MCPxelMCPxel
Co-Pilot
Updated a month ago

semgrep-rule-creator

Ttrailofbits
1.8k
trailofbits/skills/plugins/semgrep-rule-creator
76
Agent Score

💡 Summary

An AI-guided assistant for creating and testing custom Semgrep rules for bug and vulnerability detection.

🎯 Target Audience

Application Security EngineersDevSecOps EngineersSoftware Developers focused on code qualitySecurity Researchers

🤖 AI Roast:It's like a GPS for writing regex, but for abstract syntax trees—still easy to get lost if you don't know the territory.

Security AnalysisLow Risk

The skill guides the creation of rules that execute Semgrep, which performs local file system reads and code execution. A maliciously crafted rule pattern could be used to induce denial-of-service via complex matching. Mitigation: Run the agent and Semgrep in a sandboxed environment without network access.

Semgrep Rule Creator

Create production-quality Semgrep rules for detecting bug patterns and security vulnerabilities.

Author: Maciej Domanski

Skills Included

| Skill | Purpose | |-----------------------|------------------------------------------------------| | semgrep-rule-creator | Guide creation of custom Semgrep rules with testing |

When to Use

Use this plugin when you need to:

  • Create custom Semgrep rules for detecting specific bug patterns
  • Write rules for security vulnerability detection
  • Build taint-mode rules for data flow analysis
  • Develop pattern-matching rules for code quality checks

What It Does

  • Guides test-driven rule development (write tests first, then iterate)
  • Analyzes AST structure to help craft precise patterns
  • Supports both taint mode (data flow) and pattern matching approaches
  • Includes comprehensive reference documentation from Semgrep docs
  • Provides common vulnerability patterns by language

Prerequisites

  • Semgrep installed (pip install semgrep or brew install semgrep)

Installation

/plugin install trailofbits/skills/plugins/semgrep-rule-creator

Related Skills

  • semgrep-rule-variant-creator - Port existing Semgrep rules to new target languages
  • static-analysis - General static analysis toolkit with Semgrep, CodeQL, and SARIF parsing
  • variant-analysis - Find similar vulnerabilities across codebases
5-Dim Analysis
Clarity8/10
Novelty6/10
Utility9/10
Completeness7/10
Maintainability8/10
Pros & Cons

Pros

  • Promotes test-driven development for rule creation.
  • Supports both pattern-matching and complex taint-mode rules.
  • Integrates comprehensive Semgrep documentation.

Cons

  • Requires existing Semgrep installation and knowledge.
  • Limited to Semgrep's rule syntax and capabilities.
  • Effectiveness depends on user's ability to describe patterns.

Related Skills

variant-analysis

B
toolCo-Pilot
76/ 100

“It's a great guide for finding more bugs, but it won't write the perfect query for you—that's still on you, human.”

View Analysis

pytorch

S
toolCode Lib
92/ 100

“It's the Swiss Army knife of deep learning, but good luck figuring out which of the 47 installation methods is the one that won't break your system.”

View Analysis

agno

S
toolCode Lib
90/ 100

“It promises to be the Kubernetes for agents, but let's see if developers have the patience to learn yet another orchestration layer.”

View Analysis

Disclaimer: This content is sourced from GitHub open source projects for display and rating purposes only.

Copyright belongs to the original author trailofbits.