yellow-semgrep

Fix multiple 'to-fix' Semgrep findings with human approval between each fix. Use when user says 'fix all findings', 'batch fix', 'remediate everything', or wants to work through the to-fix queue.

Fix a single Semgrep finding: fetch details, analyze vulnerability, apply fix (autofix or LLM), verify via re-scan, and update triage state. Use when user says 'fix finding 12345', 'remediate this issue', or references a specific finding ID.

Run local Semgrep scan and compare results with platform findings. Use when user says 'scan for issues', 'check security', 'run semgrep', or wants to verify local code against the Semgrep platform.

Validate SEMGREP_APP_TOKEN, test MCP connection, detect deployment slug, and cache configuration. Use when first installing the plugin, after token rotation, or on auth errors.

Show findings dashboard grouped by triage state and severity. Use when user asks 'semgrep status', 'what needs fixing', 'how many findings', or wants to see the current state of security findings.

Security finding fix specialist. Applies deterministic autofix first, falls back to LLM-generated fix. Shows diff for approval before applying. Spawned by /semgrep:fix and /semgrep:fix-batch.

Post-fix verification specialist. Re-scans with the specific rule to confirm finding is resolved, then full-scans for regressions. Spawned by /semgrep:fix after a fix is applied.

Shared conventions for Semgrep integration — triage state mappings, API patterns, fix strategy decision tree, rate limits, and security rules. Use when commands or agents need Semgrep-specific validation, error handling, or API reference.