{"id":"31f00ca4-e527-4ea9-95de-dc6899623431","shortId":"wRUW6R","kind":"skill","title":"semgrep-rule-creator","tagline":"Creates custom Semgrep rules for detecting security vulnerabilities, bug patterns, and code patterns. Use when writing Semgrep rules or building custom static analysis detections.","description":"# Semgrep Rule Creator\n\nCreate production-quality Semgrep rules with proper testing and validation.\n\n## When to Use\n**Ideal scenarios:**\n- Writing Semgrep rules for specific bug patterns\n- Writing rules to detect security vulnerabilities in your codebase\n- Writing taint mode rules for data flow vulnerabilities\n- Writing rules to enforce coding standards\n\n## When NOT to Use\n\nDo NOT use this skill for:\n- Running existing Semgrep rulesets\n- General static analysis without custom rules (use `static-analysis` skill)\n\n## Rationalizations to Reject\n\nWhen writing Semgrep rules, reject these common shortcuts:\n\n- **\"The pattern looks complete\"** → Still run `semgrep --test --config <rule-id>.yaml <rule-id>.<ext>` to verify. Untested rules have hidden false positives/negatives.\n- **\"It matches the vulnerable case\"** → Matching vulnerabilities is half the job. Verify safe cases don't match (false positives break trust).\n- **\"Taint mode is overkill for this\"** → If data flows from user input to a dangerous sink, taint mode gives better precision than pattern matching.\n- **\"One test is enough\"** → Include edge cases: different coding styles, sanitized inputs, safe alternatives, and boundary conditions.\n- **\"I'll optimize the patterns first\"** → Write correct patterns first, optimize after all tests pass. Premature optimization causes regressions.\n- **\"The AST dump is too complex\"** → The AST reveals exactly how Semgrep sees code. 
Skipping it leads to patterns that miss syntactic variations.\n\n## Anti-Patterns\n\n**Too broad** - matches everything, useless for detection:\n```yaml\n# BAD: Matches any function call\npattern: $FUNC(...)\n\n# GOOD: Specific dangerous function\npattern: eval(...)\n```\n\n**Missing safe cases in tests** - leads to undetected false positives:\n```python\n# BAD: Only tests vulnerable case\n# ruleid: my-rule\ndangerous(user_input)\n\n# GOOD: Include safe cases to verify no false positives\n# ruleid: my-rule\ndangerous(user_input)\n\n# ok: my-rule\ndangerous(sanitize(user_input))\n\n# ok: my-rule\ndangerous(\"hardcoded_safe_value\")\n```\n\n**Overly specific patterns** - misses variations:\n```yaml\n# BAD: Only matches exact format\npattern: os.system(\"rm \" + $VAR)\n\n# GOOD: Matches all os.system calls with taint tracking\nmode: taint\npattern-sinks:\n  - pattern: os.system(...)\n```\n\n## Strictness Level\n\nThis workflow is **strict** - do not skip steps:\n- **Read documentation first**: See [Documentation](#documentation) before writing Semgrep rules\n- **Test-first is mandatory**: Never write a rule without tests\n- **100% test pass is required**: \"Most tests pass\" is not acceptable\n- **Optimization comes last**: Only simplify patterns after all tests pass\n- **Avoid generic patterns**: Rules must be specific, not match broad patterns\n- **Prioritize taint mode**: For data flow vulnerabilities\n- **One YAML file - one Semgrep rule**: Each YAML file must contain only one Semgrep rule; don't combine multiple rules in a single file\n- **No generic rules**: When targeting a specific language for Semgrep rules - avoid generic pattern matching (`languages: generic`)\n- **Forbidden `todook` and `todoruleid` test annotations**: `todoruleid: <rule-id>` and `todook: <rule-id>` annotations in tests files for future rule improvements are forbidden\n\n## Overview\n\nThis skill guides creation of Semgrep rules that detect security vulnerabilities and code patterns. 
Rules are created iteratively: analyze the problem, write tests first, analyze AST structure, write the rule, iterate until all tests pass, optimize the rule.\n\n**Approach selection:**\n- **Taint mode** (prioritize): Data flow issues where untrusted input reaches dangerous sinks\n- **Pattern matching**: Simple syntactic patterns without data flow requirements\n\n**Why prioritize taint mode?** Pattern matching finds syntax but misses context. A pattern `eval($X)` matches both `eval(user_input)` (vulnerable) and `eval(\"safe_literal\")` (safe). Taint mode tracks data flow, so it only alerts when untrusted data actually reaches the sink—dramatically reducing false positives for injection vulnerabilities.\n\n**Iterating between approaches:** It's okay to experiment. If you start with taint mode and it's not working well (e.g., taint doesn't propagate as expected, too many false positives/negatives), switch to pattern matching. Conversely, if pattern matching produces too many false positives on safe cases, try taint mode instead. 
