ReddRadar
Agent skill
semgrep-analyze
Analyze code with Semgrep for security vulnerabilities and code quality issues, then create a prioritized fix plan
Install this agent skill to your Project
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/data/semgrep-analyze
SKILL.md
Skill: Semgrep Analyze
Analyze code with Semgrep and plan fixes for identified issues.
Usage
/semgrep-analyze [path] [--rules <ruleset>]
Arguments:
path- Directory or file to analyze (default: current directory)--rules- Semgrep ruleset to use (default:auto)
Examples:
/semgrep-analyze
/semgrep-analyze src/
/semgrep-analyze --rules p/security-audit
/semgrep-analyze src/utils --rules p/javascript
Process
1. Check Semgrep Installation
First, verify semgrep is installed:
semgrep --version
If not installed, install via pip (recommended):
# Install semgrep via pip
pip install semgrep
# Or via pipx for isolated environment
pipx install semgrep
# Or via Homebrew on macOS
brew install semgrep
2. Run Semgrep Analysis
Run semgrep with appropriate rules:
# Auto-detect language and use recommended rules
semgrep scan --config auto .
# Use specific ruleset
semgrep scan --config p/javascript .
semgrep scan --config p/typescript .
semgrep scan --config p/security-audit .
semgrep scan --config p/owasp-top-ten .
# Output as JSON for parsing
semgrep scan --config auto --json -o semgrep-results.json .
# Scan specific directory
semgrep scan --config auto src/
3. Common Rulesets
| Ruleset | Description |
|---|---|
auto |
Auto-detect language, use recommended rules |
p/javascript |
JavaScript-specific rules |
p/typescript |
TypeScript-specific rules |
p/react |
React-specific rules |
p/nodejs |
Node.js security rules |
p/security-audit |
General security audit |
p/owasp-top-ten |
OWASP Top 10 vulnerabilities |
p/ci |
Rules suitable for CI/CD |
p/default |
Semgrep default ruleset |
4. Analyze Results
For each finding, document:
- Rule ID - The semgrep rule that triggered
- Severity - ERROR, WARNING, INFO
- Location - File and line number
- Message - Description of the issue
- Code snippet - The problematic code
5. Plan Fixes
For each issue, create a fix plan:
## Issue: [Rule ID]
**Severity:** [ERROR/WARNING/INFO]
**File:** [path:line]
**Problem:**
[Description of the issue]
**Current Code:**
```[language]
[code snippet]
Proposed Fix:
[fixed code]
Rationale: [Why this fix addresses the issue]
### 6. Prioritize Fixes
Order fixes by:
1. **Critical** - Security vulnerabilities, data exposure
2. **High** - Bugs that could cause runtime errors
3. **Medium** - Code quality issues, potential bugs
4. **Low** - Style issues, minor improvements
## Example Workflow
```bash
# 1. Check installation
semgrep --version
# 2. If not installed
pip install semgrep
# 3. Run scan
semgrep scan --config auto --json -o semgrep-results.json .
# 4. View summary
semgrep scan --config auto . 2>&1 | tail -20
# 5. Scan specific areas if needed
semgrep scan --config p/security-audit src/
Output Format
After analysis, provide:
- Summary - Total findings by severity
- Critical Issues - Detailed breakdown of critical/high issues
- Fix Plan - Prioritized list of fixes with code changes
- Verification - Commands to verify fixes
Semgrep Configuration
Create .semgrep.yml for custom rules or to ignore paths:
# .semgrep.yml
rules: []
# Or reference external rules
# rules:
# - p/javascript
# - p/security-audit
# Ignore paths
# paths:
# exclude:
# - node_modules
# - dist
# - "*.test.js"
Common Fixes by Category
Security
| Issue | Fix |
|---|---|
| Hardcoded secrets | Move to environment variables |
| SQL injection | Use parameterized queries |
| XSS vulnerability | Sanitize user input |
| Insecure randomness | Use crypto.randomUUID() |
Code Quality
| Issue | Fix |
|---|---|
| Unused variables | Remove or prefix with _ |
| Missing error handling | Add try/catch or error callbacks |
| Deprecated API usage | Update to modern API |
| Inefficient patterns | Refactor to optimal approach |
React/Svelte Specific
| Issue | Fix |
|---|---|
| Missing key prop | Add unique key to list items |
| Direct DOM manipulation | Use framework methods |
| Memory leaks | Clean up subscriptions/listeners |
| Unsafe innerHTML | Use safe rendering methods |
Integration with Quality Gates
After fixing issues:
# Verify fixes
semgrep scan --config auto .
# Run existing quality gates
pnpm test && pnpm build && pnpm lint
Troubleshooting
Semgrep not found
# Check if pip is available
pip --version
# If pip not found, install Python first
# macOS: brew install python
# Ubuntu: sudo apt install python3-pip
# Then install semgrep
pip install semgrep
Rate limiting
# Login to avoid rate limits
semgrep login
# Or use offline mode with local rules
semgrep scan --config ./local-rules.yml .
Memory issues on large codebases
# Scan specific directories
semgrep scan --config auto src/
# Exclude large directories
semgrep scan --config auto --exclude node_modules --exclude dist .
Done Criteria
- Semgrep installed and working
- Full scan completed
- All findings documented
- Fix plan created for each issue
- Critical/high issues addressed
- Verification scan shows no regressions
- Quality gates still pass
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
majiayu000/claude-skill-registry
agent-ops-spec
Manage specification documents in .agent/specs/. Use when user provides requirements, acceptance criteria, or feature descriptions that need to be tracked and validated against implementation.
majiayu000/claude-skill-registry
agent-ops-state
Maintain .agent state files. Use at session start, after meaningful steps, and before concluding: read/update constitution/memory/focus/issues/baseline consistently.
majiayu000/claude-skill-registry
agent-ops-spec
Manage specification documents in .agent/specs/. Use when user provides requirements, acceptance criteria, or feature descriptions that need to be tracked and validated against implementation.
majiayu000/claude-skill-registry
agent-ops-testing
Test strategy, execution, and coverage analysis. Use when designing tests, running test suites, or analyzing test results beyond baseline checks.
majiayu000/claude-skill-registry
agent-ops-testing
Test strategy, execution, and coverage analysis. Use when designing tests, running test suites, or analyzing test results beyond baseline checks.
majiayu000/claude-skill-registry
agent-ops-state
Maintain .agent state files. Use at session start, after meaningful steps, and before concluding: read/update constitution/memory/focus/issues/baseline consistently.
Didn't find tool you were looking for?