name	semgrep-analyze
description	Analyze code with Semgrep for security vulnerabilities and code quality issues, then create a prioritized fix plan
user-invocable	true
allowed-tools	Bash, Read, Write, Grep, Glob

Skill: Semgrep Analyze

Analyze code with Semgrep and plan fixes for identified issues.

Usage

/semgrep-analyze [path] [--rules <ruleset>]

Arguments:

path - Directory or file to analyze (default: current directory)
--rules - Semgrep ruleset to use (default: auto)

Examples:

/semgrep-analyze
/semgrep-analyze src/
/semgrep-analyze --rules p/security-audit
/semgrep-analyze src/utils --rules p/javascript

Process

1. Check Semgrep Installation

First, verify semgrep is installed:

semgrep --version

If not installed, install via pip (recommended):

# Install semgrep via pip
pip install semgrep

# Or via pipx for isolated environment
pipx install semgrep

# Or via Homebrew on macOS
brew install semgrep

2. Run Semgrep Analysis

Run semgrep with appropriate rules:

# Auto-detect language and use recommended rules
semgrep scan --config auto .

# Use specific ruleset
semgrep scan --config p/javascript .
semgrep scan --config p/typescript .
semgrep scan --config p/security-audit .
semgrep scan --config p/owasp-top-ten .

# Output as JSON for parsing
semgrep scan --config auto --json -o semgrep-results.json .

# Scan specific directory
semgrep scan --config auto src/

3. Common Rulesets

Ruleset	Description
`auto`	Auto-detect language, use recommended rules
`p/javascript`	JavaScript-specific rules
`p/typescript`	TypeScript-specific rules
`p/react`	React-specific rules
`p/nodejs`	Node.js security rules
`p/security-audit`	General security audit
`p/owasp-top-ten`	OWASP Top 10 vulnerabilities
`p/ci`	Rules suitable for CI/CD
`p/default`	Semgrep default ruleset

4. Analyze Results

For each finding, document:

Rule ID - The semgrep rule that triggered
Severity - ERROR, WARNING, INFO
Location - File and line number
Message - Description of the issue
Code snippet - The problematic code

5. Plan Fixes

For each issue, create a fix plan:

## Issue: [Rule ID]

**Severity:** [ERROR/WARNING/INFO]
**File:** [path:line]

**Problem:**
[Description of the issue]

**Current Code:**
```[language]
[code snippet]

Proposed Fix:

[fixed code]

Rationale: [Why this fix addresses the issue]


### 6. Prioritize Fixes

Order fixes by:

1. **Critical** - Security vulnerabilities, data exposure
2. **High** - Bugs that could cause runtime errors
3. **Medium** - Code quality issues, potential bugs
4. **Low** - Style issues, minor improvements

## Example Workflow

```bash
# 1. Check installation
semgrep --version

# 2. If not installed
pip install semgrep

# 3. Run scan
semgrep scan --config auto --json -o semgrep-results.json .

# 4. View summary
semgrep scan --config auto . 2>&1 | tail -20

# 5. Scan specific areas if needed
semgrep scan --config p/security-audit src/

Output Format

After analysis, provide:

Summary - Total findings by severity
Critical Issues - Detailed breakdown of critical/high issues
Fix Plan - Prioritized list of fixes with code changes
Verification - Commands to verify fixes

Semgrep Configuration

Create .semgrep.yml for custom rules or to ignore paths:

# .semgrep.yml
rules: []

# Or reference external rules
# rules:
#   - p/javascript
#   - p/security-audit

# Ignore paths
# paths:
#   exclude:
#     - node_modules
#     - dist
#     - "*.test.js"

Common Fixes by Category

Security

Issue	Fix
Hardcoded secrets	Move to environment variables
SQL injection	Use parameterized queries
XSS vulnerability	Sanitize user input
Insecure randomness	Use crypto.randomUUID()

Code Quality

Issue	Fix
Unused variables	Remove or prefix with `_`
Missing error handling	Add try/catch or error callbacks
Deprecated API usage	Update to modern API
Inefficient patterns	Refactor to optimal approach

React/Svelte Specific

Issue	Fix
Missing key prop	Add unique key to list items
Direct DOM manipulation	Use framework methods
Memory leaks	Clean up subscriptions/listeners
Unsafe innerHTML	Use safe rendering methods

Integration with Quality Gates

After fixing issues:

# Verify fixes
semgrep scan --config auto .

# Run existing quality gates
npm test && npm run build && npm run lint

Troubleshooting

Semgrep not found

# Check if pip is available
pip --version

# If pip not found, install Python first
# macOS: brew install python
# Ubuntu: sudo apt install python3-pip

# Then install semgrep
pip install semgrep

Rate limiting

# Login to avoid rate limits
semgrep login

# Or use offline mode with local rules
semgrep scan --config ./local-rules.yml .

Memory issues on large codebases

# Scan specific directories
semgrep scan --config auto src/

# Exclude large directories
semgrep scan --config auto --exclude node_modules --exclude dist .

Done Criteria

name	semgrep-analyze
description	Analyze code with Semgrep for security vulnerabilities and code quality issues, then create a prioritized fix plan
user-invocable	true
allowed-tools	Bash, Read, Write, Grep, Glob

Skill: Semgrep Analyze

Analyze code with Semgrep and plan fixes for identified issues.

