This is your pattern-based static analysis workhorse for finding security vulnerabilities and enforcing coding standards across 30+ languages. It shines when you need quick scans (minutes, not hours) using registry rulesets such as the OWASP Top 10 or CWE Top 25 packs, or when you want to write custom YAML rules for project-specific patterns. Taint mode is the right tool for injection classes: it tracks data from untrusted sources to dangerous sinks through assignments and string operations (within a single function in the open-source engine), which catches cases that a single pattern match misses. The skill includes MCP tools for scanning files and creating custom rules, plus comprehensive CLI fallbacks. One honest take: the test-first approach for custom rules is mandatory, not optional. Pair every rule file with a same-named test file carrying ruleid: and ok: comment annotations and run it through semgrep --test; without that you will waste time chasing false positives and, worse, never notice the false negatives.
npx -y skills add semgrep/skills --skill semgrep --agent claude-code
Installs into .claude/skills of the current project.
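The rule-plus-test pattern described above, as an added example that is not part of the semgrep/skills page: a taint-mode rule for Flask request data reaching subprocess with shell=True, written beside a Python test target annotated with ruleid: and ok: markers, then checked with semgrep --validate and semgrep --test. The rule id, the file names, the source/sink choice and the shlex.quote sanitizer are assumptions picked for illustration, not the skill's own rules.

```shell
#!/bin/sh
# Added example, not code from semgrep/skills. Rule id, paths and the
# Flask -> subprocess pattern are illustrative assumptions.

# Write a taint rule and its same-named test target into DIR.
# Semgrep pairs <name>.yaml with <name>.py for `semgrep --test`.
write_rule_and_tests() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/flask-request-to-shell.yaml" <<'EOF'
rules:
  - id: flask-request-to-shell
    mode: taint
    languages: [python]
    severity: ERROR
    message: >-
      Request-controlled data reaches subprocess.$FN with shell=True
      (OS command injection). Pass an argument list without shell=True,
      or quote the value with shlex.quote().
    metadata:
      cwe: "CWE-78"
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
      - pattern: flask.request.args[...]
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    pattern-sinks:
      - patterns:
          - pattern: subprocess.$FN($CMD, ..., shell=True, ...)
          - focus-metavariable: $CMD
EOF
  # Constructed test target: one true positive, two cases that must stay quiet.
  cat > "$dir/flask-request-to-shell.py" <<'EOF'
import shlex
import subprocess
from flask import request


def ping_host():
    host = request.args.get("host")
    # ruleid: flask-request-to-shell
    subprocess.run("ping -c 1 " + host, shell=True)


def ping_host_argv():
    host = request.args.get("host")
    # ok: flask-request-to-shell
    subprocess.run(["ping", "-c", "1", host])


def ping_host_quoted():
    host = shlex.quote(request.args.get("host"))
    # ok: flask-request-to-shell
    subprocess.run("ping -c 1 " + host, shell=True)
EOF
}

# Validate rule syntax, then run the annotated test file against it.
# Returns 0 with a notice when semgrep is not on PATH.
run_rule_tests() {
  dir="$1"
  if ! command -v semgrep >/dev/null 2>&1; then
    echo "semgrep not installed (pip install semgrep); skipping run" >&2
    return 0
  fi
  semgrep --validate --config "$dir" && semgrep --test "$dir"
}

# Usage: write_rule_and_tests ./rules && run_rule_tests ./rules
```

The ok: cases are the part people skip: the argv form has no shell=True so the sink never matches, and the shlex.quote call is declared as a sanitizer, so the taint is dropped before it reaches the sink. If either of those ever starts firing, semgrep --test fails and you find out before the rule lands in CI.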