DiscordSign up
SKILLS.SH

code-security

Security guidelines for writing secure code. Use when writing code, reviewing code for vulnerabilities, or asking about secure coding practices like 'check for…

INSTALLATION
npx skills add https://github.com/semgrep/skills --skill code-security
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

$28

Language

Priority Rules to Check

Python

SQL injection, command injection, path traversal, code injection, SSRF, insecure crypto

JavaScript/TypeScript

XSS, prototype pollution, code injection, insecure transport, CSRF

Java

SQL injection, XXE, insecure deserialization, insecure crypto, SSRF

Go

SQL injection, command injection, path traversal, insecure transport

C/C++

Memory safety, unsafe functions, command injection, path traversal

Ruby

SQL injection, command injection, code injection, insecure deserialization

PHP

SQL injection, XSS, command injection, code injection, path traversal

HCL/YAML

Terraform (AWS/Azure/GCP), Kubernetes, Docker, GitHub Actions

Categories

Critical Impact

  • SQL Injection (rules/sql-injection.md) - Use parameterized queries, never concatenate user input
  • Command Injection (rules/command-injection.md) - Avoid shell commands with user input, use safe APIs
  • XSS (rules/xss.md) - Escape output, use framework protections
  • XXE (rules/xxe.md) - Disable external entities in XML parsers
  • Path Traversal (rules/path-traversal.md) - Validate and sanitize file paths
  • Insecure Deserialization (rules/insecure-deserialization.md) - Never deserialize untrusted data
  • Code Injection (rules/code-injection.md) - Never eval() user input
  • Hardcoded Secrets (rules/secrets.md) - Use environment variables or secret managers
  • Memory Safety (rules/memory-safety.md) - Prevent buffer overflows, use-after-free (C/C++)

High Impact

  • Insecure Crypto (rules/insecure-crypto.md) - Use SHA-256+, AES-256, avoid MD5/SHA1/DES
  • Insecure Transport (rules/insecure-transport.md) - Use HTTPS, verify certificates
  • SSRF (rules/ssrf.md) - Validate URLs, use allowlists
  • JWT Issues (rules/authentication-jwt.md) - Always verify signatures
  • CSRF (rules/csrf.md) - Use CSRF tokens on state-changing requests
  • Prototype Pollution (rules/prototype-pollution.md) - Validate object keys in JavaScript

Infrastructure

  • Terraform AWS/Azure/GCP (rules/terraform-aws.md, rules/terraform-azure.md, rules/terraform-gcp.md) - Encryption, least privilege, no public access
  • Kubernetes (rules/kubernetes.md) - No privileged containers, run as non-root
  • Docker (rules/docker.md) - Don't run as root, pin image versions
  • GitHub Actions (rules/github-actions.md) - Avoid script injection, pin action versions

Medium/Low Impact

  • Regex DoS (rules/regex-dos.md) - Avoid catastrophic backtracking
  • Race Conditions (rules/race-condition.md) - Use proper synchronization
  • Correctness (rules/correctness.md) - Avoid common logic bugs
  • Best Practices (rules/best-practice.md) - General secure coding patterns

See rules/_sections.md for the full index with CWE/OWASP references.

Quick Reference

Vulnerability

Key Prevention

SQL Injection

Parameterized queries

XSS

Output encoding

Command Injection

Avoid shell, use APIs

Path Traversal

Validate paths

SSRF

URL allowlists

Secrets

Environment variables

Crypto

SHA-256, AES-256

BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

azure-compliance
3/3

Azure compliance scanning, Key Vault expiration auditing, and resource configuration validation. Runs azqr (Azure Quick Review) for comprehensive compliance assessment against best practices across subscriptions and resource groups Monitors Key Vault keys, secrets, and certificates for expiration dates and identifies items without expiration policies Detects orphaned, misconfigured, and non-compliant resources using Resource Graph queries Classifies findings by priority (Critical, High, Medium, Low) with remediation guidance for each issue

Verified authormicrosoft
SKILLS.SH
293K1.1K
2026-05-22
openclaw-secure-linux-cloud
1/3

Use when self-hosting OpenClaw on a cloud server, hardening a remote OpenClaw gateway, choosing between SSH tunneling, Tailscale, or reverse-proxy exposure, or…

xixu-me
SKILLS.SH
150K53
2026-05-22
entra-agent-id
3/3

Provision Microsoft Entra Agent Identity Blueprints, BlueprintPrincipals, and per-instance Agent Identities via Microsoft Graph, and configure OAuth 2.0 token…

Verified authormicrosoft
SKILLS.SH
59.1K1.1K
2026-05-21
firebase-security-rules-auditor
3/3

A skill to evaluate how secure Firestore security rules are. Use this when Firestore security rules are updated to ensure that the generated rules are…

firebase
SKILLS.SH
23.5K292
2026-05-21

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card