semgrep
7 indexed skills
semgrep
semgrep/skills · Productivity
Fast, pattern-based static analysis for security scanning and custom rule creation.
semgrep-rule-creator
trailofbits/skills · Productivity
Custom Semgrep rule creation with test-driven validation and AST-guided pattern development.

Guides iterative rule authoring: analyze problem, write tests first, inspect AST structure, build patterns, validate with semgrep --test, then optimize
Prioritizes taint mode for data flow vulnerabilities (sources to sinks) over pattern matching to reduce false positives; supports switching between approaches as needed
Enforces strict testing discipline: 100% test pass required, safe cases m
implementing-devsecops-security-scanning
mukul975/Anthropic-Cybersecurity-Skills · implementing-devsecops-security-scanning
Integrates Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) into CI/CD pipelines using open-source tools. Covers Semgrep for SAST, Trivy for SCA and container scanning, OWASP ZAP for DAST, and Gitleaks for secrets detection. Activates for requests involving DevSecOps pipeline setup, automated security scanning in CI/CD, SAST/DAST/SCA integration, or shift-left security implementation.
implementing-semgrep-for-custom-sast-rules
mukul975/Anthropic-Cybersecurity-Skills · implementing-semgrep-for-custom-sast-rules
Write custom Semgrep SAST rules in YAML to detect application-specific vulnerabilities, enforce coding standards, and integrate into CI/CD pipelines.
integrating-sast-into-github-actions-pipeline
mukul975/Anthropic-Cybersecurity-Skills · integrating-sast-into-github-actions-pipeline
This skill covers integrating Static Application Security Testing (SAST) tools—CodeQL and Semgrep—into GitHub Actions CI/CD pipelines. It addresses configuring automated code scanning on pull requests and pushes, tuning rules to reduce false positives, uploading SARIF results to GitHub Advanced Security, and establishing quality gates that block merges when high-severity vulnerabilities are detected.
semgrep-rule-variant-creator
trailofbits/skills · Productivity
Port existing Semgrep rules to new target languages with applicability analysis and test-driven validation.

Takes an existing Semgrep rule and target languages as input; produces independent rule and test directories for each applicable language
Requires mandatory applicability analysis per language before porting, rejecting shortcuts like assuming identical patterns across different ASTs
Enforces test-first methodology: write minimum 2 vulnerable and 2 safe test cases before creatin
semgrep
trailofbits/skills · Productivity
Parallel static analysis scanner with automatic language detection, Pro cross-file taint tracking, and merged SARIF output.

Supports two scan modes: "run all" (complete ruleset coverage) and "important only" (high-confidence security vulnerabilities filtered by severity and impact)
Automatically detects Semgrep Pro availability for cross-file taint analysis; falls back to OSS mode with per-file scanning
Includes third-party rulesets from Trail of Bits, 0xdea, and Decurity alongsi