Ejecuta cualquier Skill en Manus
con un clic

Ejecuta cualquier Skill en Manus con un clic

semgrep-review

Estrellas1

Forks0

Actualizado5 de febrero de 2026, 23:21

Analyze semgrep scan findings, triage real vulnerabilities vs false positives, fix real issues using framework-native escaping, and suppress false positives with properly formatted nosemgrep comments.

Instalación

Instalar con Codex o Claude Copia este prompt, pégalo en Codex, Claude u otro asistente, y deja que revise la página de la skill y la instale por ti.

Ejecutar en Manus

Fuente

jaeyeom

jaeyeom/claude-toolbox

Abrir repositorio de GitHub Ver repositorios del creador

Descarga

Ejecutar en Manus

Ocupaciones relacionadasSOC

Basado en la clasificación ocupacional SOC

Analistas de seguridad de la informaciónOcupaciones informáticas y matemáticas·SOC 15-1212

SKILL.md

readonly

Más de este repositorio

mismo repositorio

jira-close-merged

jaeyeom/claude-toolbox

Marks Jira tickets as Done when their commits have been merged into the current branch. Use whenever the user wants to sync Jira with merged commits — e.g. "mark done", "close tickets from commits", "sync Jira with merged PRs", "any Jira tickets to close?", or after a batch of PRs lands. Works with any Jira project key.

2026-06-161

gabyx-githooks-setup

jaeyeom/claude-toolbox

Set up shared Git hooks using gabyx/Githooks (not standard git hooks). Use when a user asks to set up githooks, apply shared hooks, or configure hook repositories in a project.

2026-05-051

ci-workflow

jaeyeom/claude-toolbox

Generate GitHub Actions CI workflows that call Makefile targets for consistent local and CI behavior. Use when a user asks about CI setup, GitHub Actions, continuous integration, or CI/CD pipelines.

2026-04-241

protobuf-dev

jaeyeom/claude-toolbox

Expert knowledge for Protocol Buffer development. Includes style guidelines, backward compatibility, design patterns, and build system detection (buf, Bazel). Use when creating, modifying, or reviewing .proto files or proto build rules.

2026-04-101

edit-description

jaeyeom/claude-toolbox

Edit JIRA issue descriptions using the jira CLI tool. Use when the user asks to update, modify, or edit a JIRA issue description, or when creating detailed documentation for JIRA tickets.

2026-04-091

new-bug

jaeyeom/claude-toolbox

Create a new Jira bug report with proper wiki markup formatting

2026-04-091

name	semgrep-review
description	Analyze semgrep scan findings, triage real vulnerabilities vs false positives, fix real issues using framework-native escaping, and suppress false positives with properly formatted nosemgrep comments.

Semgrep Review Skill

You are an expert at analyzing semgrep static analysis findings. Your job is to triage findings into real issues vs false positives, fix real issues, and suppress false positives with well-documented nosemgrep comments.

Workflow

Step 1: Run Semgrep

If the user hasn't provided semgrep output, run the scan.

First, check if the project has local semgrep rules (a .semgrep/ directory or .semgrep.yaml file in the project root). If local rules exist, include them alongside the auto config:

# With local rules (.semgrep/ directory or .semgrep.yaml exists)
semgrep scan --config auto --config .semgrep <target-directory>

# Without local rules
semgrep scan --config auto <target-directory>

Using --config auto --config .semgrep ensures local custom rules are applied on top of the semgrep registry defaults. Omitting the local config when it exists can cause semgrep to fail.

Step 2: Triage Each Finding

For every finding, determine whether it is a real issue or a false positive by reading the flagged code and tracing the data source.

Questions to ask for each finding:

Where does the flagged value originate? (user input, database, config, test fixture)
Is the value sanitized or escaped before use? (framework auto-escaping, manual escaping)
What is the threat model? (public-facing, admin-only, test-only)

Common false positive categories:

Category	Example	Why It's Safe
Test fixtures	Private keys, hashes in test files	Intentionally committed, no real system access
Framework-escaped values	Variables inside Hono `html` template literals, React JSX	Framework auto-escapes interpolated values
Admin-only internal tools	Values from admin DB displayed in admin panel	Not user-controlled, but still fix for defense-in-depth

Step 3: Fix Real Issues

Prefer framework-native escaping over custom helpers. Do not write a custom escapeHtml() function if the framework provides auto-escaping.