Usage

/semgrep-analyze [path] [--rules <ruleset>]

Arguments:

path - Directory or file to analyze (default: current directory)
--rules - Semgrep ruleset to use (default: auto)

Examples:

/semgrep-analyze
/semgrep-analyze src/
/semgrep-analyze --rules p/security-audit
/semgrep-analyze src/utils --rules p/javascript

Process

1. Check Semgrep Installation

First, verify semgrep is installed:

semgrep --version

If not installed, install via pip (recommended):

# Install semgrep via pip
pip install semgrep

# Or via pipx for isolated environment
pipx install semgrep

# Or via Homebrew on macOS
brew install semgrep

2. Run Semgrep Analysis

Run semgrep with appropriate rules:

# Auto-detect language and use recommended rules
semgrep scan --config auto .

# Use specific ruleset
semgrep scan --config p/javascript .
semgrep scan --config p/typescript .
semgrep scan --config p/security-audit .
semgrep scan --config p/owasp-top-ten .

# Output as JSON for parsing
semgrep scan --config auto --json -o semgrep-results.json .

# Scan specific directory
semgrep scan --config auto src/

3. Common Rulesets

Ruleset	Description
`auto`	Auto-detect language, use recommended rules
`p/javascript`	JavaScript-specific rules
`p/typescript`	TypeScript-specific rules
`p/react`	React-specific rules
`p/nodejs`	Node.js security rules
`p/security-audit`	General security audit
`p/owasp-top-ten`	OWASP Top 10 vulnerabilities
`p/ci`	Rules suitable for CI/CD
`p/default`	Semgrep default ruleset

4. Analyze Results

For each finding, document:

Rule ID - The semgrep rule that triggered
Severity - ERROR, WARNING, INFO
Location - File and line number
Message - Description of the issue
Code snippet - The problematic code

5. Plan Fixes

For each issue, create a fix plan:

## Issue: [Rule ID]

**Severity:** [ERROR/WARNING/INFO]
**File:** [path:line]

**Problem:**
[Description of the issue]

**Current Code:**
```[language]
[code snippet]

Proposed Fix:

[fixed code]

Rationale: [Why this fix addresses the issue]


### 6. Prioritize Fixes

Order fixes by:

1. **Critical** - Security vulnerabilities, data exposure
2. **High** - Bugs that could cause runtime errors
3. **Medium** - Code quality issues, potential bugs
4. **Low** - Style issues, minor improvements

## Example Workflow

```bash
# 1. Check installation
semgrep --version

# 2. If not installed
pip install semgrep

# 3. Run scan
semgrep scan --config auto --json -o semgrep-results.json .

# 4. View summary
semgrep scan --config auto . 2>&1 | tail -20

# 5. Scan specific areas if needed
semgrep scan --config p/security-audit src/

Output Format

After analysis, provide:

Summary - Total findings by severity
Critical Issues - Detailed breakdown of critical/high issues
Fix Plan - Prioritized list of fixes with code changes
Verification - Commands to verify fixes

Semgrep Configuration

Create .semgrep.yml for custom rules or to ignore paths:

# .semgrep.yml
rules: []

# Or reference external rules
# rules:
#   - p/javascript
#   - p/security-audit

# Ignore paths
# paths:
#   exclude:
#     - node_modules
#     - dist
#     - "*.test.js"

Common Fixes by Category

Security

Issue	Fix
Hardcoded secrets	Move to environment variables
SQL injection	Use parameterized queries
XSS vulnerability	Sanitize user input
Insecure randomness	Use crypto.randomUUID()

Code Quality

Issue	Fix
Unused variables	Remove or prefix with `_`
Missing error handling	Add try/catch or error callbacks
Deprecated API usage	Update to modern API
Inefficient patterns	Refactor to optimal approach

React/Svelte Specific

Issue	Fix
Missing key prop	Add unique key to list items
Direct DOM manipulation	Use framework methods
Memory leaks	Clean up subscriptions/listeners
Unsafe innerHTML	Use safe rendering methods

Integration with Quality Gates

After fixing issues:

# Verify fixes
semgrep scan --config auto .

# Run existing quality gates
npm test && npm run build && npm run lint

Troubleshooting

Semgrep not found

# Check if pip is available
pip --version

# If pip not found, install Python first
# macOS: brew install python
# Ubuntu: sudo apt install python3-pip

# Then install semgrep
pip install semgrep

Rate limiting

# Login to avoid rate limits
semgrep login

# Or use offline mode with local rules
semgrep scan --config ./local-rules.yml .

Memory issues on large codebases

# Scan specific directories
semgrep scan --config auto src/

# Exclude large directories
semgrep scan --config auto --exclude node_modules --exclude dist .

semgrep-analyze

Skill: Semgrep Analyze

Usage

Process

1. Check Semgrep Installation

2. Run Semgrep Analysis

3. Common Rulesets

4. Analyze Results

5. Plan Fixes

Output Format

Semgrep Configuration

Common Fixes by Category

Security

Code Quality

React/Svelte Specific

Integration with Quality Gates

Troubleshooting

Semgrep not found

Rate limiting

Memory issues on large codebases

Done Criteria

Plus depuis ce dépôt

Skill: Semgrep Analyze

Usage

Process

1. Check Semgrep Installation

2. Run Semgrep Analysis

3. Common Rulesets

4. Analyze Results

5. Plan Fixes

Output Format

Semgrep Configuration

Common Fixes by Category

Security

Code Quality

React/Svelte Specific

Integration with Quality Gates

Troubleshooting

Semgrep not found

Rate limiting

Memory issues on large codebases

Done Criteria

Plus depuis ce dépôt