{"id":"645540b0-6380-4e56-b4cc-885f6a774536","shortId":"xPG43f","kind":"skill","title":"semgrep-rule-variant-creator","tagline":"Creates language variants of existing Semgrep rules. Use when porting a Semgrep rule to specified target languages. Takes an existing rule and target languages as input, produces independent rule+test directories for each language.","description":"# Semgrep Rule Variant Creator\n\nPort existing Semgrep rules to new target languages with proper applicability analysis and test-driven validation.\n\n## When to Use\n**Ideal scenarios:**\n- Porting an existing Semgrep rule to one or more target languages\n- Creating language-specific variants of a universal vulnerability pattern\n- Expanding rule coverage across a polyglot codebase\n- Translating rules between languages with equivalent constructs\n\n## When NOT to Use\n\nDo NOT use this skill for:\n- Creating a new Semgrep rule from scratch (use `semgrep-rule-creator` instead)\n- Running existing rules against code\n- Languages where the vulnerability pattern fundamentally doesn't apply\n- Minor syntax variations within the same language\n\n## Input Specification\n\nThis skill requires:\n1. **Existing Semgrep rule** - YAML file path or YAML rule content\n2. 
**Target languages** - One or more languages to port to (e.g., \"Golang and Java\")\n\n## Output Specification\n\nFor each applicable target language, produces:\n```\n<original-rule-id>-<language>/\n├── <original-rule-id>-<language>.yaml     # Ported Semgrep rule\n└── <original-rule-id>-<language>.<ext>    # Test file with annotations\n```\n\nExample output for porting `sql-injection` to Go and Java:\n```\nsql-injection-golang/\n├── sql-injection-golang.yaml\n└── sql-injection-golang.go\n\nsql-injection-java/\n├── sql-injection-java.yaml\n└── sql-injection-java.java\n```\n\n## Rationalizations to Reject\n\nWhen porting Semgrep rules, reject these common shortcuts:\n\n| Rationalization | Why It Fails | Correct Approach |\n|-----------------|--------------|------------------|\n| \"Pattern structure is identical\" | Different ASTs across languages | Always dump AST for target language |\n| \"Same vulnerability, same detection\" | Data flow differs between languages | Analyze target language idioms |\n| \"Rule doesn't need tests since original worked\" | Language edge cases differ | Write NEW test cases for target |\n| \"Skip applicability - it obviously applies\" | Some patterns are language-specific | Complete applicability analysis first |\n| \"I'll create all variants then test\" | Errors compound, hard to debug | Complete full cycle per language |\n| \"Library equivalent is close enough\" | Surface similarity hides differences | Verify API semantics match |\n| \"Just translate the syntax 1:1\" | Languages have different idioms | Research target language patterns |\n\n## Strictness Level\n\nThis workflow is **strict** - do not skip steps:\n- **Applicability analysis is mandatory**: Don't assume patterns translate\n- **Each language is independent**: Complete full cycle before moving to next\n- **Test-first for each variant**: Never write a rule without test cases\n- **100% test pass required**: \"Most tests pass\" is not acceptable\n\n## Overview\n\nThis skill 
guides the creation of language-specific variants of existing Semgrep rules. Each target language goes through an independent 4-phase cycle:\n\n```\nFOR EACH target language:\n  Phase 1: Applicability Analysis → Verdict\n  Phase 2: Test Creation (Test-First)\n  Phase 3: Rule Creation\n  Phase 4: Validation\n  (Complete full cycle before moving to next language)\n```\n\n## Foundational Knowledge\n\n**The `semgrep-rule-creator` skill is the authoritative reference for Semgrep rule creation fundamentals.** While this skill focuses on porting existing rules to new languages, the core principles of writing quality rules remain the same.\n\nConsult `semgrep-rule-creator` for guidance on:\n- **When to use taint mode vs pattern matching** - Choosing the right approach for the vulnerability type\n- **Test-first methodology** - Why tests come before rules and how to write effective test cases\n- **Anti-patterns to avoid** - Common mistakes like overly broad or overly specific patterns\n- **Iterating until tests pass** - The validation loop and debugging techniques\n- **Rule optimization** - Removing redundant patterns after tests pass\n\nWhen porting a rule, you're applying these same principles in a new language context. If uncertain about rule structure or approach, refer to `semgrep-rule-creator` first.\n\n## Four-Phase Workflow\n\n### Phase 1: Applicability Analysis\n\nBefore porting, determine if the pattern applies to the target language.\n\n**Analysis criteria:**\n1. Does the vulnerability class exist in the target language?\n2. Does an equivalent construct exist (function, pattern, library)?\n3. 
