DiscordSign up
SKILLS.SH

semgrep

Parallel static analysis scanner with automatic language detection, Pro cross-file taint tracking, and merged SARIF output. Supports two scan modes: "run all" (complete ruleset coverage) and "important only" (high-confidence security vulnerabilities filtered by severity and impact) Automatically detects Semgrep Pro availability for cross-file taint analysis; falls back to OSS mode with per-file scanning Includes third-party rulesets from Trail of Bits, 0xdea, and Decurity alongside official rules to catch vulnerabilities absent from the default registry Spawns parallel scanner subagents for multi-language codebases; merges all results into a single SARIF file with severity and category breakdown Requires explicit user approval of the scan plan (languages, rulesets, mode, target directory) before execution begins

INSTALLATION
npx skills add https://github.com/trailofbits/skills --skill semgrep
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

$2a

When NOT to Use

  • Binary analysis → Use binary analysis tools
  • Already have Semgrep CI configured → Use existing pipeline
  • Need cross-file analysis but no Pro license → Consider CodeQL as alternative
  • Creating custom Semgrep rules → Use semgrep-rule-creator skill
  • Porting existing rules to other languages → Use semgrep-rule-variant-creator skill

Output Directory

All scan results, SARIF files, and temporary data are stored in a single output directory.

  • If the user specifies an output directory in their prompt, use it as OUTPUT_DIR.
  • If not specified, default to ./static_analysis_semgrep_1. If that already exists, increment to _2, _3, etc.

In both cases, always create the directory with mkdir -p before writing any files.

# Resolve output directory

if [ -n "$USER_SPECIFIED_DIR" ]; then

  OUTPUT_DIR="$USER_SPECIFIED_DIR"

else

  BASE="static_analysis_semgrep"

  N=1

  while [ -e "${BASE}_${N}" ]; do

    N=$((N + 1))

  done

  OUTPUT_DIR="${BASE}_${N}"

fi

mkdir -p "$OUTPUT_DIR/raw" "$OUTPUT_DIR/results"

The output directory is resolved once at the start of Step 1 and used throughout all subsequent steps.

$OUTPUT_DIR/

├── rulesets.txt                 # Approved rulesets (logged after Step 3)

├── raw/                         # Per-scan raw output (unfiltered)

│   ├── python-python.json

│   ├── python-python.sarif

│   ├── python-django.json

│   ├── python-django.sarif

│   └── ...

└── results/                     # Final merged output

    └── results.sarif

Prerequisites

Required: Semgrep CLI (semgrep --version). If not installed, see Semgrep installation docs.

Optional: Semgrep Pro — enables cross-file taint tracking, inter-procedural analysis, and additional languages (Apex, C#, Elixir). Check with:

semgrep --pro --validate --config p/default 2>/dev/null && echo "Pro available" || echo "OSS only"

Limitations: OSS mode cannot track data flow across files. Pro mode uses -j 1 for cross-file analysis (slower per ruleset, but parallel rulesets compensate).

Scan Modes

Select mode in Step 2 of the workflow. Mode affects both scanner flags and post-processing.

Mode

Coverage

Findings Reported

Run all

All rulesets, all severity levels

Everything

Important only

All rulesets, pre- and post-filtered

Security vulns only, medium-high confidence/impact

Important only applies two filter layers:

  • Pre-filter: --severity MEDIUM --severity HIGH --severity CRITICAL (CLI flag)
  • Post-filter: JSON metadata — keeps only category=security, confidence∈{MEDIUM,HIGH}, impact∈{MEDIUM,HIGH}

See scan-modes.md for metadata criteria and jq filter commands.

Orchestration Architecture

┌──────────────────────────────────────────────────────────────────┐

│ MAIN AGENT (this skill)                                          │

│ Step 1: Detect languages + check Pro availability                │

│ Step 2: Select scan mode + rulesets (ref: rulesets.md)           │

│ Step 3: Present plan + rulesets, get approval [⛔ HARD GATE]     │

│ Step 4: Spawn parallel scan Tasks (approved rulesets + mode)     │

│ Step 5: Merge results and report                                 │

└──────────────────────────────────────────────────────────────────┘

         │ Step 4

         ▼

┌─────────────────┐

│ Scan Tasks      │

│ (parallel)      │

├─────────────────┤

│ Python scanner  │

│ JS/TS scanner   │

│ Go scanner      │

│ Docker scanner  │

└─────────────────┘

Workflow

Follow the detailed workflow in scan-workflow.md. Summary:

Step

Action

Gate

Key Reference

1

Resolve output dir, detect languages + Pro availability

Use Glob, not Bash

2

Select scan mode + rulesets

rulesets.md

3

Present plan, get explicit approval

⛔ HARD

AskUserQuestion

4

Spawn parallel scan Tasks

scanner-task-prompt.md

5

Merge results and report

Merge script (below)

Task enforcement: On invocation, create 5 tasks with blockedBy dependencies (each step blocks the previous). Step 3 is a HARD GATE — mark complete ONLY after user explicitly approves.

