This skill runs Semgrep static analysis to scan code quickly, create custom rules, apply taint mode, and integrate scans into CI/CD workflows.
npx playbooks add skill plurigrid/asi --skill semgrep
---
name: semgrep
description: Run Semgrep static analysis for fast security scanning and pattern matching. Use when asked to scan code with Semgrep, write custom YAML rules, find vulnerabilities quickly, use taint mode, or set up Semgrep in CI/CD pipelines.
category: static-analysis
author: Trail of Bits
source: trailofbits/skills
license: AGPL-3.0
trit: -1
trit_label: MINUS
verified: true
featured: true
---
# Semgrep Skill
**Trit**: -1 (MINUS)
**Category**: static-analysis
**Author**: Trail of Bits
**Source**: trailofbits/skills
**License**: AGPL-3.0
## Description
Run Semgrep static analysis for fast security scanning and pattern matching. Use when asked to scan code with Semgrep, write custom YAML rules, find vulnerabilities quickly, use taint mode, or set up Semgrep in CI/CD pipelines.
## When to Use
This is a Trail of Bits security skill. Refer to the original repository for detailed usage guidelines and examples.
See: https://github.com/trailofbits/skills
## Related Skills
- audit-context-building
- codeql
- semgrep
- variant-analysis
## SDF Interleaving
This skill connects to **Software Design for Flexibility** (Hanson & Sussman, 2021):
### Primary Chapter: 4. Pattern Matching
**Concepts**: unification, match, segment variables, pattern
### GF(3) Balanced Triad
```
semgrep (+) + SDF.Ch4 (+) + [balancer] (+) = 0
```
**Skill Trit**: 1 (PLUS - generation)
### Connection Pattern
Pattern matching extracts structure. This skill recognizes and transforms patterns.
This skill runs Semgrep static analysis to deliver fast security scanning and pattern matching across codebases. It helps create and apply custom YAML rules, run taint-mode analyses, and integrate Semgrep scans into CI/CD pipelines for early vulnerability detection. The focus is on fast, rule-driven findings and actionable outputs that developers can act on quickly.
The skill invokes Semgrep to inspect source files using built-in and custom rule sets expressed in YAML patterns. It can run standard pattern matches or taint-mode analyses to track data flows, then formats and returns findings with locations, matching snippets, and rule metadata. It supports local scans, rule generation or modification, and CI integration guidance to automate recurring scans.
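The CI integration described above, written out as an added example rather than a workflow shipped with the skill or by Trail of Bits: a GitHub Actions job that runs the repository's own rule file together with a registry ruleset, fails the job on findings, and uploads SARIF so results appear in code scanning. The workflow path, the local rule file name `semgrep-rules.yaml`, and the choice of the `p/ci` registry ruleset are assumptions.

```yaml
# .github/workflows/semgrep.yml (assumed path; added example, not the skill's own workflow)
name: semgrep

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required for the SARIF upload step

jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep   # official image, so no pip install step is needed
    steps:
      - uses: actions/checkout@v4

      # --error makes the step fail when any finding is reported, which is
      # what blocks a pull request. Local rules and the registry ruleset are
      # combined by repeating --config.
      - name: Scan with local rules and the registry ruleset
        run: >-
          semgrep scan
          --config semgrep-rules.yaml
          --config p/ci
          --error
          --sarif --output semgrep.sarif

      # if: always() ensures findings are uploaded even when the scan step
      # failed because of them.
      - name: Upload findings to code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif
```

Keeping the rule file in the repository means a rule change is reviewed in the same pull request as the code it targets, and `--error` turns the scan into a gate rather than a report.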
Can this skill create custom Semgrep rules?
Yes—write or modify YAML rule files with pattern and metadata fields; the skill can suggest patterns and validate them against sample code.
How do I reduce false positives from broad rules?
Tighten your patterns, add conditionals or contextual constraints, and test rules on representative samples before running full scans.
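The two FAQ answers above, illustrated with an added rule file (not rules from the skill or from Trail of Bits): the first rule uses taint mode so that a finding is raised only when request-controlled data actually flows into a shell command, and the second shows a broad search-mode pattern tightened with `pattern-not` exclusions and a path exclusion to cut false positives. The file name `semgrep-rules.yaml`, the Flask/`subprocess` target code, and the excluded directories are assumptions.

```yaml
# semgrep-rules.yaml (assumed file name; added example, not the skill's own rules)
rules:
  # Taint mode: report only when a request-controlled value reaches a shell
  # command, rather than on every subprocess call in the codebase.
  - id: flask-request-to-shell-command
    languages: [python]
    severity: ERROR
    message: >-
      A value taken from the HTTP request reaches a shell command.
      Pass an argv list without shell=True, or validate the value first.
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
    mode: taint
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
      - pattern: flask.request.args[...]
    # A shell-quoted argument no longer taints the command string.
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: subprocess.run($CMD, ..., shell=True, ...)
              - pattern: subprocess.Popen($CMD, ..., shell=True, ...)
              - pattern: os.system($CMD)
          # Only the command argument is the sink, not the whole call.
          - focus-metavariable: $CMD

  # Search mode: the broad form of this rule is just `pattern: yaml.load(...)`.
  # The constraints below drop calls that already use a safe loader and
  # skip test fixtures, both of which would otherwise be false positives.
  - id: yaml-load-without-safe-loader
    languages: [python]
    severity: WARNING
    message: >-
      yaml.load without a safe Loader can instantiate arbitrary Python objects
      from untrusted input; use yaml.safe_load or Loader=yaml.SafeLoader.
    metadata:
      category: security
      cwe: "CWE-502: Deserialization of Untrusted Data"
    patterns:
      - pattern: yaml.load(...)
      - pattern-not: yaml.load(..., Loader=yaml.SafeLoader)
      - pattern-not: yaml.load(..., Loader=yaml.CSafeLoader)
      - pattern-not: yaml.load(..., Loader=yaml.BaseLoader)
    paths:
      exclude:
        - "tests/"
        - "**/fixtures/**"
```

Run it with `semgrep scan --config semgrep-rules.yaml src/`. To validate the rules against sample code before a full scan, put a `semgrep-rules.py` next to the rule file containing lines annotated `# ruleid: <rule-id>` where a match is expected and `# ok: <rule-id>` where none is, then run `semgrep --test` on that directory; a rule whose `ok` lines fire is the broad rule the FAQ warns about.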