Are the semantics similar enough for meaningful detection?\n\n**Verdict options:**\n- `APPLICABLE` → Proceed with variant creation\n- `APPLICABLE_WITH_ADAPTATION` → Proceed but significant changes needed\n- `NOT_APPLICABLE` → Skip this language, document why\n\nSee applicability-analysis.md for detailed guidance.\n\n### Phase 2: Test Creation (Test-First)\n\n**Always write tests before the rule.**\n\nCreate test file with target language idioms:\n- Minimum 2 vulnerable cases (`ruleid:`)\n- Minimum 2 safe cases (`ok:`)\n- Include language-specific edge cases\n\n```go\n// ruleid: sql-injection-golang\ndb.Query(\"SELECT * FROM users WHERE id = \" + userInput)\n\n// ok: sql-injection-golang\ndb.Query(\"SELECT * FROM users WHERE id = ?\", userInput)\n```\n\n### Phase 3: Rule Creation\n\n1. **Analyze AST**: `semgrep --dump-ast -l <lang> test-file`\n2. **Translate patterns** to target language syntax\n3. **Update metadata**: language key, message, rule ID\n4. **Adapt for idioms**: Handle language-specific constructs\n\nSee language-syntax-guide.md for translation guidance.\n\n### Phase 4: Validation\n\n```bash\n# Validate YAML\nsemgrep --validate --config rule.yaml\n\n# Run tests\nsemgrep --test --config rule.yaml test-file\n```\n\n**Checkpoint**: Output MUST show `All tests passed`.\n\nFor taint rule debugging:\n```bash\nsemgrep --dataflow-traces -f rule.yaml test-file\n```\n\nSee workflow.md for detailed workflow and troubleshooting.\n\n## Quick Reference\n\n| Task | Command |\n|------|---------|\n| Run tests | `semgrep --test --config rule.yaml test-file` |\n| Validate YAML | `semgrep --validate --config rule.yaml` |\n| Dump AST | `semgrep --dump-ast -l <lang> <file>` |\n| Debug taint flow | `semgrep --dataflow-traces -f rule.yaml file` |\n\n\n## Key Differences from Rule Creation\n\n| Aspect | semgrep-rule-creator | This skill |\n|--------|---------------------|------------|\n| Input | Bug pattern description | Existing rule + target languages |\n| Output | Single 
rule+test | Multiple rule+test directories |\n| Workflow | Single creation cycle | Independent cycle per language |\n| Phase 1 | Problem analysis | Applicability analysis per language |\n| Library research | Always relevant | Optional (when original uses libraries) |\n\n## Documentation\n\n**REQUIRED**: Before porting rules, read relevant Semgrep documentation:\n\n- [Rule Syntax](https://semgrep.dev/docs/writing-rules/rule-syntax) - YAML structure and operators\n- [Pattern Syntax](https://semgrep.dev/docs/writing-rules/pattern-syntax) - Pattern matching and metavariables\n- [Pattern Examples](https://semgrep.dev/docs/writing-rules/pattern-examples) - Per-language pattern references\n- [Testing Rules](https://semgrep.dev/docs/writing-rules/testing-rules) - Testing annotations\n- [Trail of Bits Testing Handbook](https://appsec.guide/docs/static-analysis/semgrep/advanced/) - Advanced patterns\n\n## Next Steps\n\n- For applicability analysis guidance, see applicability-analysis.md\n- For language translation guidance, see language-syntax-guide.md\n- For detailed workflow and examples, see workflow.md\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are 
missing.","tags":["semgrep","rule","variant","creator","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents"],"capabilities":["skill","source-sickn33","skill-semgrep-rule-variant-creator","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/semgrep-rule-variant-creator","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 34583 github stars · SKILL.md body (7,704 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T18:52:13.260Z","embedding":null,"createdAt":"2026-04-18T21:44:12.170Z","updatedAt":"2026-04-22T18:52:13.260Z","lastSeenAt":"2026-04-22T18:52:13.260Z","prices":[{"id":"f58d127e-2d5e-435b-a796-4b2f83ed754d","listingId":"645540b0-6380-4e56-b4cc-885f6a774536","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:44:12.170Z"}],"sources":[{"listingId":"645540b0-6380-4e56-b4cc-885f6a774536","source":"github","sourceId":"sickn33/antigravity-awesome-skills/semgrep-rule-variant-creator","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/semgrep-rule-variant-creator","isPrimary":false,"firstSeenAt":"2026-04-18T21:44:12.170Z","lastSeenAt":"2026-04-22T18:52:13.260Z"}],"details":{"listingId":"645540b0-6380-4e56-b4cc-885f6a774536","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"semgrep-rule-variant-creator","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34583,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-22T06:40:00Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. 
Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"ea1cff37f006d2ad532879900c69f933c1eac7b4","skill_md_path":"skills/semgrep-rule-variant-creator/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/semgrep-rule-variant-creator"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"semgrep-rule-variant-creator","description":"Creates language variants of existing Semgrep rules. Use when porting a Semgrep rule to specified target languages. Takes an existing rule and target languages as input, produces independent rule+test directories for each language."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/semgrep-rule-variant-creator"},"updatedAt":"2026-04-22T18:52:13.260Z"}}