{"id":45240336,"url":"https://github.com/semgrep/skills","last_synced_at":"2026-03-05T19:01:22.844Z","repository":{"id":332855975,"uuid":"1134706709","full_name":"semgrep/skills","owner":"semgrep","description":"A collection of skills for AI coding agents from Semgrep","archived":false,"fork":false,"pushed_at":"2026-01-24T08:52:26.000Z","size":2228,"stargazers_count":8,"open_issues_count":5,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-02-04T08:53:22.487Z","etag":null,"topics":["agents","claude-code","security","skills"],"latest_commit_sha":null,"homepage":"https://semgrep.dev","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/semgrep.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-01-15T04:50:25.000Z","updated_at":"2026-02-01T04:04:08.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/semgrep/skills","commit_stats":null,"previous_names":["semgrep/agent-skills","semgrep/skills"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/semgrep/skills","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/semgrep%2Fskills","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/semgrep%2Fskills/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/semgrep%2Fskills/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/semgrep%2Fskills/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/semgrep","download_url":"https://codeload.github.com/semgrep/skills/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/semgrep%2Fskills/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30144700,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-05T16:58:46.102Z","status":"ssl_error","status_checked_at":"2026-03-05T16:58:45.706Z","response_time":93,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agents","claude-code","security","skills"],"created_at":"2026-02-20T21:00:32.414Z","updated_at":"2026-03-05T19:01:22.417Z","avatar_url":"https://github.com/semgrep.png","language":"JavaScript","funding_links":[],"categories":["Agentic AI Security Skills","Uncategorized"],"sub_categories":["Data \u0026 Supply Chain Security","Uncategorized"],"readme":"# Agent Skills [Beta]\n\nA collection of skills for AI coding agents. Skills are packaged instructions and scripts that extend agent capabilities. 
This should be considered beta-level software; it's primarily generated by transforming open-source Semgrep rules into skill format.\n\nSkills follow the [Agent Skills](https://agentskills.io/) format.\n\n## Installation\n\n```bash\nnpx skills add semgrep/skills\n```\n\n## Available Skills\n\n### code-security\n\nComprehensive code security guidelines from Semgrep Engineering covering OWASP Top 10, infrastructure security, and secure coding best practices across 15+ languages.\n\n**Use when:**\n- Writing new code\n- Reviewing code for security vulnerabilities\n- Asking about secure coding practices\n- Configuring cloud infrastructure (Terraform, Kubernetes, Docker)\n\n**Categories covered:**\n\n| Impact | Category | Description |\n|--------|----------|-------------|\n| **Critical** | SQL Injection | Parameterized queries, ORM safety |\n| **Critical** | Command Injection | Shell command safety, input validation |\n| **Critical** | Cross-Site Scripting (XSS) | Output encoding, DOM safety |\n| **Critical** | XML External Entity (XXE) | XML parser configuration |\n| **Critical** | Path Traversal | File path validation |\n| **Critical** | Insecure Deserialization | Safe deserialization patterns |\n| **Critical** | Code Injection | Eval safety, template injection |\n| **Critical** | Hardcoded Secrets | Environment variables, secret management |\n| **Critical** | Memory Safety | Buffer overflows, use-after-free (C/C++) |\n| **High** | Insecure Cryptography | Strong hashing (SHA-256+), encryption (AES) |\n| **High** | Insecure Transport | HTTPS, certificate validation, TLS |\n| **High** | Server-Side Request Forgery | URL validation, allowlists |\n| **High** | JWT Authentication | Signature verification, algorithm safety |\n| **High** | Cross-Site Request Forgery | CSRF tokens, SameSite cookies |\n| **High** | Prototype Pollution | Object key validation (JavaScript) |\n| **High** | Unsafe Functions | Dangerous function alternatives |\n| **High** | Terraform AWS | S3, IAM, 
