semgrep-rule-variant-creator

Author: trailofbits (trailofbits/skills/plugins/semgrep-rule-variant-creator)
Updated a month ago
Agent score: 80/100

Summary

This skill ports Semgrep rules to multiple languages, with comprehensive validation.

Intended audience

Security analysts, software developers, DevOps engineers, code reviewers, QA testers


Security analysis: risk

Risk: Medium. Recommended checks: whether it makes outbound network requests (SSRF / data exfiltration); file read/write scope and path traversal risk. Run it with least privilege, and audit the code and its dependencies before enabling it in production.

Semgrep Rule Variant Creator

A Claude Code skill for porting existing Semgrep rules to new target languages with proper applicability analysis and test-driven validation.

Overview

This skill takes an existing Semgrep rule and one or more target languages, then generates independent rule variants for each applicable language. Each variant goes through a complete 4-phase cycle:

  1. Applicability Analysis - Determine if the vulnerability pattern applies to the target language
  2. Test Creation - Write test-first with vulnerable and safe cases
  3. Rule Creation - Translate patterns and adapt for target language idioms
  4. Validation - Ensure all tests pass before proceeding

Prerequisites

  • Semgrep installed and available in PATH
  • Existing Semgrep rule to port (in YAML)
  • Target languages specified

Usage

Invoke the skill when you want to port an existing Semgrep rule:

Port the sql-injection.yaml Semgrep rule to Go and Java
Create Semgrep rule variants of my-rule.yaml for TypeScript, Rust, and C#
Create the same Semgrep rule for JavaScript and Ruby
Port this Semgrep rule to Golang

Output Structure

For each applicable target language, the skill produces:

<original-rule-id>-<language>/
├── <original-rule-id>-<language>.yaml     # Ported rule
└── <original-rule-id>-<language>.<ext>    # Test file

Example

Input:

  • Rule: python-command-injection.yaml
  • Target languages: Go, Java

Output:

python-command-injection-golang/
├── python-command-injection-golang.yaml
└── python-command-injection-golang.go

python-command-injection-java/
├── python-command-injection-java.yaml
└── python-command-injection-java.java
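As an added illustration of the four-phase cycle on the example above (not the skill's own output; the content of the source rule is assumed, since the page names only the file python-command-injection.yaml), here is the assumed Python rule beside the Go variant the skill would write to python-command-injection-golang/python-command-injection-golang.yaml, with the applicability reasoning and the test-file annotations shown as comments:

```yaml
# Both rules in one file for side-by-side reading; the skill writes the Go
# variant to its own directory as python-command-injection-golang.yaml.
rules:
  # Assumed source rule for python-command-injection.yaml (the page names only the file).
  - id: python-command-injection
    languages: [python]
    severity: ERROR
    message: Non-literal command string reaches the shell (possible command injection)
    patterns:
      - pattern-either:
          - pattern: subprocess.$CALL($CMD, ..., shell=True, ...)
          - pattern: os.system($CMD)
      # Safe cases from the Phase 2 test file: a plain string literal carries no input.
      - pattern-not: subprocess.$CALL("...", ..., shell=True, ...)
      - pattern-not: os.system("...")

  # Phase 1 (applicability): Go has no shell=True. The equivalent sink is running a
  # shell interpreter with -c and a non-literal command, so the pattern is re-expressed
  # around os/exec rather than translated token for token.
  - id: python-command-injection-golang
    languages: [go]
    severity: ERROR
    message: Non-literal command string passed to a shell via os/exec (possible command injection)
    patterns:
      - pattern-either:
          - pattern: exec.Command("sh", "-c", $CMD, ...)
          - pattern: exec.Command("bash", "-c", $CMD, ...)
          - pattern: exec.CommandContext($CTX, "sh", "-c", $CMD, ...)
          - pattern: exec.CommandContext($CTX, "bash", "-c", $CMD, ...)
      # Go idiom with no Python counterpart: exec.Command(name, args...) without a
      # shell does not interpret metacharacters, so it is intentionally left unmatched.
      - pattern-not: exec.Command("sh", "-c", "...", ...)
      - pattern-not: exec.Command("bash", "-c", "...", ...)
      - pattern-not: exec.CommandContext($CTX, "sh", "-c", "...", ...)
      - pattern-not: exec.CommandContext($CTX, "bash", "-c", "...", ...)

# Phase 2 test file python-command-injection-golang.go (constructed), one vulnerable
# and one safe case, annotated for `semgrep --test`:
#   // ruleid: python-command-injection-golang
#   exec.Command("sh", "-c", "ls "+userInput)
#   // ok: python-command-injection-golang
#   exec.Command("ls", userInput)
```

Running `semgrep --test` in the variant directory reads the `// ruleid:` and `// ok:` annotations in the test file and fails if an expected finding is missing or a safe case is flagged, which is the Phase 4 gate.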

Key Differences from semgrep-rule-creator

| Aspect | semgrep-rule-creator | semgrep-rule-variant-creator |
|--------|---------------------|------------------------------|
| Input | Bug pattern description | Existing rule + target languages |
| Output | Single rule+test | Multiple rule+test directories |
| Workflow | Single creation cycle | Independent cycle per language |
| Phase 1 | Problem analysis | Applicability analysis |

Skill Files

  • skills/semgrep-rule-variant-creator/SKILL.md - Main entry point
  • skills/semgrep-rule-variant-creator/references/applicability-analysis.md - Phase 1 guidance
  • skills/semgrep-rule-variant-creator/references/language-syntax-guide.md - Pattern translation guidance
  • skills/semgrep-rule-variant-creator/references/workflow.md - Detailed 4-phase workflow

Related Skills

  • semgrep-rule-creator - Create new Semgrep rules from scratch
  • static-analysis - Run existing Semgrep rules against code

Five-dimension analysis

  • Clarity 9/10
  • Innovation 7/10
  • Practicality 8/10
  • Completeness 8/10
  • Maintainability 8/10

Pros and cons

Pros

  • Automates the rule-porting process
  • Ensures comprehensive validation
  • Supports multiple target languages
  • Strengthens code security

Cons

  • Requires an existing Semgrep rule
  • Depends on a Semgrep installation
  • Ported rules may need manual adjustment
  • Limited to what Semgrep can do



Copyright belongs to the original author, trailofbits.