sast-semgrep

# SAST Scan with Semgrep

You are a security engineer running static application security testing (SAST) using Semgrep.
## When to use

Use this skill when asked to perform a SAST scan, static analysis, or security code review on any codebase. Semgrep supports Python, JavaScript/TypeScript, Java, Go, C/C++, Ruby, PHP, C#, Kotlin, Swift, Rust, and more.
## Prerequisites

- Semgrep CLI installed (`pip install semgrep` or `brew install semgrep`)
- Verify: `semgrep --version`
## Instructions

- Identify the target — Determine the file(s) or directory to scan from the user's request.
- Select the ruleset — Choose the appropriate config:
  - General security: `--config=auto` (recommended default)
  - OWASP Top 10: `--config=p/owasp-top-ten`
  - Language-specific: `--config=p/python`, `--config=p/javascript`, `--config=p/java`, etc.
  - CI-focused: `--config=p/ci`
  - Secrets: `--config=p/secrets`
- Run the scan:

  ```
  semgrep scan --config=auto --json --output=semgrep-results.json <target-path>
  ```

- Parse the results — Read the JSON output and present findings in this format:

  | # | Severity | Rule ID | File:Line | Finding | Remediation |
  |---|----------|---------|-----------|---------|-------------|

- Summarize — Provide:
  - Total files scanned and findings count by severity (ERROR / WARNING / INFO)
  - Critical findings first with code context
  - Specific remediation steps referencing Semgrep rule documentation
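The parse-and-summarize steps above, worked through in code. This is an added example, not part of the skill itself: it reads a report in the shape `semgrep scan --json` produces (`results[].check_id`, `path`, `start.line`, `extra.message`, `extra.severity`, optional `extra.fix`, and `paths.scanned`), orders findings ERROR first, and emits the findings table and severity counts. The embedded JSON is constructed sample data, the rule IDs and file paths in it are placeholders, and the `https://semgrep.dev/r/<rule-id>` link used for remediation pointers is an assumed registry URL pattern.

```python
"""Turn `semgrep scan --json` output into the findings table and summary.
Added example; SAMPLE_JSON is constructed, not real scan output."""
import json
from collections import Counter

SEVERITY_ORDER = {"ERROR": 0, "WARNING": 1, "INFO": 2}

# Constructed sample mirroring the shape of Semgrep's JSON report.
# Rule IDs, paths and code lines are placeholders, not real findings.
SAMPLE_JSON = json.dumps({
    "version": "0.0.0-example",
    "results": [
        {
            "check_id": "example.python.hardcoded-secret",       # placeholder rule ID
            "path": "app/settings.py",
            "start": {"line": 7, "col": 1}, "end": {"line": 7, "col": 40},
            "extra": {
                "message": "Hardcoded credential assigned to a variable.",
                "severity": "WARNING",
                "metadata": {"cwe": ["CWE-798"]},
                "lines": 'API_KEY = "placeholder-not-a-real-key"',
            },
        },
        {
            "check_id": "example.python.subprocess-shell-true",  # placeholder rule ID
            "path": "app/run.py",
            "start": {"line": 42, "col": 5}, "end": {"line": 42, "col": 48},
            "extra": {
                "message": "subprocess call with shell=True and non-constant input.",
                "severity": "ERROR",
                "metadata": {"cwe": ["CWE-78"]},
                "lines": "    subprocess.call(cmd, shell=True)",
                "fix": "    subprocess.call(shlex.split(cmd))",
            },
        },
        {
            "check_id": "example.python.assert-in-code",         # placeholder rule ID
            "path": "app/util.py",
            "start": {"line": 3, "col": 1}, "end": {"line": 3, "col": 20},
            "extra": {
                "message": "assert is stripped under python -O; not a runtime check.",
                "severity": "INFO",
                "metadata": {},
                "lines": "assert user.is_admin",
            },
        },
    ],
    "errors": [],
    "paths": {"scanned": ["app/settings.py", "app/run.py", "app/util.py"]},
})


def remediation_for(result):
    """Prefer the rule's own autofix text when present; otherwise point at the
    rule's registry page (URL pattern is an assumption)."""
    extra = result.get("extra", {})
    if extra.get("fix"):
        return f"Apply suggested fix: {extra['fix'].strip()}"
    return f"See https://semgrep.dev/r/{result['check_id']}"


def load_findings(raw_json):
    """Normalize results into table rows, sorted ERROR > WARNING > INFO."""
    report = json.loads(raw_json)
    rows = []
    for r in report.get("results", []):
        extra = r.get("extra", {})
        rows.append({
            "severity": extra.get("severity", "INFO").upper(),
            "rule_id": r["check_id"],
            "location": f"{r['path']}:{r['start']['line']}",
            "finding": extra.get("message", "").strip(),
            "remediation": remediation_for(r),
        })
    rows.sort(key=lambda row: (SEVERITY_ORDER.get(row["severity"], 99), row["location"]))
    return rows


def severity_counts(rows):
    """Findings count per severity, always reporting all three buckets."""
    counts = Counter(row["severity"] for row in rows)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def files_scanned(raw_json):
    """Number of files Semgrep reports having scanned (paths.scanned)."""
    return len(json.loads(raw_json).get("paths", {}).get("scanned", []))


def render_table(rows):
    """Markdown table in the format the instructions call for; pipes escaped."""
    lines = ["| # | Severity | Rule ID | File:Line | Finding | Remediation |",
             "|---|----------|---------|-----------|---------|-------------|"]
    for i, row in enumerate(rows, 1):
        cells = [str(i), row["severity"], row["rule_id"], row["location"],
                 row["finding"].replace("|", "\\|"), row["remediation"].replace("|", "\\|")]
        lines.append("| " + " | ".join(cells) + " |")
    return "\n".join(lines)


def summarize(raw_json):
    rows = load_findings(raw_json)
    return {"files_scanned": files_scanned(raw_json),
            "by_severity": severity_counts(rows),
            "table": render_table(rows)}


if __name__ == "__main__":
    s = summarize(SAMPLE_JSON)
    print(f"Files scanned: {s['files_scanned']}  Findings: {s['by_severity']}")
    print(s["table"])
```

To use it on a real scan, replace `SAMPLE_JSON` with the contents of `semgrep-results.json`; the sort key puts ERROR findings at the top so the critical items lead the report, and `extra.fix` is surfaced when the rule ships an autofix so the remediation column is concrete rather than a bare link.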
## Common Rulesets

| Ruleset | Config Flag | Use Case |
|---|---|---|
| Auto (recommended) | `--config=auto` | Best overall coverage |
| OWASP Top 10 | `--config=p/owasp-top-ten` | Compliance-focused |
| Secrets | `--config=p/secrets` | Detect hardcoded secrets |
| Default | `--config=p/default` | Curated high-signal rules |
| CI | `--config=p/ci` | Fast, low false-positive |