Security
447 installs
Semgrep Security Scan
by trailofbits/skills
Run Semgrep static analysis scan on a codebase using parallel subagents. Supports two scan modes - "run all" (full ruleset coverage) and "important only"…
Skill content
Semgrep Security Scan Run a Semgrep scan with automatic language detection, parallel execution via Task subagents, and merged SARIF output. Essential Principles - Always use --metrics=off - Semgrep sends telemetry by default; --config auto also phones home. Every semgrep command must include --metrics=off to prevent data leakage during security audits. - User must approve the scan plan (Step 3 is a hard gate) - The original "scan this codebase" request is NOT approval. Present exact rulesets, target, engine, and mode; wait for explicit "yes"/"proceed" before spawning scanners. - Third-party rulesets are required, not optional - Trail of Bits, 0xdea, and Decurity rules catch vulnerabilities absent from the official registry. Include them whenever the detected language matches. - Spawn all scan Tasks in a single message - Parallel execution is the core performance advantage. Never spawn Tasks sequentially; always emit all Task tool calls in one response. - Always check for Semgrep Pro before scanning - Pro enables cross-file taint tracking and catches ~250% more true positives. Skipping the check means silently missing critical inter-file vulnerabilities. When to Use - Security audit of a codebase - Finding vulnerabilities before code review - Scanning for known bug patterns - First-pass static analysis