// Run semgrep static analysis with the security-audit and secrets rulesets, then map each hit into scrutineer's findings shape so it surfaces alongside model-driven audits. Use as a fast deterministic pass before or alongside deeper skills.
Produce a structured plain-language overview of what a repository does, who maintains it, its activity level, and the shape of its codebase. Use when you want a quick orientation before deeper analysis.
Audit first-party source for security vulnerabilities using an inventory-first, six-step per-sink methodology. Use when you want a thorough scan that distinguishes real findings from pattern matches and records both in a machine-readable report. The target is this codebase's own code, not its dependencies.
Enumerate scannable sub-folders inside a repository. Identifies monorepo packages, workspaces, and discrete modules so the analyst can scope deep-dive scans to a specific sub-path instead of treating a huge tree as one unit. Runs at repo level; writes back a list that surfaces on the repo overview.
Default pipeline scrutineer runs when a repository is added. Triggers a standard set of other skills in parallel, then writes a short summary of what was enqueued. Edit the list below to change the default scan coverage without touching scrutineer's Go code.
Audit the repository's GitHub Actions workflows for common security issues (credential mishandling, untrusted inputs, template injection, overly permissive tokens) and convert findings to scrutineer's shape. Use on any repo with a .github/workflows directory.
Propose a code patch for a finding. Produces a unified diff against the current HEAD plus a short rationale, written back as a finding note so the analyst can review, adjust, and open a PR themselves. The skill never pushes to the remote.
| name | semgrep |
| description | Run semgrep static analysis with the security-audit and secrets rulesets, then map each hit into scrutineer's findings shape so it surfaces alongside model-driven audits. Use as a fast deterministic pass before or alongside deeper skills. |
| license | MIT |
| compatibility | Requires `semgrep` (https://semgrep.dev) and `python3` on PATH. |
| metadata | {"scrutineer.output_file":"report.json","scrutineer.output_kind":"freeform"} |
Run semgrep against ./src using the p/security-audit and p/secrets rulesets, then convert each hit into the findings-report shape scrutineer's parser understands.
./src — the cloned repository./scripts/scan.py — the wrapper./report.json — write the findings report here./schema.json — output shapescripts/scan.py — runs semgrep, maps results into findings with the fields we actually populate (id, title, severity, cwe, location, trace, rating). Severity maps: ERROR → High, WARNING → Medium, INFO/INVENTORY/EXPERIMENT → Low.python3 scripts/scan.py > ./report.json
The script self-reports tool-missing errors into the JSON envelope so failures are visible on the scan page rather than silent. Don't post-process its output.