| name | semgrep-analyze |
| description | Run Semgrep static analysis on target files and return structured findings. Use this when the user wants static analysis, SAST scanning, or security scanning — phrases like "run semgrep", "scan for vulnerabilities", "static analysis on this code", or as a pre-review gate when security findings are needed before AI agents run. |
| argument-hint | [path] [--rules <ruleset>] |
| user-invocable | true |
| allowed-tools | Read, Grep, Glob, Bash(semgrep *) |
Semgrep Analyze
Role: worker. This skill runs Semgrep and reports findings — it does
not fix code.
You have been invoked with the /semgrep-analyze skill. Run a Semgrep
scan and return structured findings.
Constraints
- Do not modify code. Report findings only.
- Return structured JSON. Output must match the output format below.
- Be concise. No preambles, narration, or filler text.
Parse Arguments
Arguments: $ARGUMENTS
path: Directory or file to scan (default: current working
directory)
--rules <ruleset>: Semgrep ruleset (default: auto)
Examples:
/semgrep-analyze
/semgrep-analyze src/
/semgrep-analyze --rules p/security-audit
/semgrep-analyze src/utils --rules p/javascript
Steps
1. Check Semgrep installation
semgrep --version
If not installed, output:
{"status": "skip", "issues": [], "summary": "semgrep not installed — install via pip install semgrep, pipx install semgrep, or brew install semgrep"}
Stop.
2. Run Semgrep scan
semgrep scan --config <ruleset> --quiet --json <path>
Default ruleset is auto. Default path is ..
3. Parse results
Map each Semgrep finding to an issue:
| Semgrep field | Output field |
|---|
check_id | ruleId |
extra.severity | severity |
path | file |
start.line | line |
extra.message | message |
extra.metadata.cwe | cwe (if present) |
Severity mapping:
| Semgrep severity | Output severity |
|---|
| ERROR | error |
| WARNING | warning |
| INFO | suggestion |
4. Output JSON
{
"status": "pass|warn|fail",
"issues": [
{
"severity": "error|warning|suggestion",
"file": "<path>",
"line": 0,
"ruleId": "<check_id>",
"message": "<description>",
"cwe": "<CWE-ID>",
"suggestedFix": "<fix>"
}
],
"summary": "<N findings: N errors, N warnings, N suggestions>"
}
Status: fail if any errors, warn if warnings but no errors,
pass if clean.
Common Rulesets
| Ruleset | Description |
|---|
auto | Auto-detect language, use recommended rules |
p/javascript | JavaScript-specific rules |
p/typescript | TypeScript-specific rules |
p/react | React-specific rules |
p/nodejs | Node.js security rules |
p/security-audit | General security audit |
p/owasp-top-ten | OWASP Top 10 vulnerabilities |
p/ci | Rules suitable for CI/CD |
p/default | Semgrep default ruleset |
Common Fixes
Security
| Issue | Fix |
|---|
| Hardcoded secrets | Move to environment variables |
| SQL injection | Use parameterized queries |
| XSS vulnerability | Sanitize user input |
| Insecure randomness | Use crypto.randomUUID() |
Code Quality
| Issue | Fix |
|---|
| Unused variables | Remove or prefix with _ |
| Missing error handling | Add try/catch or error callbacks |
| Deprecated API usage | Update to modern API |
Troubleshooting
Rate limiting
semgrep login
semgrep scan --config ./local-rules.yml .
Memory issues on large codebases
semgrep scan --config auto --exclude node_modules --exclude dist .