Semgrep
Skill · Active
Run Semgrep static analysis scan on a codebase using parallel subagents. Supports two scan modes — "run all" (full ruleset coverage) and "important only" (high-confidence security vulnerabilities). Automatically detects and uses Semgrep Pro for cross-file taint analysis when available. Use when asked to scan code for vulnerabilities, run a security audit with Semgrep, find bugs, or perform static analysis. Spawns parallel workers for multi-language codebases.
To automate the process of scanning codebases for vulnerabilities and bugs using Semgrep, providing detailed reports for security audits.
Features
- Parallel Semgrep scans with language detection
- Configurable scan modes: 'run all' and 'important only'
- Automatic Semgrep Pro detection for cross-file taint analysis
- Integration of official, third-party, and custom rulesets
- SARIF output generation for vulnerability reporting
Use cases
- Perform a security audit of a codebase.
- Scan for vulnerabilities before code review.
- Identify known bug patterns in a project.
- Integrate static analysis into a development workflow.
Non-goals
- Performing binary analysis.
- Replacing existing CI/CD Semgrep configurations.
- Creating new Semgrep rules (use `semgrep-rule-creator` skill).
- Porting rules to other languages (use `semgrep-rule-variant-creator` skill).
Workflow
- Resolve output directory and detect languages/Pro availability.
- Select scan mode and rulesets.
- Present plan to user and obtain explicit approval (HARD GATE).
- Spawn parallel scan tasks for approved rulesets and mode.
- Merge scan results into a single SARIF file and report.
Prerequisites
- Semgrep CLI installed
- Optional: Semgrep Pro for enhanced analysis
Trust
- Warning (issues attention): 13 issues opened and 4 closed in the last 90 days, indicating a low closure rate and potentially slow maintainer response.
Installation
First add the marketplace:
/plugin marketplace add trailofbits/skills
Then install the plugin:
/plugin install static-analysis@trailofbits
Quality score
Trust signals
Similar extensions
Semgrep Rule Creator
100 | Creates custom Semgrep rules for detecting security vulnerabilities, bug patterns, and code patterns. Use when writing Semgrep rules or building custom static analysis detections.
Clawsec Scanner
100 | Automated vulnerability scanner for agent platforms. Performs dependency scanning (npm audit, pip-audit), multi-database CVE lookup (OSV, NVD, GitHub Advisory), SAST analysis (Semgrep, Bandit), and agent-specific DAST hook execution testing for OpenClaw hooks.
CodeQL Static Analysis
99 | Scans a codebase for security vulnerabilities using CodeQL's interprocedural data flow and taint tracking analysis. Triggers on "run codeql", "codeql scan", "codeql analysis", "build codeql database", or "find vulnerabilities with codeql". Supports "run all" (security-and-quality + security-experimental suites) and "important only" (high-precision security findings) scan modes. Also handles creating data extension models and processing CodeQL SARIF output.
Fp Check
98 | Systematically verifies suspected security bugs to eliminate false positives. Produces TRUE POSITIVE or FALSE POSITIVE verdicts with documented evidence for each bug.
Variant Analysis
75 | Find similar vulnerabilities and bugs across codebases using pattern-based analysis. Use when hunting bug variants, building CodeQL/Semgrep queries, analyzing security vulnerabilities, or performing systematic code audits after finding an initial issue.
Janitor Usage
100 | Shows which skills you use and which you never use.