semgrep-rule-variant-creator

Port Semgrep rules to new languages using a strict, test-driven methodology. Includes applicability analysis, AST-based translation, and automated validation for each target language.

Introduction

The semgrep-rule-variant-creator is a specialized tool for security engineers and developers tasked with expanding vulnerability detection coverage across polyglot codebases. This skill automates the translation of existing Semgrep rules into new target languages by enforcing a rigorous, four-phase workflow that ensures accuracy, idiomatic correctness, and reliable detection. It is designed to move beyond simple syntax changes, addressing the complexities of language-specific AST structures and data flow patterns.

  • Performs mandatory applicability analysis to determine if a vulnerability pattern holds semantic relevance in the target language before any translation begins.

  • Implements a strict test-first development loop, requiring at least two vulnerable and two safe test cases per variant, so that every translated rule is checked for both true positives and false positives before it is accepted.

  • Utilizes Semgrep's --dump-ast capability to perform structural analysis, ensuring that translated patterns account for language-specific nuances and idioms.

  • Generates independent rule and test directories for each target language, maintaining organizational clarity and simplifying CI/CD integration.

  • Provides a robust validation step, requiring a 100% test pass rate under semgrep --test and a clean result from semgrep --validate before a variant is considered complete.

  • Requires an existing YAML Semgrep rule and a list of target languages as primary inputs.

  • Follows a modular workflow: Applicability Analysis, Test Creation, Rule Translation, and Validation.

  • Prevents common pitfalls like 1:1 syntax translation, which often fails to catch data flow differences or language-specific library behavior.

  • Recommended for porting patterns like SQL injection, command execution, or other common vulnerability classes across diverse stacks like Go, Java, Python, and JavaScript.

  • Strictly prohibits skipping steps; the tool ensures that developers do not take shortcuts that compromise rule quality or lead to false negatives.

  • Integrates with the broader Semgrep rule authoring ecosystem, specifically building upon principles established in the semgrep-rule-creator skill.

Repository Stats

Stars: 4,910
Forks: 428
Open Issues: 21
Language: Python
Default Branch: main
Sync Status: Idle
Last Synced: Apr 30, 2026, 03:53 PM