
semgrep

Run parallel Semgrep static analysis scans to detect security vulnerabilities with support for custom rulesets and Pro-tier cross-file taint tracking.

Introduction

This skill provides a robust, security-focused wrapper for the Semgrep CLI, optimized for automated code auditing and vulnerability hunting. It is designed for security engineers and developers who need to perform static analysis on complex, multi-language codebases efficiently. By leveraging parallel execution via subagents, it reduces scan times for large repositories while ensuring high-confidence results. The skill manages the end-to-end lifecycle of a security audit, including automatic environment detection, ruleset management, and the merging of findings into industry-standard SARIF format for integration with existing security pipelines.

  • Executes parallel Semgrep scanners across different languages to maximize performance during audit tasks.

  • Automatically detects and utilizes Semgrep Pro features, such as cross-file taint analysis, to identify complex inter-procedural security vulnerabilities.

  • Enforces strict security best practices, including mandatory --metrics=off flags to prevent sensitive data leakage and a hard-gate approval process for every scan plan.

  • Integrates essential third-party rulesets from reputable security organizations like Trail of Bits, 0xdea, and Decurity to expand detection coverage beyond the standard registry.

  • Handles output management, directory creation, and automatic SARIF result merging using specialized Python scripts.

  • Use this skill for codebase-wide security audits, vulnerability discovery prior to code reviews, and identifying known bug patterns.

  • The agent requires a clear scan plan approval from the user before executing any scanning tools to ensure controlled and intentional analysis.

  • The skill distinguishes between 'run all' (full coverage) and 'important only' (high-confidence/impact security findings) modes to balance noise and signal.

  • Requires the Semgrep CLI and optional Pro access; results are saved to a versioned output directory (e.g., ./static_analysis_semgrep_n).

  • Not intended for binary analysis or for codebases where a CI/CD scanning pipeline is already configured; use the specialized skills for custom rule creation or variant analysis.

Repository Stats

  • Stars: 4,857
  • Forks: 421
  • Open Issues: 29
  • Language: Python
  • Default Branch: main
  • Last Synced: Apr 28, 2026, 12:50 PM