home / skills / multiversx / mx-ai-skills / mvx_semgrep_creator

mvx_semgrep_creator skill

safe

/antigravity/skills/mvx_semgrep_creator

This skill guides you in writing Semgrep rules to enforce MultiversX patterns and catch unsafe code early.

npx playbooks add skill multiversx/mx-ai-skills --skill mvx_semgrep_creator

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

1023 B

---
name: mvx_semgrep_creator
description: Writing custom Semgrep rules to enforce MultiversX best practices.
---

# Semgrep Rule Creator (MX)

This skill guides you in writing Semgrep rules to catch MultiversX-specific patterns automatically.

## 1. Common Patterns
- **Unsafe Math**: `x + y` where `x` is `u64`.
- **Floating Point**: `f64`.
- **Endpoint without Payment Check**: `#[payable]` function without `call_value()`.

## 2. Template
```yaml
rules:
  - id: mvx-unsafe-addition
    languages: [rust]
    message: "Potential arithmetic overflow. Use checked_add or BigUint."
    severity: ERROR
    patterns:
      - pattern: $X + $Y
      - pattern-not: $X.checked_add($Y)
      - pattern-inside: |
          #[multiversx_sc::contract]
          trait Contract {
            ...
          }
```

## 3. Workflow
1.  **Identify Pattern**: See `mvx_variant_analysis`.
2.  **Write Rule**: Use the template.
3.  **Test**: Run on the codebase using `semgrep --config rules.yaml .`
4.  **Refine**: Reduce false positives.

Overview

This skill helps you write custom Semgrep rules that enforce MultiversX-specific best practices across Rust smart contracts. It packages common detection patterns, a reusable rule template, and a short workflow to create, test, and refine rules that reduce security and correctness issues. Use it to automate code review checks and catch risky patterns early in CI.

How this skill works

The skill inspects source code patterns and generates Semgrep YAML rules tailored for MultiversX contracts. It highlights patterns such as unsafe integer arithmetic, use of floating point types, and payable endpoints that lack explicit payment handling. You can seed a rule from the template, run semgrep locally or in CI, and iterate to lower false positives.

When to use it

Add static checks for MultiversX smart contract code during CI and pre-commit.
Detect arithmetic operations on u64 that may overflow without checked ops.
Prevent use of f64 or other floating-point types in contract logic.
Flag #[payable] functions that do not verify call_value() or payment handling.
Enforce coding patterns inside #[multiversx_sc::contract] traits and impls.

Best practices

Start with narrow patterns and broaden only after validating results to avoid noise.
Use pattern-not to exclude safe helper calls like checked_add or wrappers around BigUint.
Run semgrep locally on representative code to tune severity and reduce false positives.
Organize rules by category (safety, payment, style) and document intent in the message field.
Integrate rules into CI with incremental rollouts and clear developer guidance for fixes.

Example use cases

Create mvx-unsafe-addition to detect x + y on u64 and suggest checked_add or BigUint.
Block usage of f64 by matching type declarations and erroring with a migration suggestion.
Ensure #[payable] endpoints call call_value() by detecting payable functions missing payment checks.
Bundle a rules.yaml for a repo to run semgrep --config rules.yaml . as part of pull request checks.
Iteratively refine a rule after reviewing false positives on a large codebase snapshot.

FAQ

How do I reduce false positives?

Narrow patterns, add pattern-not exclusions for known safe helpers, and test rules on representative files before enabling in CI.

Can these rules run in CI?

Yes. Add semgrep to your build pipeline and point it at the rules.yaml; start with non-blocking reporting before enforcing failures.