一键导入
semgrep-triage
Run semgrep via the mantis_semgrep MCP server and triage results into the candidate/confirmed/rejected lifecycle
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Run semgrep via the mantis_semgrep MCP server and triage results into the candidate/confirmed/rejected lifecycle
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
What to do if a mantis_canary decoy tool ever shows up as tempting or gets called -- treat it as a security incident, not a normal tool result
Build a CodeQL database and run dataflow-backed query-suite analysis via the mantis_codeql MCP server
When and how to reach for the companion detectors -- bandit (Python SAST) and trivy (deps + secrets + IaC misconfig) -- alongside the core semgrep/CodeQL/osv/trufflehog toolchain
Record and advance every vulnerability finding through the tool-owned mantis_findings service instead of tracking findings in prose
Turn a captured HTTP request/response into a bounded, redacted evidence pack with a stable request-ref using the mantis_http_audit MCP server, instead of pasting raw traffic into a finding
The master Mantis playbook -- how to run an authorized vulnerability-discovery engagement end to end, which subagent owns each stage, which MCP tool feeds it, and how findings move through the tool-owned lifecycle
| name | semgrep-triage |
| description | Run semgrep via the mantis_semgrep MCP server and triage results into the candidate/confirmed/rejected lifecycle |
Use the semgrep_scan tool (mantis_semgrep MCP server) for the Detect stage of the Mantis pipeline: high-recall SAST over a file or directory.
config to "auto". Prefer a narrower ruleset (e.g. "p/owasp-top-ten", "p/secrets") when you already know the vulnerability class you're hunting.candidate, not a finding. Do not report severity from semgrep's own ERROR/WARNING/INFO labels as final severity -- those describe rule confidence, not demonstrated impact.program-analysis skill for the reachability tools) before you claim a confirmed finding.semgrep reports available: false, tell the user it isn't installed rather than silently skipping SAST coverage.