| name | semgrep-analyze |
| description | Analyze code with Semgrep for security vulnerabilities and code quality issues, then create a prioritized fix plan |
| user-invocable | true |
| allowed-tools | Bash, Read, Write, Grep, Glob |
Skill: Semgrep Analyze
Analyze code with Semgrep and plan fixes for identified issues.
Usage
/semgrep-analyze [path] [--rules <ruleset>]
Arguments:
path - Directory or file to analyze (default: current directory)
--rules - Semgrep ruleset to use (default: auto)
Examples:
/semgrep-analyze
/semgrep-analyze src/
/semgrep-analyze --rules p/security-audit
/semgrep-analyze src/utils --rules p/javascript
Process
1. Check Semgrep Installation
First, verify semgrep is installed:
semgrep --version
If not installed, install via pip (recommended):
pip install semgrep
pipx install semgrep
brew install semgrep
2. Run Semgrep Analysis
Run semgrep with appropriate rules:
semgrep scan --config auto .
semgrep scan --config p/javascript .
semgrep scan --config p/typescript .
semgrep scan --config p/security-audit .
semgrep scan --config p/owasp-top-ten .
semgrep scan --config auto --json -o semgrep-results.json .
semgrep scan --config auto src/
3. Common Rulesets
| Ruleset | Description |
|---|
auto | Auto-detect language, use recommended rules |
p/javascript | JavaScript-specific rules |
p/typescript | TypeScript-specific rules |
p/react | React-specific rules |
p/nodejs | Node.js security rules |
p/security-audit | General security audit |
p/owasp-top-ten | OWASP Top 10 vulnerabilities |
p/ci | Rules suitable for CI/CD |
p/default | Semgrep default ruleset |
4. Analyze Results
For each finding, document:
- Rule ID - The semgrep rule that triggered
- Severity - ERROR, WARNING, INFO
- Location - File and line number
- Message - Description of the issue
- Code snippet - The problematic code
5. Plan Fixes
For each issue, create a fix plan:
## Issue: [Rule ID]
**Severity:** [ERROR/WARNING/INFO]
**File:** [path:line]
**Problem:**
[Description of the issue]
**Current Code:**
```[language]
[code snippet]
Proposed Fix:
[fixed code]
Rationale:
[Why this fix addresses the issue]
### 6. Prioritize Fixes
Order fixes by:
1. **Critical** - Security vulnerabilities, data exposure
2. **High** - Bugs that could cause runtime errors
3. **Medium** - Code quality issues, potential bugs
4. **Low** - Style issues, minor improvements
## Example Workflow
```bash
# 1. Check installation
semgrep --version
# 2. If not installed
pip install semgrep
# 3. Run scan
semgrep scan --config auto --json -o semgrep-results.json .
# 4. View summary
semgrep scan --config auto . 2>&1 | tail -20
# 5. Scan specific areas if needed
semgrep scan --config p/security-audit src/
Output Format
After analysis, provide:
- Summary - Total findings by severity
- Critical Issues - Detailed breakdown of critical/high issues
- Fix Plan - Prioritized list of fixes with code changes
- Verification - Commands to verify fixes
Semgrep Configuration
Create .semgrep.yml for custom rules or to ignore paths:
rules: []
Common Fixes by Category
Security
| Issue | Fix |
|---|
| Hardcoded secrets | Move to environment variables |
| SQL injection | Use parameterized queries |
| XSS vulnerability | Sanitize user input |
| Insecure randomness | Use crypto.randomUUID() |
Code Quality
| Issue | Fix |
|---|
| Unused variables | Remove or prefix with _ |
| Missing error handling | Add try/catch or error callbacks |
| Deprecated API usage | Update to modern API |
| Inefficient patterns | Refactor to optimal approach |
React/Svelte Specific
| Issue | Fix |
|---|
| Missing key prop | Add unique key to list items |
| Direct DOM manipulation | Use framework methods |
| Memory leaks | Clean up subscriptions/listeners |
| Unsafe innerHTML | Use safe rendering methods |
Integration with Quality Gates
After fixing issues:
semgrep scan --config auto .
npm test && npm run build && npm run lint
Troubleshooting
Semgrep not found
pip --version
pip install semgrep
Rate limiting
semgrep login
semgrep scan --config ./local-rules.yml .
Memory issues on large codebases
semgrep scan --config auto src/
semgrep scan --config auto --exclude node_modules --exclude dist .
Done Criteria