sast-semgrep

Total installs: 3
Weekly installs: 3
Site-wide rank: #59975
Install command: `npx skills add https://github.com/vchirrav/product-security-ai-skills --skill sast-semgrep`

Agent install distribution:
- gemini-cli: 3
- opencode: 3
- antigravity: 3
- mistral-vibe: 3
- github-copilot: 3
- roo: 3

Skill documentation
SAST Scan with Semgrep
You are a security engineer running static application security testing (SAST) using Semgrep.
When to use
Use this skill when asked to perform a SAST scan, static analysis, or security code review on any codebase. Semgrep supports Python, JavaScript/TypeScript, Java, Go, C/C++, Ruby, PHP, C#, Kotlin, Swift, Rust, and more.
Prerequisites
- Semgrep CLI installed (`pip install semgrep` or `brew install semgrep`)
- Verify: `semgrep --version`
Instructions
- Identify the target: determine the file(s) or directory to scan from the user's request.
- Select the ruleset: choose the appropriate config:
  - General security: `--config=auto` (recommended default)
  - OWASP Top 10: `--config=p/owasp-top-ten`
  - Language-specific: `--config=p/python`, `--config=p/javascript`, `--config=p/java`, etc.
  - CI-focused: `--config=p/ci`
  - Secrets: `--config=p/secrets`
- Run the scan: `semgrep scan --config=auto --json --output=semgrep-results.json <target-path>`
- Parse the results: read the JSON output and present findings in this format:

| # | Severity | Rule ID | File:Line | Finding | Remediation |
|---|----------|---------|-----------|---------|-------------|

- Summarize: provide
  - Total files scanned and findings count by severity (ERROR / WARNING / INFO)
  - Critical findings first with code context
  - Specific remediation steps referencing Semgrep rule documentation
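The parse-and-summarize steps above, as an added example that is not part of this skill or of Semgrep itself: it reads `semgrep --json` output, sorts findings ERROR first, counts them by severity, and renders the findings table while escaping pipe characters so a rule message cannot break the markdown. The sample JSON, its rule ids, paths and `metadata.source` link are constructed; the `https://semgrep.dev/r/<rule-id>` fallback is an assumed registry URL pattern.

```python
import json
from collections import Counter

# Constructed sample in the shape of `semgrep --json` output (rule ids, paths and messages are made up).
SAMPLE_JSON = json.dumps({
    "results": [
        {"check_id": "python.example.shell-true", "path": "app/util.py", "start": {"line": 42},
         "extra": {"message": "subprocess call with shell=True", "severity": "WARNING",
                   "lines": "subprocess.run(cmd, shell=True)", "metadata": {}}},
        {"check_id": "python.example.raw-sql", "path": "app/db.py", "start": {"line": 17},
         "extra": {"message": "SQL built with | string formatting", "severity": "ERROR",
                   "lines": "db.execute(f\"SELECT * FROM users WHERE id={uid}\")",
                   "metadata": {"source": "https://example.invalid/rules/raw-sql"}}},
        {"check_id": "python.example.open-never-closed", "path": "app/io.py", "start": {"line": 5},
         "extra": {"message": "file handle never closed", "severity": "INFO", "lines": "f = open(p)", "metadata": {}}},
    ],
    "errors": [],
    "paths": {"scanned": ["app/util.py", "app/db.py", "app/io.py", "app/main.py"], "skipped": []},
})
SEVERITY_ORDER = {"ERROR": 0, "WARNING": 1, "INFO": 2}

def cell(text):
    # Escape pipes and flatten newlines so a finding message cannot break the markdown table.
    return str(text).replace("|", "\\|").replace("\n", " ").strip()

def load_findings(raw):
    """Return (findings sorted ERROR > WARNING > INFO, number of files scanned)."""
    data = json.loads(raw)
    rows = []
    for r in data["results"]:
        extra, meta = r["extra"], r["extra"].get("metadata", {})
        rows.append({
            "severity": extra.get("severity", "INFO").upper(),
            "rule_id": r["check_id"],
            "location": f"{r['path']}:{r['start']['line']}",
            "finding": extra.get("message", ""),
            "snippet": extra.get("lines", ""),  # code context for the critical-findings section
            # Assumption: metadata may carry a "source" link; otherwise use the registry URL pattern.
            "remediation": meta.get("source") or f"https://semgrep.dev/r/{r['check_id']}",
        })
    rows.sort(key=lambda x: SEVERITY_ORDER.get(x["severity"], len(SEVERITY_ORDER)))
    return rows, len(data["paths"]["scanned"])

def summarize(rows):
    return dict(Counter(r["severity"] for r in rows))  # findings count by severity

def render_table(rows):
    lines = ["| # | Severity | Rule ID | File:Line | Finding | Remediation |",
             "|---|----------|---------|-----------|---------|-------------|"]
    for i, r in enumerate(rows, 1):
        lines.append(f"| {i} | {r['severity']} | {cell(r['rule_id'])} | {cell(r['location'])} "
                     f"| {cell(r['finding'])} | {cell(r['remediation'])} |")
    return "\n".join(lines)
```

Point `load_findings` at the contents of `semgrep-results.json` from the scan step to produce the report for a real run.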
Common Rulesets
| Ruleset | Config Flag | Use Case |
|---|---|---|
| Auto (recommended) | `--config=auto` | Best overall coverage |
| OWASP Top 10 | `--config=p/owasp-top-ten` | Compliance-focused |
| Secrets | `--config=p/secrets` | Detect hardcoded secrets |
| Default | `--config=p/default` | Curated high-signal rules |
| CI | `--config=p/ci` | Fast, low false-positive |