code-security
This AI agent skill runs Semgrep to perform comprehensive code security scans, detecting vulnerabilities, secrets leakage, and OWASP Top 10 issues across various programming languages. It provides a structured report with remediation suggestions.
About this skill
The `code-security` skill empowers AI agents to act as a dedicated code security scanning expert. It leverages Semgrep, a fast, open-source static analysis tool, to automatically inspect source code for a wide range of security flaws. The skill can identify common vulnerabilities, potential secrets leakage (like API keys or passwords), and compliance with the OWASP Top 10 security risks. It supports scanning across multiple languages including Python, JavaScript/TypeScript, and Go, with options for general security audits or language-specific rule sets. Upon activation, the agent first verifies Semgrep's installation, identifies the project's primary language, and then executes the appropriate scanning strategy based on the user's request. The core value of this skill lies in its ability to streamline the security auditing process, allowing developers and security teams to quickly gain insights into their codebase's security posture without manually configuring complex tools. The agent ensures a standardized output, presenting findings in a clear, categorized report with severity levels and actionable remediation advice, making it easier to prioritize and fix critical issues. This skill is particularly useful for integrating automated security checks into development workflows, facilitating early detection of security vulnerabilities, and enforcing coding standards from a security perspective. By automating the initial pass of security scanning, it frees up human experts to focus on more complex, context-dependent security challenges.
Best use case
This skill is ideal for developers, security engineers, and DevOps teams who need to integrate automated static application security testing (SAST) into their development lifecycle. It's perfect for pre-commit checks, continuous integration (CI) pipelines, or ad-hoc security audits of codebases, ensuring that common vulnerabilities and sensitive data exposures are caught early. Teams looking to quickly assess the security health of a project or enforce basic security standards will benefit most from its structured reporting and actionable recommendations.
This AI agent skill runs Semgrep to perform comprehensive code security scans, detecting vulnerabilities, secrets leakage, and OWASP Top 10 issues across various programming languages. It provides a structured report with remediation suggestions.
A structured security report summarizing discovered vulnerabilities, secrets, or OWASP issues, categorized by severity, with file locations and specific remediation suggestions.
Practical example
Example input
帮我安全扫描一下这个项目,检查一下有没有密钥泄露。
Example output
### 扫描摘要 | 项目 | 结果 | |---|---| | 扫描工具 | Semgrep 0.123.0 | | 规则集 | p/security-audit, p/secrets | | 扫描文件数 | 150 | | 发现问题数 | 5 | ### 问题分类 **高危(必须修复)** - `src/utils/config.py:10` 硬编码AWS S3访问密钥。修复建议:将密钥存储在环境变量或密钥管理服务中。 **中危(建议修复)** - `src/auth.js:25` 使用弱哈希算法(MD5)进行密码存储。修复建议:改用bcrypt或argon2等强哈希算法。 **低危/信息** - `src/main.go:30` 未使用的变量。
When to use this skill
- When performing a security audit or vulnerability assessment of a codebase.
- To detect hardcoded secrets like API keys, passwords, or tokens.
- For identifying OWASP Top 10 vulnerabilities in your project.
- To get a quick overview of potential security issues in Python, JavaScript/TypeScript, or Go projects.
When not to use this skill
- When requiring deep, context-aware code logic analysis that goes beyond pattern matching.
- If you need a zero-false-positive security solution, as static analysis tools can have some.
- For dynamic analysis (DAST) or runtime security testing.
- If Semgrep is already integrated into your CI/CD pipeline and you don't need an ad-hoc agent execution.
How code-security Compares
| Feature / Agent | code-security | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | easy | N/A |
Frequently Asked Questions
What does this skill do?
This AI agent skill runs Semgrep to perform comprehensive code security scans, detecting vulnerabilities, secrets leakage, and OWASP Top 10 issues across various programming languages. It provides a structured report with remediation suggestions.
How difficult is it to install?
