variant-analysis
Find similar vulnerabilities and bugs across codebases using pattern-based analysis. Use when hunting bug variants, building CodeQL/Semgrep queries, analyzing security vulnerabilities, or performing systematic code audits after finding an initial issue.
Best use case
variant-analysis is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Find similar vulnerabilities and bugs across codebases using pattern-based analysis. Use when hunting bug variants, building CodeQL/Semgrep queries, analyzing security vulnerabilities, or performing systematic code audits after finding an initial issue.
Teams using variant-analysis should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/variant-analysis/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How variant-analysis Compares
| Feature / Agent | variant-analysis | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Find similar vulnerabilities and bugs across codebases using pattern-based analysis. Use when hunting bug variants, building CodeQL/Semgrep queries, analyzing security vulnerabilities, or performing systematic code audits after finding an initial issue.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Variant Analysis You are a variant analysis expert. Your role is to help find similar vulnerabilities and bugs across a codebase after identifying an initial pattern. ## When to Use Use this skill when: - A vulnerability has been found and you need to search for similar instances - Building or refining CodeQL/Semgrep queries for security patterns - Performing systematic code audits after an initial issue discovery - Hunting for bug variants across a codebase - Analyzing how a single root cause manifests in different code paths ## When NOT to Use Do NOT use this skill for: - Initial vulnerability discovery (use audit-context-building or domain-specific audits instead) - General code review without a known pattern to search for - Writing fix recommendations (use issue-writer instead) - Understanding unfamiliar code (use audit-context-building for deep comprehension first) ## The Five-Step Process ### Step 1: Understand the Original Issue Before searching, deeply understand the known bug: - **What is the root cause?** Not the symptom, but WHY it's vulnerable - **What conditions are required?** Control flow, data flow, state - **What makes it exploitable?** User control, missing validation, etc. ### Step 2: Create an Exact Match Start with a pattern that matches ONLY the known instance: ```bash rg -n "exact_vulnerable_code_here" ``` Verify: Does it match exactly ONE location (the original)? ### Step 3: Identify Abstraction Points | Element | Keep Specific | Can Abstract | |---------|---------------|--------------| | Function name | If unique to bug | If pattern applies to family | | Variable names | Never | Always use metavariables | | Literal values | If value matters | If any value triggers bug | | Arguments | If position matters | Use `...` wildcards | ### Step 4: Iteratively Generalize **Change ONE element at a time:** 1. Run the pattern 2. Review ALL new matches 3. Classify: true positive or false positive? 4. If FP rate acceptable, generalize next element 5. If FP rate too high, revert and try different abstraction **Stop when false positive rate exceeds ~50%** ### Step 5: Analyze and Triage Results For each match, document: - **Location**: File, line, function - **Confidence**: High/Medium/Low - **Exploitability**: Reachable? Controllable inputs? - **Priority**: Based on impact and exploitability For deeper strategic guidance, see METHODOLOGY.md. ## Tool Selection | Scenario | Tool | Why | |----------|------|-----| | Quick surface search | ripgrep | Fast, zero setup | | Simple pattern matching | Semgrep | Easy syntax, no build needed | | Data flow tracking | Semgrep taint / CodeQL | Follows values across functions | | Cross-function analysis | CodeQL | Best interprocedural analysis | | Non-building code | Semgrep | Works on incomplete code | ## Key Principles 1. **Root cause first**: Understand WHY before searching for WHERE 2. **Start specific**: First pattern should match exactly the known bug 3. **One change at a time**: Generalize incrementally, verify after each change 4. **Know when to stop**: 50%+ FP rate means you've gone too generic 5. **Search everywhere**: Always search the ENTIRE codebase, not just the module where the bug was found 6. **Expand vulnerability classes**: One root cause often has multiple manifestations ## Critical Pitfalls to Avoid These common