Security 447 installs

Semgrep Security Scan

by trailofbits/skills

Run Semgrep static analysis scan on a codebase using parallel subagents. Supports two scan modes - "run all" (full ruleset coverage) and "important only"…

Skill content

Semgrep Security Scan

Run a Semgrep scan with automatic language detection, parallel execution via Task subagents, and merged SARIF output.

Essential Principles

- Always use --metrics=off - Semgrep sends telemetry by default; --config auto also phones home. Every semgrep command must include --metrics=off to prevent data leakage during security audits.

- User must approve the scan plan (Step 3 is a hard gate) - The original "scan this codebase" request is NOT approval. Present exact rulesets, target, engine, and mode; wait for explicit "yes"/"proceed" before spawning scanners.

- Third-party rulesets are required, not optional - Trail of Bits, 0xdea, and Decurity rules catch vulnerabilities absent from the official registry. Include them whenever the detected language matches.

- Spawn all scan Tasks in a single message - Parallel execution is the core performance advantage. Never spawn Tasks sequentially; always emit all Task tool calls in one response.

- Always check for Semgrep Pro before scanning - Pro enables cross-file taint tracking and catches ~250% more true positives. Skipping the check means silently missing critical inter-file vulnerabilities.

When to Use

- Security audit of a codebase

- Finding vulnerabilities before code review

- Scanning for known bug patterns

- First-pass static analysis