Merge command (Step 5):

uv run {baseDir}/scripts/merge_sarif.py $OUTPUT_DIR/raw $OUTPUT_DIR/results/results.sarif

Agents

Agent

Tools

Purpose

static-analysis:semgrep-scanner

Bash

Executes parallel semgrep scans for a language category

Use subagent_type: static-analysis:semgrep-scanner in Step 4 when spawning Task subagents.

Rationalizations to Reject

Shortcut

Why It's Wrong

"User asked for scan, that's approval"

Original request ≠ plan approval. Present plan, use AskUserQuestion, await explicit "yes"

"Step 3 task is blocking, just mark complete"

Lying about task status defeats enforcement. Only mark complete after real approval

"I already know what they want"

Assumptions cause scanning wrong directories/rulesets. Present plan for verification

"Just use default rulesets"

User must see and approve exact rulesets before scan

"Add extra rulesets without asking"

Modifying approved list without consent breaks trust

"Third-party rulesets are optional"

Trail of Bits, 0xdea, Decurity catch vulnerabilities not in official registry — REQUIRED

"Use --config auto"

Sends metrics; less control over rulesets

"One Task at a time"

Defeats parallelism; spawn all Tasks together

"Pro is too slow, skip --pro"

Cross-file analysis catches 250% more true positives; worth the time

"Semgrep handles GitHub URLs natively"

URL handling fails on repos with non-standard YAML; always clone first

"Cleanup is optional"

Cloned repos pollute the user's workspace and accumulate across runs

"Use . or relative path as target"

Subagents need absolute paths to avoid ambiguity

"Let the user pick an output dir later"

Output directory must be resolved at Step 1, before any files are created

Reference Index

File

Content

rulesets.md

Complete ruleset catalog and selection algorithm

scan-modes.md

Pre/post-filter criteria and jq commands

scanner-task-prompt.md

Template for spawning scanner subagents

Workflow

Purpose

scan-workflow.md

Complete 5-step scan execution process

Success Criteria

  • Output directory resolved (user-specified or auto-incremented default)
  • All generated files stored inside $OUTPUT_DIR
  • Languages detected with file counts; Pro status checked
  • Scan mode selected by user (run all / important only)
  • Rulesets include third-party rules for all detected languages
  • User explicitly approved the scan plan (Step 3 gate passed)
  • All scan Tasks spawned in a single message and completed
  • Every semgrep command used --metrics=off
  • Approved rulesets logged to $OUTPUT_DIR/rulesets.txt
  • Raw per-scan outputs stored in $OUTPUT_DIR/raw/
  • results.sarif exists in $OUTPUT_DIR/results/ and is valid JSON
  • Important-only mode: post-filter applied before merge; unfiltered results preserved in raw/
  • Results summary reported with severity and category breakdown
  • Cloned repos (if any) cleaned up from $OUTPUT_DIR/repos/
BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

find-skills
2/3

Discover and install specialized agent skills from the open ecosystem when users need extended capabilities. Helps identify relevant skills by domain and task when users ask "how do I do X" or "find a skill for X" Integrates with the Skills CLI ( npx skills find , npx skills add ) to search, verify, and install packages from the skills.sh directory Recommends skills based on install count, source reputation, and GitHub stars to ensure quality before suggesting installation Presents skill options with install commands and links to skills.sh for user review and one-click installation

Verified authorvercel-labs
SKILLS.SH
1.5M19.6K
2026-05-22
vercel-react-best-practices
3/3

React and Next.js performance optimization guide with 64 prioritized rules across 8 categories. Organized by impact level, from critical waterfalls and bundle optimization down to advanced patterns, each rule includes incorrect/correct code examples and explanations Covers eight domains: async patterns, bundle size, server-side caching, client-side data fetching, re-render optimization, rendering performance, JavaScript efficiency, and advanced patterns Designed for use during component writing, code review, refactoring, and performance audits on React and Next.js applications Each rule has a prefix code (e.g., async-parallel , bundle-barrel-imports ) for easy reference in automated tooling and documentation

Verified authorvercel-labs
SKILLS.SH
389K26.9K
2026-05-22
azure-validate
2/3

Pre-deployment validation for Azure infrastructure, configuration, and permissions before deployment. Requires .azure/plan.md from a prior azure-prepare run; stops immediately if the plan is missing Executes recipe-specific validation commands (azd provision, bicep build, terraform validate) and records proof in the plan document Performs build verification, configuration checks, and permission validation; blocks deployment if any check fails Only authorized method to set plan status to Validated ; must be followed by azure-deploy skill to execute the actual deployment

Verified authormicrosoft
SKILLS.SH
324K1.1K
2026-05-22
appinsights-instrumentation
3/3

Guidance and reference material for instrumenting webapps with Azure Application Insights. Covers SDK setup, telemetry patterns, and configuration for ASP.NET Core and Node.js applications hosted in Azure Distinguishes between this skill (reference and guidance) and azure-prepare (actual implementation); invoke azure-prepare when the user wants to add instrumentation to their project Provides auto-instrumentation guidance for C# ASP.NET Core apps in Azure App Service, plus manual instrumentation paths for creating App Insights resources via Bicep templates or Azure CLI Includes language-specific code modification guides for ASP.NET Core, Node.js, and Python, plus quick references for OpenTelemetry SDKs and exporters

Verified authormicrosoft
SKILLS.SH
324K1.1K
2026-05-22

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card