semgrep-rule-creator

# Semgrep Rule Creator

## When to Use
- Writing custom Semgrep rules for project-specific vulnerability patterns
- Creating detection rules for internal APIs or frameworks
- Building taint-mode rules to track data flow from sources to sinks
- Porting detection logic from other tools to Semgrep
- Defining coding standards as enforceable rules
## When NOT to Use
- Running existing Semgrep scans (use the semgrep sub-skill in static-analysis)
- Complex interprocedural analysis (use CodeQL for deep data flow)
- Binary or bytecode analysis
## Rule Template

```yaml
rules:
  - id: <org>-<category>-<specific-issue>
    languages: [<language>]
    message: >
      <Clear description of the issue and remediation>
    severity: ERROR   # ERROR | WARNING | INFO
    metadata:
      cwe: "CWE-XXX: Description"
      confidence: HIGH   # HIGH | MEDIUM | LOW
      category: security
    patterns:
      - pattern: <vulnerable-code-pattern>
      - pattern-not: <safe-variant-to-exclude>
```
## Pattern Operators

| Operator | Use Case |
|---|---|
| `pattern` | Match exact code structure |
| `patterns` | All must match (AND) |
| `pattern-either` | Any matches (OR) |
| `pattern-not` | Exclude matches |
| `pattern-inside` | Only match within context |
| `pattern-not-inside` | Only match outside context |
| `pattern-regex` | Regex on source text |
| `metavariable-regex` | Regex on captured variable |
| `metavariable-comparison` | Numeric/string comparison |
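The following rules file is an added example, not part of the original skill text or the Semgrep registry, that fills in the Rule Template above and exercises most of the operators in the table in one place. The `acme-` org prefix, the rule ids and the messages are invented; the CWE ids, the Semgrep keys and the Python APIs being matched are real. The first rule combines `pattern-inside`, `pattern`, `metavariable-regex` and `pattern-not`; the second uses `pattern-either` and `metavariable-comparison`.

```yaml
# Added example rules (not from the original page). Org prefix "acme" and the
# rule ids are placeholders; keys and CWE ids are real.
rules:
  - id: acme-python-subprocess-shell-injection
    languages: [python]
    severity: ERROR
    message: >
      subprocess.$FUNC is called with shell=True on a command that is not a
      string literal, so the command is parsed by /bin/sh and any
      attacker-controlled fragment becomes part of it. Pass the command as an
      argument list and drop shell=True.
    metadata:
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
      confidence: HIGH
      category: security
    patterns:
      # pattern-inside: only report in files where `subprocess` is the module
      - pattern-inside: |
          import subprocess
          ...
      # pattern: the call shape of interest; $FUNC and $CMD are captured
      - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
      # metavariable-regex: restrict $FUNC to the entry points that execute
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(run|call|check_call|check_output|Popen)$
      # pattern-not: a constant command string has nothing to inject into
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)

  - id: acme-python-pbkdf2-low-iterations
    languages: [python]
    severity: WARNING
    message: >
      hashlib.pbkdf2_hmac is called with $ITER iterations; fewer than 100000
      leaves stored password hashes cheap to brute-force. Raise the iteration
      count or switch to a memory-hard KDF such as scrypt.
    metadata:
      cwe: "CWE-916: Use of Password Hash With Insufficient Computational Effort"
      confidence: MEDIUM
      category: security
    patterns:
      # pattern-either: accept the positional and the keyword form of the call
      - pattern-either:
          - pattern: hashlib.pbkdf2_hmac($HASH, $PASSWORD, $SALT, $ITER, ...)
          - pattern: hashlib.pbkdf2_hmac($HASH, $PASSWORD, $SALT, iterations=$ITER, ...)
      # metavariable-comparison: numeric check on the captured literal; a
      # non-literal $ITER fails the comparison and is simply not reported
      - metavariable-comparison:
          metavariable: $ITER
          comparison: $ITER < 100000
```

Metavariables bound in one operator are shared across the whole `patterns` list, which is why `pattern-not` can reuse `$FUNC`, and why `$ITER` can be interpolated into the message of the second rule.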
## Taint Mode Template

```yaml
rules:
  - id: <taint-rule-id>
    languages: [<language>]
    message: "Untrusted data flows to dangerous sink"
    severity: ERROR
    mode: taint
    pattern-sources:
      - pattern: <source-of-untrusted-data>
    pattern-sinks:
      - pattern: <dangerous-function-call>
    pattern-sanitizers:
      - pattern: <function-that-makes-input-safe>
```
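As an added worked example (not code from the original page), here is the taint template filled in for a Flask application: every read from the request object is a source, the command argument of a shell-executing call is the sink, and two sanitizers stop the flow. The `acme-` prefix and rule id are invented; `focus-metavariable`, used to narrow the sink to the command argument rather than the whole call, is a real Semgrep key.

```yaml
# Added example taint rule (not from the original page). Rule id is a
# placeholder; Semgrep keys, Flask and stdlib APIs are real.
rules:
  - id: acme-flask-request-to-shell
    languages: [python]
    severity: ERROR
    mode: taint
    message: >
      Data from the HTTP request reaches a shell command without being
      neutralised. Pass arguments as a list without shell=True, or validate
      the value against an allow-list before using it.
    metadata:
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
      confidence: HIGH
      category: security
    pattern-sources:
      # anything read from the Flask request object is attacker-controlled;
      # `flask.request` also matches `request` after `from flask import request`
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.args[...]
      - pattern: flask.request.form.get(...)
      - pattern: flask.request.form[...]
      - pattern: flask.request.get_json(...)
    pattern-sinks:
      # focus-metavariable makes only the command argument the sink, so a
      # tainted value in an unrelated keyword argument does not fire the rule
      - patterns:
          - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
          - metavariable-regex:
              metavariable: $FUNC
              regex: ^(run|call|check_call|check_output|Popen)$
          - focus-metavariable: $CMD
      - pattern: os.system(...)
      - pattern: os.popen(...)
    pattern-sanitizers:
      # a shell-quoted token or a parsed integer can no longer carry shell syntax
      - pattern: shlex.quote(...)
      - pattern: int(...)
```

A matching test file would mark a handler that passes `request.args.get("host")` straight into `subprocess.run(f"ping {host}", shell=True)` with `# ruleid: acme-flask-request-to-shell`, and the same handler with `shlex.quote(host)` with `# ok: acme-flask-request-to-shell`.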
## Testing Rules

Create test files with annotations. Semgrep pairs each rule file with a test file of the same base name in the same directory (for example `rules/my-rule.yaml` and `rules/my-rule.py`); a `ruleid:` comment marks a line the rule must report and an `ok:` comment marks a line it must not.

```python
def test_vulnerable():
    # ruleid: my-rule-id
    dangerous_call(user_input)


def test_safe():
    # ok: my-rule-id
    safe_call(sanitized_input)
```

```bash
semgrep --test rules/
```
## Best Practices

- Use specific, descriptive rule IDs with org prefix
- Include CWE and confidence metadata
- Write clear remediation guidance in the message
- Always create test cases for true positives AND false positives
- Use `pattern-not` to reduce false positives
- Prefer `pattern-inside` to limit scope rather than overly complex patterns
- Test against real codebases before deploying to CI
## Resources
- Rule Syntax — https://semgrep.dev/docs/writing-rules/rule-syntax/
- Playground — https://semgrep.dev/playground
- Rule Registry — https://semgrep.dev/explore