semgrep

Solid

Run Semgrep static analysis scan on a codebase using parallel subagents. Supports two scan modes — "run all" (full ruleset coverage) and "important only" (high-confidence security vulnerabilities). Automatically detects and uses Semgrep Pro for cross-file taint analysis when available. Use when asked to scan code for vulnerabilities, run a security audit with Semgrep, find bugs, or perform static analysis. Spawns parallel workers for multi-language codebases.

AI & Automation 5,501 stars 484 forks Updated 4 days ago CC-BY-SA-4.0

Install

View on GitHub

Quality Score: 93/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Semgrep Security Scan Run a Semgrep scan with automatic language detection, parallel execution via Task subagents, and merged SARIF output. ## Essential Principles 1. **Always use `--metrics=off`** — Semgrep sends telemetry by default; `--config auto` also phones home. Every `semgrep` command must include `--metrics=off` to prevent data leakage during security audits. 2. **User must approve the scan plan (Step 3 is a hard gate)** — The original "scan this codebase" request is NOT approval. Present exact rulesets, target, engine, and mode; wait for explicit "yes"/"proceed" before spawning scanners. 3. **Third-party rulesets are required, not optional** — Trail of Bits, 0xdea, and Decurity rules catch vulnerabilities absent from the official registry. Include them whenever the detected language matches. 4. **Spawn all scan Tasks in a single message** — Parallel execution is the core performance advantage. Never spawn Tasks sequentially; always emit all Task tool calls in one response. 5. **Always check for Semgrep Pro before scanning** — Pro enables cross-file taint tracking and catches ~250% more true positives. Skipping the check means silently missing critical inter-file vulnerabilities. ## When to Use - Security audit of a codebase - Finding vulnerabilities before code review - Scanning for known bug patterns - First-pass static analysis ## When NOT to Use - Binary analysis → Use binary analysis tools - Already have Semgrep CI configured → Use existing pipeline - N...

Details

Author
trailofbits
Repository
trailofbits/skills
Created
4 months ago
Last Updated
4 days ago
Language
Python
License
CC-BY-SA-4.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Listed

semgrep

Run Semgrep security and code quality analysis

10 Updated 6 days ago
jmylchreest
Testing & QA Solid

sast-semgrep

Static application security testing (SAST) using Semgrep for vulnerability detection, security code review, and secure coding guidance with OWASP and CWE framework mapping. Use when: (1) Scanning code for security vulnerabilities across multiple languages, (2) Performing security code reviews with pattern-based detection, (3) Integrating SAST checks into CI/CD pipelines, (4) Providing remediation guidance with OWASP Top 10 and CWE mappings, (5) Creating custom security rules for organization-specific patterns, (6) Analyzing dependencies for known vulnerabilities.

335 Updated today
aiskillstore
AI & Automation Featured

semgrep-rule-creator

Creates custom Semgrep rules for detecting security vulnerabilities, bug patterns, and code patterns. Use when writing Semgrep rules or building custom static analysis detections.

39,350 Updated today
sickn33
AI & Automation Featured

implementing-semgrep-for-custom-sast-rules

Write custom Semgrep SAST rules in YAML to detect application-specific vulnerabilities, enforce coding standards, and integrate into CI/CD pipelines.

13,115 Updated today
mukul975
Web & Frontend Solid

semgrep-rule-creator

Creates custom Semgrep rules for detecting security vulnerabilities, bug patterns, and code patterns. Use when writing Semgrep rules or building custom static analysis detections.

5,501 Updated 4 days ago
trailofbits