Static Analysis
Plugin (Active)
Static analysis toolkit with CodeQL, Semgrep, and SARIF parsing for security vulnerability detection
To provide a robust toolkit for developers and security teams to detect vulnerabilities and analyze code quality through static analysis.
Features
- CodeQL database creation and analysis
- Semgrep scanning with language detection
- SARIF file parsing and processing
- Security vulnerability detection
- Support for multiple programming languages
Use cases
- Perform security audits on codebases
- Detect vulnerabilities before code review
- Aggregate and deduplicate security findings
- Integrate static analysis into CI/CD pipelines
Non-goals
- Writing custom CodeQL or Semgrep rules
- Performing binary analysis
- Replacing existing CI/CD Semgrep configurations
- Running static analysis without SARIF output
Trust
- Warning (issues attention): 13 issues opened and 4 closed in the last 90 days indicate a low closure rate (approx. 24%), suggesting maintainers may respond slowly to issues.
Installation
Add the Marketplace first:
/plugin marketplace add trailofbits/skills
/plugin install static-analysis@trailofbits
Includes 3 extensions
Skills (3)
Scans a codebase for security vulnerabilities using CodeQL's interprocedural data flow and taint tracking analysis. Triggers on "run codeql", "codeql scan", "codeql analysis", "build codeql database", or "find vulnerabilities with codeql". Supports "run all" (security-and-quality + security-experimental suites) and "important only" (high-precision security findings) scan modes. Also handles creating data extension models and processing CodeQL SARIF output.
Parses and processes SARIF files from static analysis tools like CodeQL, Semgrep, or other scanners. Triggers on "parse sarif", "read scan results", "aggregate findings", "deduplicate alerts", or "process sarif output". Handles filtering, deduplication, format conversion, and CI/CD integration of SARIF data. Does NOT run scans — use the Semgrep or CodeQL skills for that.
Runs a Semgrep static analysis scan on a codebase using parallel subagents. Supports two scan modes — "run all" (full ruleset coverage) and "important only" (high-confidence security vulnerabilities). Automatically detects and uses Semgrep Pro for cross-file taint analysis when available. Use when asked to scan code for vulnerabilities, run a security audit with Semgrep, find bugs, or perform static analysis. Spawns parallel workers for multi-language codebases.
Quality score
Similar extensions
Variant Analysis
Score 79: Find similar vulnerabilities and bugs across codebases using pattern-based analysis
Semgrep Rule Creator
Score 79: Create custom Semgrep rules for detecting bug patterns and security vulnerabilities
Trailmark Plugin
Score 96: Builds multi-language source code graphs for security analysis: call graphs, attack surface mapping, blast radius, taint propagation, complexity hotspots, and entry point enumeration. Generates Mermaid diagrams (call graphs, class hierarchies, dependency maps, heatmaps). Compares code graph snapshots for structural diff and evolution analysis. Runs graph-informed mutation testing triage (genotoxic). Generates mutation-driven test vectors (vector-forge). Extracts crypto protocol message flows and converts Mermaid diagrams to ProVerif models. Projects SARIF and weAudit findings onto code graphs. Use when analyzing call paths, mapping attack surface, visualizing code architecture, triaging survived mutants, generating cryptographic test vectors, diagramming crypto protocols, formally verifying protocols, or augmenting audits with static analysis findings.
Semgrep Rule Variant Creator
Score 94: Creates language variants of existing Semgrep rules with proper applicability analysis and test-driven validation
C Review
Score 75: Comprehensive C/C++ security code review with specialized bug-finding agents covering memory safety, type safety, concurrency, and Linux/Windows userspace-specific issues