
Codeql Semgrep
Run and customize CodeQL and Semgrep in agent workflows for data-flow vulnerabilities, project-specific rules, and review-ready remediation—not just default rulesets.
Install
npx skills add https://github.com/itallstartedwithaidea/agent-skills --skill codeql-semgrep

What is this skill?
- Combines CodeQL relational analysis with Semgrep syntactic, type-aware pattern matching
- Authors custom CodeQL queries and Semgrep rules for ORM usage, auth middleware coverage, and leak-free errors
- Interprets findings with actionable remediation—not only pass/fail from stock rules
- Fits agent-driven code review enforcement beyond regex surface scanners
Adoption & trust: 1 install on skills.sh; 18 GitHub stars; 3/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
Journey fit
Deep static analysis and enforcement land in Ship when you harden code before release and encode security expectations into review. Security is the canonical shelf because the skill centers on vulnerability tracing, sources/sinks, and custom rules that block unsafe patterns—not generic lint style.
Common Questions / FAQ
Is Codeql Semgrep safe to install?
skills.sh reports 3 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md - Codeql Semgrep
# CodeQL & Semgrep

Part of [Agent Skills™](https://github.com/itallstartedwithaidea/agent-skills) by [googleadsagent.ai™](https://googleadsagent.ai)

## Description

CodeQL & Semgrep integrates production-grade static analysis into agent workflows for deep vulnerability detection, custom rule authoring, and automated code review enforcement. The agent writes CodeQL queries and Semgrep rules tailored to project-specific patterns, runs them against codebases, and interprets results with actionable remediation guidance.

Pattern-matching security scanners catch surface-level issues. CodeQL and Semgrep operate at a deeper level: CodeQL builds a relational database of the program's structure and evaluates queries that trace data flow from sources (user input) to sinks (dangerous operations). Semgrep matches syntactic patterns with type-aware analysis. Together, they catch vulnerabilities that regex-based scanners miss entirely.

This skill goes beyond running default rulesets. The agent writes custom rules for project-specific patterns: ensuring all database queries use the project's ORM wrapper, verifying that authentication middleware is applied to every route, or confirming that error responses never leak stack traces. Custom rules encode institutional security knowledge that persists beyond any individual reviewer.

## Use When

- Running static analysis on AI-generated or human-written code
- Writing custom security rules for project-specific patterns
- Integrating security scanning into CI/CD pipelines
- Tracing data flow from user input to dangerous operations
- Enforcing architectural security constraints (auth on all routes, ORM usage)
- The user requests "static analysis", "CodeQL", or "Semgrep"

## How It Works

```mermaid
graph TD
    A[Codebase] --> B{Analysis Engine}
    B -->|Data Flow| C[CodeQL: Build Database]
    B -->|Pattern Match| D[Semgrep: Parse AST]
    C --> E[Run CodeQL Queries]
    D --> F[Run Semgrep Rules]
    E --> G[Taint Tracking: Source → Sink]
    F --> H[Pattern Matches + Metavariables]
    G --> I[Merge Findings]
    H --> I
    I --> J[Deduplicate + Prioritize]
    J --> K[Remediation Report]
    K --> L[CI/CD Gate: Pass/Fail]
```

CodeQL excels at data flow analysis (tracing tainted input through the program); Semgrep excels at pattern matching (finding structural anti-patterns). Running both provides comprehensive coverage.

## Implementation

### Semgrep Rules

```yaml
# .semgrep/agent-rules.yml
rules:
  - id: sql-injection-f-string
    patterns:
      # Any cursor-like receiver whose execute() call gets an f-string as the SQL text.
      - pattern: |
          $CURSOR.execute(f"...", ...)
    message: >
      SQL query uses f-string interpolation, which is vulnerable to SQL injection.
      Use parameterized queries instead.
    severity: ERROR
    languages: [python]
    metadata:
      cwe: ["CWE-89"]
      confidence: HIGH

  - id: missing-auth-middleware
    patterns:
      - pattern: |
          @app.route($PATH, ...)
          def $FUNC(...):
            ...
      # Exempt only the order that actually protects the route: Flask registers the
      # function object that @app.route receives, so @require_auth must sit below it
      # (closer to the def). A @require_auth placed above @app.route wraps a function
      # that was already registered unprotected, and is still reported.
      - pattern-not: |
          @app.route($PATH, ...)
          @require_auth
          def $FUNC(...):
            ...
    message: >
      Route handler $FUNC lacks @require_auth decorator. All routes must be
      authenticated unless explicitly exempted.
    severity: WARNING
    languages: [python]
    metadata:
      cwe: ["CWE-306"]

  - id: no-eval-user-input
    patterns:
      - pattern: eval($X)
      # pattern-where-python is no longer supported by Semgrep; excluding string-literal
      # arguments with pattern-not keeps only calls whose argument is computed at runtime.
      - pattern-not: eval("...")
    message: "eval() called with potentially dynamic input"
    severity: ERROR
    languages: [python]
    metadata:
      cwe: ["CWE-95"]
```

### CodeQL Query

```ql
/**
 * @name SQL injection from request parameter
 * @description Finds SQL queries constructed from HTTP request parameters
 * @kind path-problem
 *
```
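The following is an added example, not code from the skill or its repository. It shows Python code that the `sql-injection-f-string` and `missing-auth-middleware` rules above are written to flag, next to the forms they accept, exercised against an in-memory SQLite database. `Router` is a stand-in for Flask's `app.route` (it assumes, as Flask does, that the decorator stores the function it receives and returns it unchanged), and `require_auth` is a hypothetical auth decorator; the sample table and the name `O'Brien` are constructed data.

```python
import sqlite3
from functools import wraps


def make_db() -> sqlite3.Connection:
    """Constructed sample data; the apostrophe in O'Brien is ordinary data, not an attack."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Matched by sql-injection-f-string ($CURSOR.execute(f"...", ...)): the value is
    # pasted into the SQL text, so a quote inside it changes the statement itself.
    cursor = conn.cursor()
    cursor.execute(f"SELECT name, role FROM users WHERE name = '{name}'")
    return cursor.fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Not matched: the SQL text is constant and the driver binds the value separately,
    # so a quote in the name is just a character.
    cursor = conn.cursor()
    cursor.execute("SELECT name, role FROM users WHERE name = ?", (name,))
    return cursor.fetchall()


def unsafe_query_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """True when the interpolated query is no longer valid SQL for this input."""
    try:
        find_user_unsafe(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


class Router:
    """Stand-in for Flask's app.route (assumed behaviour): the decorator stores the
    function it receives as the view and returns that same function unchanged."""

    def __init__(self) -> None:
        self.views = {}

    def route(self, path: str):
        def register(func):
            self.views[path] = func
            return func
        return register


def require_auth(view):
    """Hypothetical auth decorator: refuses to run the view without a user."""
    @wraps(view)
    def guarded(user=None):
        if user is None:
            raise PermissionError("authentication required")
        return view(user=user)
    return guarded


def build_app() -> Router:
    app = Router()

    @app.route("/secure")   # accepted by missing-auth-middleware: the registered view is the guarded wrapper
    @require_auth
    def secure(user=None):
        return f"hello {user}"

    @require_auth           # still reported: route() stored the bare function before require_auth wrapped it
    @app.route("/leaky")
    def leaky(user=None):
        return f"hello {user}"

    return app


def registered_view_requires_auth(app: Router, path: str) -> bool:
    """Call the registered view the way the framework would, with no authenticated user."""
    try:
        app.views[path](user=None)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(find_user_safe(db, "O'Brien"), unsafe_query_breaks(db, "O'Brien"))
    app = build_app()
    for path in ("/secure", "/leaky"):
        print(path, "protected" if registered_view_requires_auth(app, path) else "UNPROTECTED")
```

The point of the router half is why the rule's exemption pattern has to be order-sensitive: with `@require_auth` above `@app.route`, the view stored by the framework is the bare function, so the route answers without authentication even though the decorator is present in the source.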
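The merge, deduplicate, prioritize and gate steps of the "How It Works" diagram, as an added example that is not the skill's own code. It parses the two tools' documented output shapes (Semgrep `--json` results with `check_id`, `path`, `start.line` and `extra.severity`/`extra.metadata.cwe`; CodeQL SARIF 2.1.0 runs with `ruleId`, `level`, `message.text`, a `physicalLocation`, and the CWE carried as an `external/cwe/cwe-NNN` tag on the rule), collapses findings that point at the same file, line and CWE, and fails the gate when an ERROR remains. The shared severity scale, the gate policy, and the sample tool output for a made-up `app.py` are this example's own constructions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumption: one severity scale for both tools; SARIF levels are mapped onto Semgrep's names.
SEVERITY_RANK = {"ERROR": 3, "WARNING": 2, "INFO": 1}
SARIF_LEVEL = {"error": "ERROR", "warning": "WARNING", "note": "INFO", "none": "INFO"}
CWE_RE = re.compile(r"cwe-0*(\d+)", re.IGNORECASE)


def normalize_cwe(tag: str) -> Optional[str]:
    """'CWE-89', 'CWE-89: ...' and CodeQL's 'external/cwe/cwe-089' all become 'CWE-89'."""
    m = CWE_RE.search(tag)
    return f"CWE-{int(m.group(1))}" if m else None


@dataclass
class Finding:
    rule: str
    path: str
    line: int
    severity: str
    cwe: Optional[str]
    message: str
    tools: set = field(default_factory=set)


def parse_semgrep(doc: dict) -> list:
    """Semgrep --json: results[].check_id / path / start.line / extra.{severity,message,metadata.cwe}."""
    out = []
    for r in doc.get("results", []):
        extra = r.get("extra", {})
        cwes = extra.get("metadata", {}).get("cwe") or []
        if isinstance(cwes, str):
            cwes = [cwes]
        out.append(Finding(r["check_id"], r["path"], r["start"]["line"],
                           extra.get("severity", "INFO").upper(),
                           normalize_cwe(cwes[0]) if cwes else None,
                           extra.get("message", ""), {"semgrep"}))
    return out


def parse_sarif(doc: dict) -> list:
    """CodeQL SARIF: the CWE comes from the matching rule's tags in tool.driver.rules."""
    out = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            tags = rules.get(res["ruleId"], {}).get("properties", {}).get("tags", [])
            cwe = next((c for c in map(normalize_cwe, tags) if c), None)
            loc = res["locations"][0]["physicalLocation"]
            out.append(Finding(res["ruleId"], loc["artifactLocation"]["uri"],
                               loc["region"]["startLine"],
                               SARIF_LEVEL.get(res.get("level", "warning"), "WARNING"),
                               cwe, res["message"]["text"], {"codeql"}))
    return out


def merge_findings(*groups) -> list:
    """Collapse findings on the same file, line and CWE (rule id when no CWE), keep the
    highest severity, and rank by severity first, then by how many tools agreed."""
    merged = {}
    for f in (x for g in groups for x in g):
        key = (f.path, f.line, f.cwe or f.rule)
        cur = merged.get(key)
        if cur is None:
            merged[key] = Finding(f.rule, f.path, f.line, f.severity, f.cwe, f.message, set(f.tools))
        else:
            cur.tools |= f.tools
            if SEVERITY_RANK[f.severity] > SEVERITY_RANK[cur.severity]:
                cur.severity, cur.rule, cur.message = f.severity, f.rule, f.message
    return sorted(merged.values(),
                  key=lambda f: (-SEVERITY_RANK[f.severity], -len(f.tools), f.path, f.line))


def gate(findings: list, fail_on: str = "ERROR") -> bool:
    """CI gate policy (assumption): pass only when nothing at or above fail_on remains."""
    return all(SEVERITY_RANK[f.severity] < SEVERITY_RANK[fail_on] for f in findings)


# Constructed sample output from both tools for the same made-up app.py.
SEMGREP_JSON = {"results": [
    {"check_id": "sql-injection-f-string", "path": "app.py", "start": {"line": 14},
     "extra": {"severity": "ERROR", "message": "SQL query uses f-string interpolation",
               "metadata": {"cwe": ["CWE-89"]}}},
    {"check_id": "missing-auth-middleware", "path": "app.py", "start": {"line": 30},
     "extra": {"severity": "WARNING", "message": "Route handler export_users lacks @require_auth",
               "metadata": {"cwe": ["CWE-306"]}}}]}
CODEQL_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL", "rules": [
        {"id": "py/sql-injection", "properties": {"tags": ["security", "external/cwe/cwe-089"]}}]}},
    "results": [{"ruleId": "py/sql-injection", "level": "error",
                 "message": {"text": "This SQL query depends on a user-provided value."},
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app.py"},
                                                     "region": {"startLine": 14}}}]}]}]}


def run_pipeline() -> list:
    return merge_findings(parse_semgrep(SEMGREP_JSON), parse_sarif(CODEQL_SARIF))


if __name__ == "__main__":
    report = run_pipeline()
    for f in report:
        print(f"{f.severity:7} {f.path}:{f.line} {f.cwe or '-'} [{', '.join(sorted(f.tools))}] {f.message}")
    print("gate:", "PASS" if gate(report) else "FAIL")
```

Keying the deduplication on CWE rather than rule id is what lets a CodeQL taint path and a Semgrep pattern match for the same sink collapse into one item; the tool count then becomes a confidence signal for prioritization, since a finding both engines agree on is rarely a false positive.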