The installation complexity is rated as easy. You can find the installation instructions above.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
SKILL.md Source
# AI代码安全扫描专家 你是代码安全扫描专家,使用Semgrep对当前项目进行全面的安全漏洞检测。 --- ## 前置检查 在执行任何扫描前,先确认Semgrep已安装: ```bash semgrep --version ``` 如果未安装,执行: ```bash pip install semgrep ``` --- ## 核心能力 ### 1. 全面安全扫描(默认模式) 使用Semgrep推荐规则集扫描当前项目: ```bash semgrep scan --config auto --json 2>/dev/null | python -m json.tool ``` 如果JSON输出太大,使用文本模式: ```bash semgrep scan --config auto ``` ### 2. OWASP安全审计 专注于OWASP Top 10漏洞检测: ```bash semgrep scan --config "p/security-audit" ``` ### 3. 语言专项扫描 根据项目主要语言选择规则集: **Python项目**: ```bash semgrep scan --config "p/python" --config "p/bandit" ``` **JavaScript/TypeScript项目**: ```bash semgrep scan --config "p/javascript" --config "p/typescript" ``` **Go项目**: ```bash semgrep scan --config "p/golang" ``` ### 4. 密钥泄露检测 检查代码中是否有硬编码的API密钥、密码、Token: ```bash semgrep scan --config "p/secrets" ``` ### 5. 指定文件/目录扫描 ```bash semgrep scan --config auto <目标路径> ``` --- ## 扫描流程 收到用户请求后,按以下流程执行: 1. **确认环境**:检查Semgrep版本,确认已安装 2. **识别项目语言**:检查项目中的文件类型,确定主要语言 3. **选择扫描策略**:根据用户需求选择合适的规则集 4. **执行扫描**:运行Semgrep命令 5. **分析结果**:解读扫描结果,按严重程度分类 6. **输出报告**:生成结构化的安全报告 --- ## 报告格式 扫描完成后,输出以下格式的报告: ### 扫描摘要 | 项目 | 结果 | |------|------| | 扫描工具 | Semgrep [版本] | | 规则集 | [使用的规则集] | | 扫描文件数 | [数量] | | 发现问题数 | [数量] | ### 问题分类 按严重程度分类(高危 > 中危 > 低危 > 信息): **高危(必须修复)** - [文件:行号] 问题描述 + 修复建议 **中危(建议修复)** - [文件:行号] 问题描述 + 修复建议 **低危/信息** - [文件:行号] 问题描述 ### 修复建议 针对每个高危和中危问题,提供: 1. 问题原因说明 2. 具体修复代码 3. 预防建议 --- ## 使用示例 用户可以这样触发本Skill: - "帮我安全扫描一下这个项目" - "扫一下漏洞" - "代码扫描" - "检查一下有没有安全问题" - "扫一下有没有密钥泄露" - "对src目录做个安全检查" --- ## 注意事项 1. Semgrep是规则匹配工具,能发现已知模式的漏洞,但无法像Claude Code Security那样理解代码逻辑 2. 扫描结果可能有误报,需要结合上下文判断 3. 密钥泄露检测(p/secrets)建议每次提交前都跑一遍 4. 大型项目扫描可能需要较长时间,可以指定子目录缩小范围
Related Skills
perl-security
全面的Perl安全指南,涵盖污染模式、输入验证、安全进程执行、DBI参数化查询、Web安全(XSS/SQLi/CSRF)以及perlcritic安全策略。
security-scan
AgentShield を使用して、Claude Code の設定(.claude/ ディレクトリ)のセキュリティ脆弱性、設定ミス、インジェクションリスクをスキャンします。CLAUDE.md、settings.json、MCP サーバー、フック、エージェント定義をチェックします。
security-review
Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.
mobile-security-coder
Expert in secure mobile coding practices specializing in input validation, WebView security, and mobile-specific security patterns.
laravel-security-audit
Security auditor for Laravel applications. Analyzes code for vulnerabilities, misconfigurations, and insecure practices using OWASP standards and Laravel security best practices.
frontend-security-coder
Expert in secure frontend coding practices specializing in XSS prevention, output sanitization, and client-side security patterns.
frontend-mobile-security-xss-scan
You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection poi
azure-security-keyvault-keys-java
Azure Key Vault Keys Java SDK for cryptographic key management. Use when creating, managing, or using RSA/EC keys, performing encrypt/decrypt/sign/verify operations, or working with HSM-backed keys.
azure-security-keyvault-keys-dotnet
Azure Key Vault Keys SDK for .NET. Client library for managing cryptographic keys in Azure Key Vault and Managed HSM. Use for key creation, rotation, encryption, decryption, signing, and verification.
Cybersecurity Risk Assessment
You are a cybersecurity risk assessment specialist. When the user needs a security audit, threat assessment, or compliance review, follow this framework.
afrexai-cybersecurity-engine
Complete cybersecurity assessment, threat modeling, and hardening system. Use when conducting security audits, threat modeling, penetration testing, incident response, or building security programs from scratch. Works with any stack — zero external dependencies.
security-guardian
Automated security auditing for OpenClaw projects. Scans for hardcoded secrets (API keys, tokens) and container vulnerabilities (CVEs) using Trivy. Provides structured reports to help maintain a clean and secure codebase.