Creates custom Semgrep rules for detecting security vulnerabilities and bug patterns, with mandatory testing and validation.
How this skill is triggered — by the user, by Claude, or both
Slash command
/agentic-awesome-skills:semgrep-rule-creatorThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Create production-quality Semgrep rules with proper testing and validation.
Create production-quality Semgrep rules with proper testing and validation.
Ideal scenarios:
Do NOT use this skill for:
static-analysis skill)When writing Semgrep rules, reject these common shortcuts:
semgrep --test --config <rule-id>.yaml <rule-id>.<ext> to verify. Untested rules have hidden false positives/negatives.Too broad - matches everything, useless for detection:
# BAD: Matches any function call
pattern: $FUNC(...)
# GOOD: Specific dangerous function
pattern: eval(...) # security-allowlist: Semgrep sink pattern
Missing safe cases in tests - leads to undetected false positives:
# BAD: Only tests vulnerable case
# ruleid: my-rule
dangerous(user_input)
# GOOD: Include safe cases to verify no false positives
# ruleid: my-rule
dangerous(user_input)
# ok: my-rule
dangerous(sanitize(user_input))
# ok: my-rule
dangerous("hardcoded_safe_value")
Overly specific patterns - misses variations:
# BAD: Only matches exact format
pattern: os.system("rm " + $VAR)
# GOOD: Matches all os.system calls with taint tracking
mode: taint
pattern-sinks:
- pattern: os.system(...)
This workflow is strict - do not skip steps:
languages: generic)todook and todoruleid test annotations: todoruleid: <rule-id> and todook: <rule-id> annotations in tests files for future rule improvements are forbiddenThis skill guides creation of Semgrep rules that detect security vulnerabilities and code patterns. Rules are created iteratively: analyze the problem, write tests first, analyze AST structure, write the rule, iterate until all tests pass, optimize the rule.
Approach selection:
Why prioritize taint mode? Pattern matching finds syntax but misses context. A pattern eval($X) matches both eval(user_input) (vulnerable) and eval("safe_literal") (safe). Taint mode tracks data flow, so it only alerts when untrusted data actually reaches the sink—dramatically reducing false positives for injection vulnerabilities.
Iterating between approaches: It's okay to experiment. If you start with taint mode and it's not working well (e.g., taint doesn't propagate as expected, too many false positives/negatives), switch to pattern matching. Conversely, if pattern matching produces too many false positives on safe cases, try taint mode instead. The goal is a working rule—not rigid adherence to one approach.
Output structure - exactly 2 files in a directory named after the rule-id:
<rule-id>/
├── <rule-id>.yaml # Semgrep rule
└── <rule-id>.<ext> # Test file with ruleid/ok annotations
rules:
- id: insecure-eval
languages: [python]
severity: HIGH
message: User input passed to eval() allows code execution # security-allowlist: Semgrep finding message
mode: taint
pattern-sources:
- pattern: request.args.get(...)
pattern-sinks:
- pattern: eval(...) # security-allowlist: Semgrep sink pattern
Test file (insecure-eval.py):
# ruleid: insecure-eval
eval(request.args.get('code')) # security-allowlist: intentionally vulnerable Semgrep fixture
# ok: insecure-eval
eval("print('safe')") # security-allowlist: safe-literal Semgrep fixture
Run tests (from rule directory): semgrep --test --config <rule-id>.yaml <rule-id>.<ext>
Copy this checklist and track progress:
Semgrep Rule Progress:
- [ ] Step 1: Analyze the Problem
- [ ] Step 2: Write Tests First
- [ ] Step 3: Analyze AST structure
- [ ] Step 4: Write the rule
- [ ] Step 5: Iterate until all tests pass (semgrep --test)
- [ ] Step 6: Optimize the rule (remove redundancies, re-test)
- [ ] Step 7: Final Run
REQUIRED: Before writing any rule, use WebFetch to read all of these 4 links with Semgrep documentation:
npx claudepluginhub sickn33/agentic-awesome-skills --plugin agentic-awesome-skills25plugins reuse this skill
First indexed Jul 10, 2026
Showing the 6 earliest of 25 plugins
Creates custom Semgrep rules for detecting security vulnerabilities and bug patterns, with mandatory testing and validation.
Creates custom Semgrep rules for detecting security vulnerabilities, bug patterns, and code patterns. Includes taint mode and test-first workflow.
Creates custom Semgrep rules for security vulnerabilities and bug patterns with mandatory test-first validation.