by semgrep
A collection of skills for AI coding agents from Semgrep
# Add to your Claude Code skills

```shell
git clone https://github.com/semgrep/skills
```

or, with the skills CLI:

```shell
npx skills add semgrep/skills
```

A collection of skills for AI coding agents. Skills are packaged instructions and scripts that extend agent capabilities. This should be considered beta-level software; it is primarily generated by transforming open-source Semgrep rules into skill format.

Skills follow the Agent Skills format.
Comprehensive code security guidelines from Semgrep Engineering covering OWASP Top 10, infrastructure security, and secure coding best practices across 15+ languages.
Use when:
Categories covered:
| Impact | Category | Description |
|--------|----------|-------------|
| Critical | SQL Injection | Parameterized queries, ORM safety |
| Critical | Command Injection | Shell command safety, input validation |
| Critical | Cross-Site Scripting (XSS) | Output encoding, DOM safety |
| Critical | XML External Entity (XXE) | XML parser configuration |
| Critical | Path Traversal | File path validation |
| Critical | Insecure Deserialization | Safe deserialization patterns |
| Critical | Code Injection | Eval safety, template injection |
| Critical | Hardcoded Secrets | Environment variables, secret management |
| Critical | Memory Safety | Buffer overflows, use-after-free (C/C++) |
| | Insecure Cryptography | Strong hashing (SHA-256+), encryption (AES) |
| | Insecure Transport | HTTPS, certificate validation, TLS |
| | Server-Side Request Forgery | URL validation, allowlists |
| | JWT Authentication | Signature verification, algorithm safety |
| | Cross-Site Request Forgery | CSRF tokens, SameSite cookies |
| | Prototype Pollution | Object key validation (JavaScript) |
| | Unsafe Functions | Dangerous function alternatives |
| | Terraform AWS | S3, IAM, EC2, RDS security |
| | Terraform Azure | Storage, App Service, Key Vault |
| | Terraform GCP | GCS, GCE, GKE, IAM |
| | Kubernetes | Pod security, RBAC, secrets |
| | Docker | Non-root containers, image pinning |
| | GitHub Actions | Script injection, action pinning |
| | Regex DoS | Catastrophic backtracking prevention |
| | Race Conditions | TOCTOU, secure temp files |
| | Code Correctness | Common bugs, type errors |
| | Best Practices | Code quality patterns |
| | Performance | Efficiency anti-patterns |
| | Maintainability | Code organization |
Languages: Python, JavaScript/TypeScript, Java, Go, Ruby, PHP, C/C++, C#, Scala, Kotlin, Rust, HCL (Terraform), YAML (Kubernetes)
Security guidelines for LLM applications based on the OWASP Top 10 for Large Lan...