Writes custom Semgrep SAST rules in YAML to detect vulnerabilities like SQL injection, hardcoded secrets, taint flows across Python, JS, Go, Java. Integrates into CI/CD with JSON/SARIF output.
```bash
npx claudepluginhub killvxk/cybersecurity-skills-zh
```
Semgrep is an open-source static analysis tool that uses pattern matching to find bugs, enforce coding standards and detect security vulnerabilities. Custom rules are written in YAML using Semgrep's pattern syntax, so no compiler knowledge is required. It supports 30+ languages, including Python, JavaScript, Go, Java and C.
```bash
# Install with pip
pip install semgrep
# Install with Homebrew
brew install semgrep
# Run via Docker (mounts the current directory as /src)
docker run -v "${PWD}:/src" returntocorp/semgrep semgrep --config auto /src
# Verify the installation
semgrep --version
```
```bash
# Auto-detect languages and pick matching registry rules
semgrep --config auto .
# Use a Semgrep registry ruleset
semgrep --config r/python.lang.security
# Use a custom rule file
semgrep --config my-rules.yaml .
# Combine several configs
semgrep --config auto --config ./custom-rules/ .
# JSON output
semgrep --config auto --json . > results.json
# SARIF output (for GitHub code scanning)
semgrep --config auto --sarif . > results.sarif
# Filter by severity
semgrep --config auto --severity ERROR .
```
```yaml
# rules/sql-injection.yaml
rules:
  - id: sql-injection-string-format
    languages: [python]
    severity: ERROR
    message: |
      Potential SQL injection via string formatting.
      Use parameterized queries instead.
    # Match a query built with %-formatting, .format() or an f-string;
    # the original `f"..." % ...` form only matched an f-string that was
    # then %-formatted again.
    pattern-either:
      - pattern: cursor.execute("..." % ...)
      - pattern: cursor.execute("...".format(...))
      - pattern: cursor.execute(f"...")
    metadata:
      cwe: ["CWE-89"]
      owasp: ["A03:2021"]
      category: security
    # `fix` is applied verbatim by `semgrep --autofix`; this literal shows
    # the parameterized form as remediation guidance rather than a drop-in
    # replacement for every matched query.
    fix: |
      cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
```
```yaml
# Hardcoded secrets: a string literal assigned to a secret-looking name
rules:
  - id: hardcoded-secret-in-code
    languages: [python, javascript, typescript]
    severity: ERROR
    message: Hardcoded secret detected in source code
    patterns:
      - pattern-either:
          - pattern: $VAR = "..."
          - pattern: $VAR = '...'
      - metavariable-regex:
          metavariable: $VAR
          regex: (?i)(password|secret|api_key|token|aws_secret)
      # Empty strings and obvious placeholders are not secrets
      - pattern-not: $VAR = ""
      - pattern-not: $VAR = "changeme"
      - pattern-not: $VAR = "PLACEHOLDER"
    metadata:
      cwe: ["CWE-798"]
      category: security
```
```yaml
# Taint-mode rule: Flask request data reaching an HTML response
rules:
  - id: xss-taint-tracking
    languages: [python]
    severity: ERROR
    message: User input flows to HTML response without sanitization
    mode: taint
    pattern-sources:
      - pattern: request.args.get(...)
      - pattern: request.form.get(...)
      - pattern: request.form[...]
    pattern-sinks:
      - pattern: return render_template_string(...)
      - pattern: Markup(...)
    # A tainted value that passes through a sanitizer is no longer reported
    pattern-sanitizers:
      - pattern: bleach.clean(...)
      - pattern: escape(...)
    metadata:
      cwe: ["CWE-79"]
      owasp: ["A03:2021"]
```
```yaml
# Insecure randomness, one rule per language: Semgrep parses every pattern
# in every language a rule lists, so one rule mixing Java-only and Go-only
# patterns fails to load.
rules:
  - id: insecure-random-python
    languages: [python]
    severity: WARNING
    message: Insecure random number generator; use the secrets module for security-sensitive operations.
    pattern-either:
      - pattern: random.random()
      - pattern: random.randint(...)
    metadata:
      cwe: ["CWE-330"]
  - id: insecure-random-javascript
    languages: [javascript]
    severity: WARNING
    message: Insecure random number generator; use crypto.getRandomValues() for security-sensitive operations.
    pattern: Math.random()
    metadata:
      cwe: ["CWE-330"]
  - id: insecure-random-go
    languages: [go]
    severity: WARNING
    message: Insecure random number generator; use crypto/rand for security-sensitive operations.
    # Assumes the default import name of math/rand
    pattern: rand.Intn(...)
    metadata:
      cwe: ["CWE-330"]
  - id: insecure-random-java
    languages: [java]
    severity: WARNING
    message: Insecure random number generator; use java.security.SecureRandom for security-sensitive operations.
    pattern: new java.util.Random()
    metadata:
      cwe: ["CWE-330"]
```
```yaml
# Coding-standard rules: unchecked Go errors and stray console.log calls
rules:
  - id: require-error-handling
    languages: [go]
    severity: WARNING
    message: Error return value not checked
    pattern: |
      $VAR, _ := $FUNC(...)
    fix: |
      $VAR, err := $FUNC(...)
      if err != nil {
        return fmt.Errorf("$FUNC failed: %w", err)
      }
  - id: no-console-log-in-production
    languages: [javascript, typescript]
    severity: WARNING
    message: Remove console.log before merging to production
    pattern: console.log(...)
    paths:
      exclude:
        - "tests/*"
        - "*.test.*"
```
```yaml
# JWT verification bypasses. Both patterns use block scalars: a plain
# YAML value cannot contain the `: ` inside the options dictionary.
rules:
  - id: jwt-none-algorithm
    languages: [python]
    severity: ERROR
    message: JWT decoded without algorithm verification - allows token forgery
    patterns:
      - pattern: |
          jwt.decode($TOKEN, ..., algorithms=["none"], ...)
    metadata:
      cwe: ["CWE-347"]
  - id: jwt-no-verification
    languages: [python]
    severity: ERROR
    message: JWT decoded with verification disabled
    patterns:
      - pattern: |
          jwt.decode($TOKEN, ..., options={"verify_signature": False}, ...)
    metadata:
      cwe: ["CWE-345"]
```
```yaml
# rules/test-sql-injection.yaml
rules:
  - id: sql-injection-format-string
    languages: [python]
    severity: ERROR
    message: SQL injection via format string
    pattern: |
      cursor.execute(f"...{$VAR}...")
```

Annotations in the test file:

```python
# test-sql-injection.py, placed next to the rule file with the same base name.
# `# ruleid:` marks the next line as an expected finding, `# ok:` as a line
# that must not be reported.
def bad_query(user_id):
    # ruleid: sql-injection-format-string
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

def good_query(user_id):
    # ok: sql-injection-format-string
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
```

```bash
# Run the rule tests
semgrep --test rules/
# Test a specific rule
semgrep --config rules/sql-injection.yaml --test
```
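How the `# ruleid:` / `# ok:` annotations are checked, as an added example that is not Semgrep's own `--test` implementation: it applies the convention (an annotation refers to the next line of code) to a constructed copy of the test file above and a constructed findings list shaped like the `results` entries of `semgrep --json`.

```python
import re
from collections import defaultdict

# An annotation comment names the rule it applies to and refers to the next line.
ANNOTATION = re.compile(r"#\s*(ruleid|ok):\s*([\w.-]+)")

# Constructed test file mirroring test-sql-injection.py above.
TEST_SOURCE = """\
def bad_query(user_id):
    # ruleid: sql-injection-format-string
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

def good_query(user_id):
    # ok: sql-injection-format-string
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
"""

# Constructed findings in the shape of `semgrep --json` results; Semgrep
# prefixes check_id with the rule file's path, so only the suffix is compared.
FINDINGS = [{"check_id": "rules.test-sql-injection.sql-injection-format-string",
             "start": {"line": 3}}]


def expected_lines(source):
    """Return (rule -> lines that must fire, rule -> lines that must stay clean)."""
    expect, clean = defaultdict(set), defaultdict(set)
    for lineno, text in enumerate(source.splitlines(), start=1):
        m = ANNOTATION.search(text)
        if m:
            kind, rule_id = m.groups()
            (expect if kind == "ruleid" else clean)[rule_id].add(lineno + 1)
    return expect, clean


def check(source, findings):
    """Return (missed, unexpected): per rule, expected lines with no finding and
    'ok' lines that fired anyway. Both empty for every rule means the test passes."""
    expect, clean = expected_lines(source)
    missed, unexpected = {}, {}
    for rule_id in set(expect) | set(clean):
        reported = {f["start"]["line"] for f in findings
                    if f["check_id"] == rule_id or f["check_id"].endswith("." + rule_id)}
        missed[rule_id] = sorted(expect[rule_id] - reported)
        unexpected[rule_id] = sorted(reported & clean[rule_id])
    return missed, unexpected


if __name__ == "__main__":
    print(check(TEST_SOURCE, FINDINGS))
```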
```yaml
# .github/workflows/semgrep.yml
name: Semgrep SAST
on: [pull_request]
# Uploading SARIF to code scanning requires this permission
permissions:
  contents: read
  security-events: write
jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: returntocorp/semgrep
    steps:
      - uses: actions/checkout@v4
      - name: Run Semgrep
        run: |
          semgrep --config auto \
            --config ./custom-rules/ \
            --sarif --output results.sarif \
            --severity ERROR \
            .
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```
```yaml
# .gitlab-ci.yml
semgrep:
  stage: test
  image: returntocorp/semgrep
  script:
    # GitLab's `reports: sast` expects its own report schema, which
    # `--gitlab-sast` produces; plain `--json` output is not accepted there.
    - semgrep --config auto --config ./custom-rules/ --gitlab-sast --output gl-sast-report.json .
  artifacts:
    reports:
      sast: gl-sast-report.json
```
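A merge gate over the `--json` output from the scan commands above, as an added example that is not part of the page or of Semgrep: `semgrep --error` already exits non-zero on any finding, whereas this script fails only on the chosen severities and prints a summary with each rule's CWE metadata. The findings are a constructed sample.

```python
import json
import sys
from collections import Counter

# Constructed sample in the shape of `semgrep --json` output (only the
# fields this script reads are included).
SAMPLE_JSON = json.dumps({"results": [
    {"check_id": "rules.sql-injection.sql-injection-string-format",
     "path": "app/db.py", "start": {"line": 42},
     "extra": {"severity": "ERROR", "message": "Potential SQL injection",
               "metadata": {"cwe": ["CWE-89"]}}},
    {"check_id": "rules.standards.no-console-log-in-production",
     "path": "web/app.js", "start": {"line": 7},
     "extra": {"severity": "WARNING", "message": "Remove console.log",
               "metadata": {}}},
]})

FAIL_ON = {"ERROR"}  # severities that block the merge; WARNING is reported only


def summarize(report):
    """Return (findings per severity, blocking findings as 'path:line id [cwe]')."""
    by_severity = Counter()
    blocking = []
    for r in report.get("results", []):
        extra = r["extra"]
        by_severity[extra["severity"]] += 1
        if extra["severity"] in FAIL_ON:
            cwe = ",".join(extra.get("metadata", {}).get("cwe", [])) or "n/a"
            blocking.append(f'{r["path"]}:{r["start"]["line"]} {r["check_id"]} [{cwe}]')
    return by_severity, blocking


def exit_code(report):
    """1 when any blocking finding exists, else 0; suitable for sys.exit in CI."""
    return 1 if summarize(report)[1] else 0


if __name__ == "__main__":
    # Usage: python semgrep_gate.py results.json (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = json.loads(SAMPLE_JSON)
    counts, blocking = summarize(report)
    print("findings by severity:", dict(counts))
    for item in blocking:
        print("BLOCKING", item)
    sys.exit(exit_code(report))
```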
```yaml
# .semgrep.yaml (picked up automatically from the repository root)
rules:
  - id: my-org-rules
    # ... rules here
```

```text
# .semgrepignore
tests/
node_modules/
vendor/
*.min.js
```
Test rules with `# ruleid:` and `# ok:` annotations; the `fix` key supplies a remediation suggestion.