The goal is a working rule—not rigid adherence to one approach.\n\n**Output structure** - exactly 2 files in a directory named after the rule-id:\n```\n<rule-id>/\n├── <rule-id>.yaml     # Semgrep rule\n└── <rule-id>.<ext>    # Test file with ruleid/ok annotations\n```\n\n## Quick Start\n\n```yaml\nrules:\n  - id: insecure-eval\n    languages: [python]\n    severity: HIGH\n    message: User input passed to eval() allows code execution\n    mode: taint\n    pattern-sources:\n      - pattern: request.args.get(...)\n    pattern-sinks:\n      - pattern: eval(...)\n```\n\nTest file (`insecure-eval.py`):\n```python\n# ruleid: insecure-eval\neval(request.args.get('code'))\n\n# ok: insecure-eval\neval(\"print('safe')\")\n```\n\nRun tests (from rule directory): `semgrep --test --config <rule-id>.yaml <rule-id>.<ext>`\n\n## Quick Reference\n\n- For commands, pattern operators, and taint mode syntax, see quick-reference.md.\n- For detailed workflow and examples, you MUST see workflow.md\n\n## Workflow\n\nCopy this checklist and track progress:\n\n```\nSemgrep Rule Progress:\n- [ ] Step 1: Analyze the Problem\n- [ ] Step 2: Write Tests First\n- [ ] Step 3: Analyze AST structure\n- [ ] Step 4: Write the rule\n- [ ] Step 5: Iterate until all tests pass (semgrep --test)\n- [ ] Step 6: Optimize the rule (remove redundancies, re-test)\n- [ ] Step 7: Final Run\n```\n\n## Documentation\n\n**REQUIRED**: Before writing any rule, use WebFetch to read **all** of these 4 links with Semgrep documentation:\n\n1. [Rule Syntax](https://semgrep.dev/docs/writing-rules/rule-syntax)\n2. [Pattern Syntax](https://semgrep.dev/docs/writing-rules/pattern-syntax)\n3. [ToB Testing Handbook - Semgrep](https://appsec.guide/docs/static-analysis/semgrep/advanced/)\n4. [Constant propagation](https://semgrep.dev/docs/writing-rules/data-flow/constant-propagation)\n5. 
[Writing Rules Index](https://github.com/semgrep/semgrep-docs/tree/main/docs/writing-rules/)\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.","tags":["semgrep","rule","creator","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding"],"capabilities":["skill","source-sickn33","skill-semgrep-rule-creator","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/semgrep-rule-creator","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 34583 github stars · SKILL.md body (6,605 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T18:52:13.158Z","embedding":null,"createdAt":"2026-04-18T21:44:11.387Z","updatedAt":"2026-04-22T18:52:13.158Z","lastSeenAt":"2026-04-22T18:52:13.158Z","prices":[{"id":"60c7e657-d504-4c5c-ac14-7f8b6f0bce53","listingId":"31f00ca4-e527-4ea9-95de-dc6899623431","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:44:11.387Z"}],"sources":[{"listingId":"31f00ca4-e527-4ea9-95de-dc6899623431","source":"github","sourceId":"sickn33/antigravity-awesome-skills/semgrep-rule-creator","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/semgrep-rule-creator","isPrimary":false,"firstSeenAt":"2026-04-18T21:44:11.387Z","lastSeenAt":"2026-04-22T18:52:13.158Z"}],"details":{"listingId":"31f00ca4-e527-4ea9-95de-dc6899623431","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"semgrep-rule-creator","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34583,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-22T06:40:00Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. 
Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"1c0249ca1f1b0e4f16caff0577ed0fb0f9721dc5","skill_md_path":"skills/semgrep-rule-creator/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/semgrep-rule-creator"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"semgrep-rule-creator","description":"Creates custom Semgrep rules for detecting security vulnerabilities, bug patterns, and code patterns. Use when writing Semgrep rules or building custom static analysis detections."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/semgrep-rule-creator"},"updatedAt":"2026-04-22T18:52:13.158Z"}}