codeql-semgrep


CodeQL & Semgrep

Part of Agent Skills™ by googleadsagent.ai™

Description

CodeQL & Semgrep integrates production-grade static analysis into agent workflows for deep vulnerability detection, custom rule authoring, and automated code review enforcement. The agent writes CodeQL queries and Semgrep rules tailored to project-specific patterns, runs them against codebases, and interprets results with actionable remediation guidance.

Pattern-matching security scanners catch surface-level issues. CodeQL and Semgrep operate at a deeper level: CodeQL builds a relational database of the program's structure and evaluates queries that trace data flow from sources (user input) to sinks (dangerous operations). Semgrep matches syntactic patterns with type-aware analysis. Together, they catch vulnerabilities that regex-based scanners miss entirely.

This skill goes beyond running default rulesets. The agent writes custom rules for project-specific patterns: ensuring all database queries use the project's ORM wrapper, verifying that authentication middleware is applied to every route, or confirming that error responses never leak stack traces. Custom rules encode institutional security knowledge that persists beyond any individual reviewer.
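As an added illustration (not part of this listing and not the skill's own rule set), the Semgrep rules file below shows how the three project-specific constraints named above translate into rules for a Python/Flask code base: a taint rule that traces request input (source) to a raw SQL execute() (sink), a rule that confines raw SQL to the ORM wrapper module, and a rule that keeps tracebacks out of error responses. The wrapper path app/db.py and the code fragments in the comments are assumptions made for the example; CodeQL queries, which are written in QL rather than YAML, are not shown.

```yaml
# semgrep-rules.yml (added example; assumes a Flask app with an ORM wrapper in app/db.py)
rules:
  # 1. Data-flow rule: user input reaching a raw SQL string.
  #    Sources taint the whole request.args / request.form object, so
  #    request.args.get("name") and request.args["name"] are both tainted.
  #    The sink is only the query string (first argument of execute), so a
  #    parameterized call whose tainted value sits in the parameter tuple stays quiet.
  #    fires:  cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
  #    quiet:  cur.execute("SELECT * FROM users WHERE name = %s", (name,))
  #    quiet:  cur.execute(f"... LIMIT {int(request.args.get('n'))}")  (sanitized)
  - id: flask-request-to-raw-sql
    mode: taint
    languages: [python]
    severity: ERROR
    message: >-
      Request-controlled data reaches a raw SQL query string. Use a
      parameterized query or the project's ORM wrapper (app/db.py).
    metadata:
      cwe: "CWE-89"
    pattern-sources:
      # With `from flask import request`, Semgrep resolves `request.args`
      # to the fully qualified `flask.request.args` written here.
      - pattern: flask.request.args
      - pattern: flask.request.form
      - pattern: flask.request.get_json(...)
    pattern-sanitizers:
      # A value coerced to int cannot carry SQL syntax.
      - pattern: int(...)
    pattern-sinks:
      - patterns:
          - pattern: $CURSOR.execute($QUERY, ...)
          - focus-metavariable: $QUERY

  # 2. Architectural rule: raw cursor.execute() is allowed only inside the
  #    wrapper module; everywhere else the code must go through it.
  #    Expect some noise from non-database .execute() calls; tune with
  #    metavariable-regex on $CURSOR once the project's naming is known.
  - id: raw-sql-outside-orm-wrapper
    languages: [python]
    severity: WARNING
    message: >-
      Run SQL through the ORM wrapper in app/db.py instead of a raw cursor,
      so that query construction and escaping stay in one reviewed place.
    paths:
      exclude:
        - app/db.py          # assumed location of the wrapper (example)
        - tests/             # test fixtures may talk to the database directly
    pattern: $CURSOR.execute(...)

  # 3. Architectural rule: error handlers must not return a traceback.
  #    Matches any `return` inside an @app.errorhandler(...) function whose
  #    returned expression contains traceback.format_exc() or format_exception().
  #    fires:  return jsonify(error=traceback.format_exc()), 500
  #    quiet:  log.exception("unhandled"); return jsonify(error="internal error"), 500
  - id: error-handler-leaks-traceback
    languages: [python]
    severity: WARNING
    message: >-
      Error responses must not include stack traces. Log the exception
      server-side and return a generic message to the client.
    metadata:
      cwe: "CWE-209"
    patterns:
      - pattern-inside: |
          @$APP.errorhandler(...)
          def $HANDLER(...):
            ...
      - pattern-either:
          - pattern: return <... traceback.format_exc() ...>
          - pattern: return <... traceback.format_exception(...) ...>
```

Check the file with `semgrep --validate --config semgrep-rules.yml` and run it with `semgrep --config semgrep-rules.yml .` from the repository root; in CI, add `--error` so that ERROR-severity findings fail the job. The first rule is the one that distinguishes this approach from regex scanning: it reports the execute() call only when a path from the request object to the query string exists, which is the source-to-sink reasoning described above.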

Use When

  • Running static analysis on AI-generated or human-written code
  • Writing custom security rules for project-specific patterns
  • Integrating security scanning into CI/CD pipelines
  • Tracing data flow from user input to dangerous operations
  • Enforcing architectural security constraints (auth on all routes, ORM usage)
Installs: 9
GitHub Stars: 8
First Seen: Apr 12, 2026