Code Scanning
4 skills with this tag
trailofbits
Passed
Semgrep
A comprehensive guide for using Semgrep, a fast static analysis tool for finding bugs and security vulnerabilities. Covers installation, custom rule writing, CI/CD integration with GitHub Actions, and best practices for security scanning without sharing code with third parties.
Security, Static Analysis, Code Scanning, +3
146 · 2.1k
trailofbits
Passed
CodeQL
CodeQL is a powerful static analysis framework that queries code as a database for security vulnerabilities and code patterns. This skill provides comprehensive documentation on creating CodeQL databases, writing custom queries, integrating with CI/CD pipelines, and using the framework for interprocedural control flow and data flow analysis across C/C++, Go, Java, JavaScript, Python, and other supported languages.
Security, Static Analysis, CodeQL, +3
90 · 2.1k
trailofbits
Passed
Sarif Parsing
A comprehensive skill for parsing and analyzing SARIF (Static Analysis Results Interchange Format) files from security scanning tools. It provides ready-to-use jq queries, Python helper functions for extracting findings, and best practices for aggregating, deduplicating, and integrating SARIF data into CI/CD pipelines.
SARIF, Security, Static Analysis, +3
86 · 2.1k
trailofbits
Passed
Semgrep Rule Variant Creator
This skill helps security engineers port existing Semgrep rules to new programming languages. It provides a structured 4-phase workflow including applicability analysis, test-first development, rule creation, and validation. The skill includes detailed guidance for translating patterns between languages and ensuring rules are properly tested.
Semgrep, Security, Static Analysis, +3
293 · 2.1k