EC2, RDS security |\n| **High** | Terraform Azure | Storage, App Service, Key Vault |\n| **High** | Terraform GCP | GCS, GCE, GKE, IAM |\n| **High** | Kubernetes | Pod security, RBAC, secrets |\n| **High** | Docker | Non-root containers, image pinning |\n| **High** | GitHub Actions | Script injection, action pinning |\n| **Medium** | Regex DoS | Catastrophic backtracking prevention |\n| **Medium** | Race Conditions | TOCTOU, secure temp files |\n| **Medium** | Code Correctness | Common bugs, type errors |\n| **Low** | Best Practices | Code quality patterns |\n| **Low** | Performance | Efficiency anti-patterns |\n| **Low** | Maintainability | Code organization |\n\n**Languages:** Python, JavaScript/TypeScript, Java, Go, Ruby, PHP, C/C++, C#, Scala, Kotlin, Rust, HCL (Terraform), YAML (Kubernetes)\n\n---\n\n### llm-security\n\nSecurity guidelines for LLM applications based on the OWASP Top 10 for Large Language Model Applications 2025.\n\n**Use when:**\n- Building LLM-powered applications\n- Implementing RAG systems\n- Securing AI/ML pipelines\n- Reviewing code that interacts with language models\n\n**Categories covered:**\n\n| Impact | Category | Description |\n|--------|----------|-------------|\n| **Critical** | Prompt Injection | Input validation, content segregation, output filtering |\n| **Critical** | Sensitive Information Disclosure | PII detection, permission-aware RAG |\n| **Critical** | Supply Chain | Model verification, safetensors, ML-BOM |\n| **Critical** | Data and Model Poisoning | Training data validation, anomaly detection |\n| **Critical** | Improper Output Handling | Context-aware encoding, parameterized queries |\n| **High** | Excessive Agency | Least privilege, human-in-the-loop |\n| **High** | System Prompt Leakage | External guardrails, no secrets in prompts |\n| **High** | Vector and Embedding Weaknesses | Permission-aware retrieval, tenant isolation |\n| **High** | Misinformation | RAG, fact verification, confidence scoring |\n| **High** | 
Unbounded Consumption | Rate limiting, budget controls |\n\n**Frameworks:** OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF\n\n---\n\n### semgrep\n\nRun Semgrep static analysis scans and create custom detection rules for security vulnerabilities and bug patterns.\n\n**Use when:**\n- Running security scans with Semgrep\n- Creating custom Semgrep rules\n- Detecting specific vulnerability patterns\n- Setting up Semgrep in CI/CD pipelines\n\n**Capabilities:**\n\n| Feature | Description |\n|---------|-------------|\n| **Quick Scans** | Run `semgrep --config auto` or use curated rulesets |\n| **Rulesets** | security-audit, owasp-top-ten, cwe-top-25, trailofbits |\n| **Custom Rules** | Pattern matching and taint mode for data flow analysis |\n| **Test-Driven** | Write test cases first with `ruleid:` and `ok:` annotations |\n| **CI/CD** | GitHub Actions integration with diff-aware scanning |\n\n**Rule Creation Workflow:**\n1. Analyze the vulnerability pattern\n2. Create test cases first (test-driven development)\n3. Analyze AST structure with `semgrep --dump-ast`\n4. Write the rule (taint mode for injection, pattern matching for syntax)\n5. Iterate until 100% of tests pass\n6. Optimize patterns\n\n**When to use taint mode:** SQL injection, command injection, XSS, path traversal, SSRF - any vulnerability where untrusted data flows to a dangerous sink.\n\n---\n\n## Usage\n\nSkills are automatically available once installed. 
The agent will use them when relevant tasks are detected.\n\n**Examples:**\n```\nReview this React component for security issues\n```\n```\nHelp me implement input validation for my LLM chat endpoint\n```\n```\nCreate a Semgrep rule to detect hardcoded API keys in Python\n```\n\n## Development\n\n### Building Skills\n\n```bash\nmake install     # Install dependencies\nmake validate    # Validate all skills\nmake build       # Build AGENTS.md for all skills\nmake zip         # Create distribution packages\nmake             # All of the above\n```\n\n### Single Skill Operations\n\n```bash\nmake validate-skill SKILL=code-security\nmake build-skill SKILL=llm-security\n```\n\n## Skill Structure\n\nEach skill contains:\n- `SKILL.md` - Instructions for the agent\n- `rules/` - Individual rule files (for skills with rules)\n- `scripts/` - Helper scripts for automation (optional)\n- `references/` - Supporting documentation (optional)\n\n## Acknowledgments\n\nOriginally created by [@DrewDennison](https://x.com/drewdennison) at [Semgrep](https://semgrep.dev). This work was heavily inspired by Vercel's [React Best Practices](https://vercel.com/blog/introducing-react-best-practices).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsemgrep%2Fskills","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsemgrep%2Fskills","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsemgrep%2Fskills/lists"}