259ff2770f37e2d94e6478d0f3fc0c17"}, + {file = "aiohttp-3.8.6-cp39-cp39-win32.whl", hash = "sha256:caf486ac1e689dda3502567eb89ffe02876546599bbf915ec94b1fa424eeffd4"}, + {file = "aiohttp-3.8.6-cp39-cp39-win_amd64.whl", hash = "sha256:3f0e27e5b733803333bb2371249f41cf42bae8884863e8e8965ec69bebe53132"}, + {file = "aiohttp-3.8.6.tar.gz", hash = "sha256:b0cf2a4501bff9330a8a5248b4ce951851e415bdcce9dc158e76cfd55e15085c"}, ] [package.dependencies] diff --git a/.github/workflows/update-semgrep-dev.yml b/.github/workflows/update-semgrep-dev.yml index 4aaaf94ddd..5250e32d07 100644 --- a/.github/workflows/update-semgrep-dev.yml +++ b/.github/workflows/update-semgrep-dev.yml 
@@ -7,9 +7,9 @@ on: jobs: do-update: - if: github.repository == 'returntocorp/semgrep-rules' + if: github.repository == 'semgrep/semgrep-rules' name: Update semgrep.dev runs-on: ubuntu-latest steps: - name: update semgrep.dev - run: curl --fail -X POST -L https://semgrep.dev/api/admin/update-registry + run: curl --fail -X POST -L https://semgrep.dev/api/admin/update-registry?rule_type=sast diff --git a/.github/workflows/update-semgrep-staging-dev.yml b/.github/workflows/update-semgrep-staging-dev.yml index 96b84409e7..7222597832 100644 --- a/.github/workflows/update-semgrep-staging-dev.yml +++ b/.github/workflows/update-semgrep-staging-dev.yml @@ -7,12 +7,12 @@ on: jobs: do-update: - if: github.repository == 'returntocorp/semgrep-rules' + if: github.repository == 'semgrep/semgrep-rules' name: Update semgrep.dev runs-on: ubuntu-latest steps: - name: update dev.semgrep.dev - run: curl --fail -X POST -L https://dev.semgrep.dev/api/admin/update-registry + run: curl --fail -X POST -L https://dev.semgrep.dev/api/admin/update-registry?rule_type=sast continue-on-error: true - name: update staging.semgrep.dev - run: curl --fail -X POST -L https://staging.semgrep.dev/api/admin/update-registry + run: curl --fail -X POST -L https://staging.semgrep.dev/api/admin/update-registry?rule_type=sast diff --git a/generic/secrets/gitleaks/aws-access-token.yaml b/generic/secrets/gitleaks/aws-access-token.yaml index 858824cfe5..d765ca51df 100644 --- a/generic/secrets/gitleaks/aws-access-token.yaml +++ b/generic/secrets/gitleaks/aws-access-token.yaml @@ -23,4 +23,4 @@ rules: technology: - gitleaks patterns: - - pattern-regex: (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16} + - pattern-regex: (?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16} diff --git a/generic/secrets/gitleaks/hashicorp-tf-password.txt b/generic/secrets/gitleaks/hashicorp-tf-password.txt new file mode 100644 index 0000000000..6270a5dd45 --- /dev/null 
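Review bot: The URL in the changed `run:` step now carries a query string but is still passed to the shell unquoted, so `?` is subject to globbing and a future second parameter joined with `&` would split the command and background curl. Quote it: `run: curl --fail -X POST -L "https://semgrep.dev/api/admin/update-registry?rule_type=sast"`. The same applies to the two `run:` lines for dev.semgrep.dev and staging.semgrep.dev in update-semgrep-staging-dev.yml. Separately, no token or `Authorization` header is visible on any of these calls to an `/api/admin/` path, so it is worth confirming that the endpoint is meant to be triggerable anonymously and is idempotent and rate-limited on the server side.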
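Review bot: The rewritten `pattern-regex` in aws-access-token.yaml still has no boundary on either side, so it reports any 20-character run inside a longer uppercase/digit token, while the sibling rule touched by this same commit (detected-aws-access-key-id-value.yaml) gains `\b` anchors. Unless this file is regenerated verbatim from the upstream gitleaks config, consider `- pattern-regex: \b(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b`. The two rules' prefix lists also differ (`AIDA` appears here only); a comment stating whether that is intentional would help whoever triages duplicate findings.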
+++ b/generic/secrets/gitleaks/hashicorp-tf-password.txt
@@ -0,0 +1,2 @@
+// ruleid: hashicorp-tf-password
+administrator_login_password = "thisIsDog11"
diff --git a/generic/secrets/gitleaks/hashicorp-tf-password.yaml b/generic/secrets/gitleaks/hashicorp-tf-password.yaml
new file mode 100644
index 0000000000..7eb7830803
--- /dev/null
+++ b/generic/secrets/gitleaks/hashicorp-tf-password.yaml
@@ -0,0 +1,26 @@
+rules:
+- id: hashicorp-tf-password
+ message: A gitleaks hashicorp-tf-password was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+ languages:
+ - regex
+ severity: INFO
+ metadata:
+ likelihood: LOW
+ impact: MEDIUM
+ confidence: LOW
+ category: security
+ cwe:
+ - "CWE-798: Use of Hard-coded Credentials"
+ cwe2021-top25: true
+ cwe2022-top25: true
+ owasp:
+ - A07:2021 - Identification and Authentication Failures
+ references:
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+ subcategory:
+ - vuln
+ technology:
+ - gitleaks
+ patterns:
+ - pattern-regex: (?i)(?:administrator_login_password|password)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}("[a-z0-9=_\-]{8,20}")(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/security/detected-aws-access-key-id-value.yaml b/generic/secrets/security/detected-aws-access-key-id-value.yaml
index ac22dc9780..1553b5d872 100644
--- a/generic/secrets/security/detected-aws-access-key-id-value.yaml
+++ b/generic/secrets/security/detected-aws-access-key-id-value.yaml
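Review bot: The value group in the new `pattern-regex` of hashicorp-tf-password.yaml is `("[a-z0-9=_\-]{8,20}")`, so a hard-coded password that contains any other punctuation or is longer than 20 characters is not reported, which is a sizeable blind spot for a rule aimed at `administrator_login_password`. The only fixture in hashicorp-tf-password.txt (`thisIsDog11`) sits inside that class and there is no `ok:` line, so neither the gap nor false positives from the bare `password` alternative are pinned by a test. If the regex is generated from the gitleaks config named in `source-rule-url`, the widening belongs upstream; otherwise a sketch such as `("[a-z0-9=_\-!@#%^&*.,:;?~+]{8,64}")` keeps `$` and `{` out so Terraform interpolations still do not match. I would also add a negative fixture, e.g. `// ok: hashicorp-tf-password` above `administrator_login_password = var.admin_password`, and reword the message opening ("A gitleaks hashicorp-tf-password was detected") to say what was found.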
@@ -1,7 +1,7 @@ rules: - id: detected-aws-access-key-id-value patterns: - - pattern-regex: (A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16} + - pattern-regex: \b(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b - pattern-not-regex: (?i)example|sample|test|fake languages: [regex] message: AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded diff --git a/java/servlets/security/cookie-issecure-false.java b/java/servlets/security/cookie-issecure-false.java index 9bc650c60f..2246863d6b 100644 --- a/java/servlets/security/cookie-issecure-false.java +++ b/java/servlets/security/cookie-issecure-false.java @@ -3,12 +3,6 @@ public void bad1() { // ruleid: cookie-issecure-false Cookie cookie = new Cookie("name", "value"); } - - public void bad2() { - // ruleid: cookie-issecure-false - Cookie cookie = new Cookie("name", "value"); - cookie.setSecure(false); - } } public class Ok { diff --git a/java/servlets/security/cookie-issecure-false.yaml b/java/servlets/security/cookie-issecure-false.yaml index 3d3cb77634..940c34ba5c 100644 --- a/java/servlets/security/cookie-issecure-false.yaml +++ b/java/servlets/security/cookie-issecure-false.yaml 
@@ -1,36 +1,36 @@
 rules:
-- id: cookie-issecure-false
- patterns:
- - pattern: |
- $COOKIE = new Cookie(...);
- - pattern-not-inside: |
- $COOKIE = new Cookie(...);
- ...
- $COOKIE.setSecure(true);
- message: >-
- Default session middleware settings: `setSecure` not set to true.
- This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.
- fix-regex:
- regex: setSecure\(false\)
- replacement: setSecure(true)
- metadata:
- vulnerability: Insecure Transport
- owasp:
- - A03:2017 - Sensitive Data Exposure
- - A02:2021 - Cryptographic Failures
- cwe:
- - 'CWE-319: Cleartext Transmission of Sensitive Information'
- references:
- - https://tomcat.apache.org/tomcat-5.5-doc/servletapi/
- category: security
- technology:
- - servlet
- - tomcat
- subcategory:
- - audit
- likelihood: LOW
- impact: LOW
- confidence: LOW
- languages:
- - java
- severity: WARNING
+ - id: cookie-issecure-false
+ patterns:
+ - pattern: $COOKIE = new Cookie($...ARGS);
+ - pattern-not-inside: |
+ $COOKIE = new Cookie(...);
+ ...
+ $COOKIE.setSecure(...);
+ message: "Default session middleware settings: `setSecure` not set to true. This
+ ensures that the cookie is sent only over HTTPS to prevent cross-site
+ scripting attacks."
+ fix: |
+ $COOKIE = new Cookie($...ARGS);
+ $COOKIE.setSecure(true);
+ metadata:
+ vulnerability: Insecure Transport
+ owasp:
+ - A03:2017 - Sensitive Data Exposure
+ - A02:2021 - Cryptographic Failures
+ cwe:
+ - "CWE-319: Cleartext Transmission of Sensitive Information"
+ references:
+ - https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)
+ - https://owasp.org/www-community/controls/SecureCookieAttribute
+ category: security
+ technology:
+ - java
+ - cookie
+ subcategory:
+ - audit
+ likelihood: LOW
+ impact: LOW
+ confidence: LOW
+ languages:
+ - java
+ severity: WARNING
\ No newline at end of file
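Review bot: The `message` says the Secure flag prevents cross-site scripting, but what the flag controls is whether the cookie may be sent over unencrypted HTTP, which is what the rule's own CWE-319 metadata describes. Suggested text: `message: "Cookie created without calling setSecure(true). Without the Secure flag the cookie can be sent over plain HTTP and read in transit."`. The same sentence is copied into java/servlets/security/cookie-setSecure.yaml. Separately, the new `fix:` rewrites the match as `$COOKIE = new Cookie($...ARGS);`, which for a declaration such as `Cookie cookie = new Cookie("name", "value");` in the test file would presumably drop the `Cookie` type, so the autofix output is worth checking on that case.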
diff --git a/java/servlets/security/cookie-setSecure.java b/java/servlets/security/cookie-setSecure.java
new file mode 100644
index 0000000000..410b21aa0a
--- /dev/null
+++ b/java/servlets/security/cookie-setSecure.java
@@ -0,0 +1,16 @@
+public class Bad {
+
+ public void bad2() {
+ Cookie cookie = new Cookie("name", "value");
+ // ruleid: cookie-setSecure
+ cookie.setSecure(false);
+ }
+ }
+
+ public class Ok {
+ public void ok1() {
+ // ok: cookie-setSecure
+ Cookie cookie = new Cookie("name", "value");
+ cookie.setSecure(true);
+ }
+}
diff --git a/java/servlets/security/cookie-setSecure.yaml b/java/servlets/security/cookie-setSecure.yaml
new file mode 100644
index 0000000000..80ef1e9f67
--- /dev/null
+++ b/java/servlets/security/cookie-setSecure.yaml
@@ -0,0 +1,41 @@
+rules:
+ - id: cookie-setSecure
+ patterns:
+ - patterns:
+ - pattern-inside: |
+ $COOKIE = new Cookie(...);
+ ...
+ - pattern: |
+ $COOKIE.setSecure(false);
+ - pattern-not-inside: |
+ $COOKIE = new Cookie(...);
+ ...
+ $COOKIE.setSecure(true);
+ message: "Default session middleware settings: `setSecure` not set to true. This
+ ensures that the cookie is sent only over HTTPS to prevent cross-site
+ scripting attacks."
+ fix-regex:
+ regex: setSecure\(false\)
+ replacement: setSecure(true)
+ metadata:
+ vulnerability: Insecure Transport
+ owasp:
+ - A03:2017 - Sensitive Data Exposure
+ - A02:2021 - Cryptographic Failures
+ cwe:
+ - "CWE-319: Cleartext Transmission of Sensitive Information"
+ references:
+ - https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)
+ - https://owasp.org/www-community/controls/SecureCookieAttribute
+ category: security
+ technology:
+ - java
+ - cookie
+ subcategory:
+ - audit
+ likelihood: LOW
+ impact: LOW
+ confidence: LOW
+ languages:
+ - java
+ severity: WARNING
diff --git a/javascript/jsonwebtoken/security/jwt-hardcode.yaml b/javascript/jsonwebtoken/security/jwt-hardcode.yaml
index 8d8a4779bf..8cc11871e5 100644
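Review bot: Only the literal `$COOKIE.setSecure(false);` is matched in cookie-setSecure.yaml, and cookie-issecure-false.yaml now excludes any `$COOKIE.setSecure(...)` call, so `cookie.setSecure(flag)` with a non-constant argument is reported by neither rule, where the previous single rule did report it. If that is intended, a comment in the rule would make it explicit. Otherwise the pattern could become `$COOKIE.setSecure($V);` with `pattern-not: $COOKIE.setSecure(true);`, leaving the `fix-regex` limited to the `false` case as it is now.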
--- a/javascript/jsonwebtoken/security/jwt-hardcode.yaml +++ b/javascript/jsonwebtoken/security/jwt-hardcode.yaml @@ -36,28 +36,17 @@ rules: severity: WARNING mode: taint pattern-sources: - - patterns: - - pattern-either: - - patterns: + - patterns: + - pattern: | + $X = '...' + - pattern: | + $X = '$Y' + - patterns: + - pattern-either: - pattern-inside: | - $VALUE = '$Y' - ... - - pattern: $VALUE - - patterns: - - pattern-either: - - pattern-inside: $JWT.sign($VALUE, $Y,...) - - pattern-inside: $JWT.verify($VALUE, $Y,...) - - focus-metavariable: $Y - - pattern: > - '...' - - patterns: + $JWT.sign($DATA,"...",...); - pattern-inside: | - $SECRET = "$Y" - ... - class $FUNC { - ... - } - - pattern: $SECRET + $JWT.verify($DATA,"...",...); pattern-sinks: - patterns: - pattern-either: diff --git a/ocaml/lang/security/digest.ml b/ocaml/lang/security/digest.ml new file mode 100644 index 0000000000..5f050a381c --- /dev/null +++ b/ocaml/lang/security/digest.ml @@ -0,0 +1,3 @@ +(* ruleid:ocamllint-digest *) +let a = Digest.string "asd" in + Printf.printf "%s\n" a diff --git a/ocaml/lang/security/digest.yaml b/ocaml/lang/security/digest.yaml new file mode 100644 index 0000000000..905979f9c6 --- /dev/null +++ b/ocaml/lang/security/digest.yaml @@ -0,0 +1,25 @@ +rules: + - id: ocamllint-digest + pattern-either: + - pattern: Digest.string + - pattern: Digest.bytes + - pattern: Digest.substring + - pattern: Digest.subbytes + - pattern: Digest.channel + - pattern: Digest.file + message: Digest uses MD5 and should not be used for security purposes. Consider using SHA256 instead. + languages: [ocaml] + severity: WARNING + metadata: + category: security + references: + - https://v2.ocaml.org/api/Digest.html + technology: + - ocaml + cwe: "CWE-328: Use of Weak Hash (4.12)" + confidence: LOW + likelihood: MEDIUM + impact: MEDIUM + subcategory: + - audit + diff --git a/ocaml/lang/security/exec.ml b/ocaml/lang/security/exec.ml new file mode 100644 index 0000000000..0c3711cd7a --- /dev/null 
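Review bot: The rewritten `pattern-sources` in jwt-hardcode.yaml comes without a test change in this diff, although the removed source that matched `$SECRET = "$Y"` followed by `class $FUNC { ... }` has no visible counterpart on the new side. A test case with a secret assigned at module level and used inside a class method would show whether that case is still reported. The `$X = '...'` and `$X = '$Y'` patterns also look redundant with each other, and a one-line comment on why both are needed would help. The rule continues past the end of the hunk at `pattern-sinks`, so the effect on sinks cannot be judged from here.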
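Review bot: In digest.yaml, `cwe: "CWE-328: Use of Weak Hash (4.12)"` is a scalar with a `(4.12)` suffix, whereas the Java and gitleaks rules in this diff give `cwe` as a list of `"CWE-NNN: Name"` strings. For consistency this could be `cwe:` followed by `- "CWE-328: Use of Weak Hash"`. The same scalar form is used in the new exec, filenameconcat, hashtable-dos, marshal, tempfile and unsafe rules. digest.ml exercises only `Digest.string`, so the other five patterns have no test line.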
+++ b/ocaml/lang/security/exec.ml
@@ -0,0 +1,12 @@
+#load "unix.cma";;
+let p = String.concat "ls " [" "; Sys.argv.(1)]
+(* ruleid:ocamllint-exec *)
+let a = Unix.execve p
+(* ruleid:ocamllint-exec *)
+let b = Unix.execvp p
+(* ruleid:ocamllint-exec *)
+let c = Unix.execvpe p
+(* ruleid:ocamllint-exec *)
+let d = Unix.system p
+(* ruleid:ocamllint-exec *)
+let e = Sys.command p
diff --git a/ocaml/lang/security/exec.yaml b/ocaml/lang/security/exec.yaml
new file mode 100644
index 0000000000..6137d6456c
--- /dev/null
+++ b/ocaml/lang/security/exec.yaml
@@ -0,0 +1,29 @@
+rules:
+ - id: ocamllint-exec
+ patterns:
+ - pattern-either:
+ - pattern: Unix.execve $STR
+ - pattern: Unix.execvp $STR
+ - pattern: Unix.execvpe $STR
+ - pattern: Unix.system $STR
+ - pattern: Sys.command $STR
+ - pattern-not: Unix.execve "..."
+ - pattern-not: Unix.execvp "..."
+ - pattern-not: Unix.execvpe "..."
+ - pattern-not: Unix.system "..."
+ - pattern-not: Sys.command "..."
+ message: Executing external programs might lead to comand or argument injection vulnerabilities.
+ languages: [ocaml]
+ severity: WARNING
+ metadata:
+ category: security
+ references:
+ - https://v2.ocaml.org/api/Unix.html
+ technology:
+ - ocaml
+ cwe: "CWE-78: OS Command Injection"
+ confidence: LOW
+ likelihood: MEDIUM
+ impact: HIGH
+ subcategory:
+ - audit
diff --git a/ocaml/lang/security/filenameconcat.ml b/ocaml/lang/security/filenameconcat.ml
new file mode 100644
index 0000000000..09aea90653
--- /dev/null
+++ b/ocaml/lang/security/filenameconcat.ml
@@ -0,0 +1,3 @@
+(* ruleid:ocamllint-filenameconcat *)
+let ofile = Filename.concat "test" "../data" in
+Printf.printf "%s\n" ofile
diff --git a/ocaml/lang/security/filenameconcat.yaml b/ocaml/lang/security/filenameconcat.yaml
new file mode 100644
index 0000000000..0c96048071
--- /dev/null
+++ b/ocaml/lang/security/filenameconcat.yaml
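Review bot: The `pattern-not: Unix.execve "..."` family in exec.yaml would suppress every call whose program path is a string literal, even when the argument array comes from input, which is the argument-injection case the message names. For the `exec*` functions the exclusion probably belongs only on `Unix.system` and `Sys.command`, where the literal is the whole command. `Unix.execv` and the `Unix.open_process*` functions are not in the `pattern-either` list. The message has a typo, `comand` for `command`, and exec.ml has no `ok:` case, so none of the exclusions is exercised by the test.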
@@ -0,0 +1,18 @@
+rules:
+ - id: ocamllint-filenameconcat
+ pattern: Filename.concat
+ message: When attacker supplied data is passed to Filename.concat directory traversal attacks might be possible.
+ languages: [ocaml]
+ severity: WARNING
+ metadata:
+ category: security
+ references:
+ - https://v2.ocaml.org/api/Filename.html
+ technology:
+ - ocaml
+ cwe: "CWE-35: Path Traversal"
+ confidence: LOW
+ likelihood: MEDIUM
+ impact: MEDIUM
+ subcategory:
+ - audit
diff --git a/ocaml/lang/security/hashtable-dos.ml b/ocaml/lang/security/hashtable-dos.ml
new file mode 100644
index 0000000000..a7fe808f69
--- /dev/null
+++ b/ocaml/lang/security/hashtable-dos.ml
@@ -0,0 +1,8 @@
+(* ruleid:ocamllint-hashtable-dos *)
+let h = Hashtbl.create 16 in
+for i = 1 to 1000 do Hashtbl.add h i (i * 2) done;
+Printf.printf "%i elements\n" (Hashtbl.length h);
+
+let j = Hashtbl.create 16 ~random:true in
+for i = 1 to 1000 do Hashtbl.add j i (i * 2) done;
+Printf.printf "%i elements\n" (Hashtbl.length j);
diff --git a/ocaml/lang/security/hashtable-dos.yaml b/ocaml/lang/security/hashtable-dos.yaml
new file mode 100644
index 0000000000..e29bc8b596
--- /dev/null
+++ b/ocaml/lang/security/hashtable-dos.yaml
@@ -0,0 +1,20 @@
+rules:
+ - id: ocamllint-hashtable-dos
+ patterns:
+ - pattern: Hashtbl.create $Y
+ - pattern-not: Hashtbl.create $Y ~random:true
+ message: Creating a Hashtbl without the optional random number parameter makes it prone to DoS attacks when attackers are able to fill the table with malicious content. Hashtbl.randomize or the R flag in the OCAMLRUNPARAM are other ways to randomize it.
+ languages: [ocaml]
+ severity: WARNING
+ metadata:
+ category: security
+ references:
+ - https://v2.ocaml.org/api/Hashtbl.html
+ technology:
+ - ocaml
+ cwe: "CWE-399: Resource Management Errors (4.12)"
+ confidence: MEDIUM
+ likelihood: LOW
+ impact: LOW
+ subcategory:
+ - audit
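Review bot: In filenameconcat.yaml, `cwe: "CWE-35: Path Traversal"` names the narrow `.../...//` variant, while the general weakness is CWE-22, `"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"`. The pattern `Filename.concat` also matches calls whose arguments are both literals, as in filenameconcat.ml, so the rule reports every use. A sentence in the message saying the finding is a prompt to check where the arguments come from would match the `confidence: LOW` setting.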
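Review bot: The exclusion `Hashtbl.create $Y ~random:true` in hashtable-dos.yaml is written with the labelled argument after the size, as in hashtable-dos.ml, while `Hashtbl.create ~random:true 16` is the more usual spelling. Unless Semgrep normalises labelled-argument order, that form would still be reported, so a second `pattern-not: Hashtbl.create ~random:true $Y` and a matching test line are worth adding. The second table in hashtable-dos.ml would also read better with an explicit `(* ok:ocamllint-hashtable-dos *)` annotation.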
diff --git a/ocaml/lang/security/marshal.ml b/ocaml/lang/security/marshal.ml
new file mode 100644
index 0000000000..198d6958d8
--- /dev/null
+++ b/ocaml/lang/security/marshal.ml
@@ -0,0 +1,3 @@
+(* ruleid:ocamllint-marshal *)
+let d = input_value stdin in
+ Printf.printf "%d\n" (Buffer.length d)
diff --git a/ocaml/lang/security/marshal.yaml b/ocaml/lang/security/marshal.yaml
new file mode 100644
index 0000000000..8473851bd4
--- /dev/null
+++ b/ocaml/lang/security/marshal.yaml
@@ -0,0 +1,22 @@
+rules:
+ - id: ocamllint-marshal
+ pattern-either:
+ - pattern: input_value
+ - pattern: Marshal.from_channel
+ - pattern: Marshal.from_bytes
+ - pattern: Marshal.from_string
+ message: Marshaling is currently not type-safe and can lead to insecure behaviour when untrusted data is marshalled. Marshalling can lead to out-of-bound reads as well.
+ languages: [ocaml]
+ severity: WARNING
+ metadata:
+ category: security
+ technology:
+ - ocaml
+ cwe: "CWE-502: Deserialization of Untrusted Data"
+ references:
+ - https://eternal.red/2021/secure-ocaml-sandbox/
+ confidence: LOW
+ likelihood: MEDIUM
+ impact: HIGH
+ subcategory:
+ - vuln
diff --git a/ocaml/lang/security/tempfile.ml b/ocaml/lang/security/tempfile.ml
new file mode 100644
index 0000000000..7f7495eba2
--- /dev/null
+++ b/ocaml/lang/security/tempfile.ml
@@ -0,0 +1,3 @@
+(* ruleid:ocamllint-tempfile *)
+let ofile = Filename.temp_file "test" "" in
+Printf.printf "%s\n" ofile
diff --git a/ocaml/lang/security/tempfile.yaml b/ocaml/lang/security/tempfile.yaml
new file mode 100644
index 0000000000..6d402c087f
--- /dev/null
+++ b/ocaml/lang/security/tempfile.yaml
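Review bot: The message in marshal.yaml places the risk "when untrusted data is marshalled", but all four patterns are reading functions, so the wording should be about unmarshalling. Suggested text: `message: Unmarshalling is not type-safe; reading untrusted data with input_value or Marshal.from_* can lead to memory-unsafe behaviour such as out-of-bounds reads.` The spelling also switches between "Marshaling" and "Marshalling" within the same sentence pair. In marshal.ml the result of `input_value stdin` is passed straight to `Buffer.length`, which illustrates that the type is whatever the caller assumes and could be said in a comment there.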
@@ -0,0 +1,18 @@
+rules:
+ - id: ocamllint-tempfile
+ pattern: Filename.temp_file
+ message: Filename.temp_file might lead to race conditions, since the file could be altered or replaced by a symlink before being opened.
+ languages: [ocaml]
+ severity: WARNING
+ metadata:
+ category: security
+ references:
+ - https://v2.ocaml.org/api/Filename.html
+ technology:
+ - ocaml
+ cwe: "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"
+ confidence: LOW
+ likelihood: MEDIUM
+ impact: MEDIUM
+ subcategory:
+ - audit
diff --git a/ocaml/lang/security/unsafe.ml b/ocaml/lang/security/unsafe.ml
new file mode 100644
index 0000000000..af2f099684
--- /dev/null
+++ b/ocaml/lang/security/unsafe.ml
@@ -0,0 +1,3 @@
+let cb = Array.make 10 2 in
+(* ruleid:ocamllint-unsafe *)
+Printf.printf "%d\n" (Array.unsafe_get cb 12)
diff --git a/ocaml/lang/security/unsafe.yaml b/ocaml/lang/security/unsafe.yaml
new file mode 100644
index 0000000000..d3bc93a43b
--- /dev/null
+++ b/ocaml/lang/security/unsafe.yaml
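Review bot: The message in tempfile.yaml names the race but gives no alternative. `Filename.open_temp_file` returns the already-open channel together with the name, which removes the window between creation and opening that the message describes. Suggested addition to the message: `Prefer Filename.open_temp_file, which returns the opened channel.` tempfile.ml could carry an `ok:` line for that call to pin it as the accepted form.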
@@ -0,0 +1,49 @@
+rules:
+ - id: ocamllint-unsafe
+ pattern-either:
+ - pattern: $X.unsafe_get # oob array access
+ - pattern: $X.unsafe_set # oob array access
+ - pattern: $X.unsafe_to_string # requires unique ownership
+ - pattern: $X.unsafe_of_string # requires unique ownership
+ - pattern: $X.unsafe_blit
+ - pattern: $X.unsafe_blit_string
+ - pattern: $X.unsafe_fill
+ - pattern: $X.unsafe_to_string
+ - pattern: $X.unsafe_getenv
+ - pattern: $X.unsafe_environment
+ - pattern: $X.unsafe_chr # possibly wrong output for int > 255
+ - pattern: $X.unsafe_of_int
+ - pattern: $X.unsafe_output
+ - pattern: $X.unsafe_output_string
+ - pattern: $X.unsafe_read
+ - pattern: $X.unsafe_recv
+ - pattern: $X.unsafe_recvfrom
+ - pattern: $X.unsafe_send
+ - pattern: $X.unsafe_sendto
+ - pattern: $X.unsafe_set
+ - pattern: $X.unsafe_set_int16
+ - pattern: $X.unsafe_set_int32
+ - pattern: $X.unsafe_set_int64
+ - pattern: $X.unsafe_set_int8
+ - pattern: $X.unsafe_set_uint16_ne
+ - pattern: $X.unsafe_set_uint8
+ - pattern: $X.unsafe_single_write
+ - pattern: $X.unsafe_string
+ - pattern: $X.unsafe_sub
+ - pattern: $X.unsafe_write
+ message: Unsafe functions do not perform boundary checks or have other side effects, use with care.
+ languages: [ocaml]
+ severity: WARNING
+ metadata:
+ category: security
+ references:
+ - https://v2.ocaml.org/api/Bigarray.Array1.html#VALunsafe_get
+ - https://v2.ocaml.org/api/Bytes.html#VALunsafe_to_string
+ technology:
+ - ocaml
+ cwe: "CWE-242: Use of Inherently Dangerous Function (4.12)"
+ confidence: MEDIUM
+ likelihood: MEDIUM
+ impact: MEDIUM
+ subcategory:
+ - audit
diff --git a/php/lang/security/injection/echoed-request.php b/php/lang/security/injection/echoed-request.php
index b232bcba83..c54496d05a 100644
--- a/php/lang/security/injection/echoed-request.php
+++ b/php/lang/security/injection/echoed-request.php
@@ -1,5 +1,20 @@
+
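Review bot: `$X.unsafe_to_string` and `$X.unsafe_set` each appear twice in the `pattern-either` list of unsafe.yaml; the second occurrences can be dropped. Only the first four entries and `unsafe_chr` carry a trailing comment, and the message's "or have other side effects" is vague for the rest, such as `unsafe_getenv`, `unsafe_environment` and the socket functions. A short comment per group saying what is left unchecked would make triage easier. unsafe.ml exercises only `Array.unsafe_get`.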
+
+
+ +
+ Some Field + Submit +
+
+
+
+
@@ -21,4 +33,28 @@
-
\ No newline at end of file + + +
+
+
+ +
+ Some Field + Submit +
+
+
+
+ +
+
+
+ +
+ Some Field + Submit +
+
+
+
diff --git a/python/django/security/django-no-csrf-token.yaml b/python/django/security/django-no-csrf-token.yaml index e5b115e4a9..7fd1694d5a 100644 --- a/python/django/security/django-no-csrf-token.yaml +++ b/python/django/security/django-no-csrf-token.yaml @@ -2,6 +2,16 @@ rules: - id: django-no-csrf-token patterns: - pattern: "..." + - pattern-either: + - pattern: | +
...
+ - pattern: | +
...
+ - pattern: | +
...
+ - metavariable-regex: + metavariable: $METHOD + regex: (?i)post - pattern-not-inside: "...{% csrf_token %}..." message: Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks languages: [generic] diff --git a/scripts/run-tests b/scripts/run-tests index 0a83e63a59..05fc9be54f 100755 --- a/scripts/run-tests +++ b/scripts/run-tests @@ -40,12 +40,12 @@ fi # may contain .yml files that are not Semgrep rules and would result # in errors. # -# Skipping the "Apex" folder because it will require splitting test logic +# Skipping the "Apex" and "Elixir" folders because it will require splitting test logic # to run Semgrep OSS and Semgrep Pro with different expected results. # set_rule_folders() { rule_folders=$(find . -mindepth 1 -maxdepth 1 -type d \ - | grep -v '^./\(\..*\|stats\|trusted_python\|fingerprints\|scripts\|libsonnet\|apex\)/\?$' \ + | grep -v '^./\(\..*\|stats\|trusted_python\|fingerprints\|scripts\|libsonnet\|apex\|elixir\)/\?$' \ | sort) if [[ -z "$rule_folders" ]]; then error "Cannot find any rule folders to scan in $(pwd)"
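Review bot: With `elixir` added to the `grep -v` exclusion in scripts/run-tests, nothing in this script runs the Elixir rule tests, and the comment gives the reason but not where those rules are tested instead. A pointer in the comment, or a TODO with an issue reference, would keep the gap visible. The comment should also read `because they will require` now that it names two folders.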