Common fix patterns by framework:

Hono (html tagged template literals)

Replace manual string interpolation with html template literals:

// BAD: Manual string building, no escaping
const items = data.map((d) => `<span>${d.name}</span>`).join('');
return raw(items);

// GOOD: Hono html template auto-escapes interpolated values
const items = data.map((d) => html`<span>${d.name}</span>`);
return items; // No raw() needed; html`` returns HtmlEscapedString

When refactoring from raw() + string templates to html templates:

Replace backtick strings with html tagged template literals
Remove .join('') calls (arrays of HtmlEscapedString render correctly)
Remove raw() wrappers (no longer needed when content is already HtmlEscapedString)
Watch for extra ) characters left behind when removing raw( wrapper

React / JSX

JSX auto-escapes by default. Flag only dangerouslySetInnerHTML usage:

// BAD
<div dangerouslySetInnerHTML={{ __html: userInput }} />

// GOOD
<div>{userInput}</div>

Plain HTML / Server-side rendering

Use the framework's escape utility or a well-known library. As a last resort, write a standard escape function:

function escapeHtml(str: string): string {
  return str
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

Step 4: Suppress False Positives with nosemgrep

Syntax Rules

The nosemgrep comment must be:

On the same line as the finding, OR
Alone on the line immediately above the finding

Use the short rule ID (e.g., detected-private-key), not the full dotted path (e.g., generic.secrets.security.detected-private-key.detected-private-key).

// WRONG: Full dotted path (semgrep ignores this)
// nosemgrep: generic.secrets.security.detected-private-key
const key = `-----BEGIN PRIVATE KEY-----...`;

// WRONG: nosemgrep is not immediately above the finding
// nosemgrep: detected-private-key
// This key is used for testing only.
const key = `-----BEGIN PRIVATE KEY-----...`;

// CORRECT: Short rule ID, immediately above the finding
// This key is used for testing only.
// nosemgrep: detected-private-key
const key = `-----BEGIN PRIVATE KEY-----...`;

Documenting the Rationale

Always add a comment explaining why the suppression is safe:

// Test-only ES256 private key for unit tests.
// This key is intentionally committed for testing JWT generation.
// It has no access to any real systems and is safe to expose.
// nosemgrep: detected-private-key
const TEST_KEY = `-----BEGIN PRIVATE KEY-----...`;

For bcrypt hashes in tests:

// Example bcrypt hashes for testing hash format detection.
// Not real credentials - test fixtures to verify needsRehash()
// correctly identifies legacy formats for migration.
// nosemgrep: detected-bcrypt-hash
expect(needsRehash('$2a$10$...')).toBe(true);

Suppressing Inside Template Literals

JavaScript // and /* */ comments don't work inside template literal text. Use these techniques instead:

Inside ${} expressions (these are JS expression context):

// Use /* */ block comment inside ${}
html`<div>
  ${/* nosemgrep: unknown-value-with-script-tag */ renderItems(data)}
</div>`;

// Use // line comment when the expression continues on the next line
html`<input value=${
  getValue() // nosemgrep: unknown-value-with-script-tag
} />`;

For object properties inside ${}:

// // comment works because it's inside a JS expression (object literal)
html`${textarea({
  name: 'field',
  value: data.join('\n'), // nosemgrep: unknown-value-with-script-tag
  rows: 2,
})}`;

When no JS expression context is available, extract the value to a variable above the template:

// nosemgrep: unknown-value-with-script-tag
const safeValue = computeValue();
html`<div>${safeValue}</div>`;

Note: The nosemgrep comment must be on the specific line semgrep flags, not just anywhere nearby. Run semgrep after adding comments to verify suppression works.

Step 5: Verify

After all fixes and suppressions:

Re-run semgrep (with --config auto --config .semgrep if local rules exist) to confirm 0 findings
Run type checking / build to confirm no regressions
Run tests if the changes affect runtime behavior

Output Format

Present findings as a summary table:

#	File	Rule	Verdict	Action
1	`path/to/file.ts:42`	`rule-id`	Real issue	Fix: use `html` template
2	`path/to/test.ts:10`	`detected-private-key`	False positive	Suppress: test fixture

Then proceed with fixes and suppressions.