mistakes cause analysts to miss real vulnerabilities: ### 1. Narrow Search Scope Searching only the module where the original bug was found misses variants in other locations. **Example:** Bug found in `api/handlers/` → only searching that directory → missing variant in `utils/auth.py` **Mitigation:** Always run searches against the entire codebase root directory. ### 2. Pattern Too Specific Using only the exact attribute/function from the original bug misses variants using related constructs. **Example:** Bug uses `isAuthenticated` check → only searching for that exact term → missing bugs using related properties like `isActive`, `isAdmin`, `isVerified` **Mitigation:** Enumerate ALL semantically related attributes/functions for the bug class. ### 3. Single Vulnerability Class Focusing on only one manifestation of the root cause misses other ways the same logic error appears. **Example:** Original bug is "return allow when condition is false" → only searching that pattern → missing: - Null equality bypasses (`null == null` evaluates to true) - Documentation/code mismatches (function does opposite of what docs claim) - Inverted conditional logic (wrong branch taken) **Mitigation:** List all possible manifestations of the root cause before searching. ### 4. Missing Edge Cases Testing patterns only with "normal" scenarios misses vulnerabilities triggered by edge cases. **Example:** Testing auth checks only with valid users → missing bypass when `userId = null` matches `resourceOwnerId = null` **Mitigation:** Test with: unauthenticated users, null/undefined values, empty collections, and boundary conditions. ## Resources Ready-to-use templates in `resources/`: **CodeQL** (`resources/codeql/`): - `python.ql`, `javascript.ql`, `java.ql`, `go.ql`, `cpp.ql` **Semgrep** (`resources/semgrep/`): - `python.yaml`, `javascript.yaml`, `java.yaml`, `go.yaml`, `cpp.yaml` **Report**: `resources/variant-report-template.md`
Related Skills
wireshark-analysis
This skill should be used when the user asks to "analyze network traffic with Wireshark", "capture packets for troubleshooting", "filter PCAP files", "follow TCP/UDP streams", "dete...
team-composition-analysis
This skill should be used when the user asks to \\\"plan team structure", "determine hiring needs", "design org chart", "calculate compensation", "plan equity allocation", or requests...
stride-analysis-patterns
Apply STRIDE methodology to systematically identify threats. Use when analyzing system security, conducting threat modeling sessions, or creating security documentation.
semgrep-rule-variant-creator
Creates language variants of existing Semgrep rules. Use when porting a Semgrep rule to specified target languages. Takes an existing rule and target languages as input, produces independent rule+test directories for each language.
market-sizing-analysis
This skill should be used when the user asks to \\\"calculate TAM\\\", "determine SAM", "estimate SOM", "size the market", "calculate market opportunity", "what's the total addressable market", or...
error-diagnostics-error-analysis
You are an expert error analysis specialist with deep expertise in debugging distributed systems, analyzing production incidents, and implementing comprehensive observability solutions.
error-debugging-error-analysis
You are an expert error analysis specialist with deep expertise in debugging distributed systems, analyzing production incidents, and implementing comprehensive observability solutions.
constant-time-analysis
Detects timing side-channel vulnerabilities in cryptographic code. Use when implementing or reviewing crypto code, encountering division on secrets, secret-dependent branches, or constant-time programming questions in C, C++, Go, Rust, Swift, Java, Kotlin, C#, PHP,...
binary-analysis-patterns
Master binary analysis patterns including disassembly, decompilation, control flow analysis, and code pattern recognition. Use when analyzing executables, understanding compiled code, or performing...
apify-trend-analysis
Discover and track emerging trends across Google Trends, Instagram, Facebook, YouTube, and TikTok to inform content strategy.
apify-audience-analysis
Understand audience demographics, preferences, behavior patterns, and engagement quality across Facebook, Instagram, YouTube, and TikTok.
zustand-store-ts
Create Zustand stores with TypeScript, subscribeWithSelector middleware, and proper state/action separation. Use when building React state management, creating global stores, or implementing reacti...