semgrep-rule-creator
by trailofbitssemgrep-rule-creator creates production-quality Semgrep rules for security vulnerabilities, bug patterns, taint-flow detections, and coding standards. Use the semgrep-rule-creator skill for Security Audit work when you need precise rules, test cases, and validation instead of a generic draft.
This skill scores 84/100, which means it is a solid directory listing candidate for users who want a focused Semgrep rule-writing workflow. The repository gives enough operational guidance to help an agent trigger it correctly and write rules with less guesswork than a generic prompt, though users should note the absence of an install command and supporting scripts.
- Clear trigger and scope: explicitly for creating custom Semgrep rules for vulnerabilities, bug patterns, and code patterns.
- Strong operational guidance: includes when-to-use / when-not-to-use guidance plus workflow steps and test-first validation advice.
- Good quick-reference support: references cover required rule fields, pattern operators, and workflow details.
- No install command or automation scripts: adoption will rely on reading the skill docs and running Semgrep manually.
- Support files are limited to references: useful guidance exists, but there is no packaged tooling for rule generation or validation.
Overview of semgrep-rule-creator skill
semgrep-rule-creator is a practical skill for building Semgrep rules that catch real bugs, security flaws, and code-pattern violations with fewer false positives than a generic prompt. It is best for security engineers, AppSec teams, and developers doing a Security Audit who need a custom detection rule, not just a one-off regex idea.
What this skill is for
Use the semgrep-rule-creator skill when you need to express a specific finding in Semgrep syntax: a vulnerability pattern, a taint-flow source-to-sink path, or an enforceable coding standard. It is designed for production-quality rules, which means test cases, edge cases, and validation matter as much as the rule body.
Why it is different
The skill pushes you to decide between pattern matching and taint mode, reject unsafe shortcuts, and verify both positive and negative examples. That makes semgrep-rule-creator more useful than an ordinary prompt that only drafts YAML: it helps you avoid rules that look right but fail in real code.
Best-fit readers
This is a good fit if you already know the bug class you want to detect and need help turning it into a Semgrep rule. It is less useful if you want general static analysis, a ready-made ruleset, or broad code review without a defined detection target.
How to Use semgrep-rule-creator skill
Install and open the right files
Use the semgrep-rule-creator install flow for your platform, then start with SKILL.md. The most useful companion files are references/quick-reference.md for rule syntax and references/workflow.md for the creation process. Those two files are the fastest path to understanding semgrep-rule-creator usage without reading the entire repository.
Give the skill a complete problem statement
A strong input names the language, the bug pattern, the risky code shape, and the safe cases that should not match. For example: “Create a Semgrep rule for Python that flags subprocess.run(..., shell=True) when user input reaches the command string, but does not flag constant commands or validated allowlists.” That is much better than “make a rule for command injection.”
Follow a test-first workflow
The semgrep-rule-creator guide is most effective when you ask for the rule plus test fixtures, not just the YAML. A practical workflow is: define the pattern, choose pattern matching or taint mode, write vulnerable and safe examples, then run semgrep --test --config <rule-id>.yaml <rule-id>.<ext>. If the skill output does not include validation steps, add them yourself before trusting the rule.
Read the repo in this order
For first-pass adoption, read SKILL.md, then references/workflow.md, then references/quick-reference.md. That order surfaces scope, then process, then syntax details. If you are using semgrep-rule-creator for Security Audit work, pay special attention to the “When to Use” and “When NOT to Use” sections so you do not over-apply the skill.
semgrep-rule-creator skill FAQ
Is semgrep-rule-creator only for security rules?
No. The skill also supports bug patterns and coding standards, but it is strongest when the target can be expressed as a precise code pattern or data-flow rule. If your task is vague policy review, a custom Semgrep rule is usually the wrong tool.
Do I need Semgrep experience first?
Basic familiarity helps, but the skill is still beginner-friendly if you can describe the behavior you want to detect. The main learning curve is choosing the right rule strategy and writing good test cases, not memorizing every YAML field.
How is this different from a normal prompt?
A normal prompt may produce a plausible rule. semgrep-rule-creator is more decision-oriented: it emphasizes rule scope, rejection criteria, taint-mode tradeoffs, and test validation, which is what makes the result usable in a real Security Audit.
When should I not use it?
Do not use semgrep-rule-creator if you only want to run existing Semgrep packs, if the issue is too broad to define as a code pattern, or if you need general static analysis without custom rule authoring. In those cases, another workflow will be faster and more reliable.
How to Improve semgrep-rule-creator skill
Start with sharper inputs
The biggest quality gain comes from naming exact inputs and outputs: language, sink, source, sanitizer, and the false positives you want to avoid. For example, specify whether sanitized values, wrappers, or framework helpers should be excluded from matches. That clarity helps semgrep-rule-creator produce rules that are narrower and more trustworthy.
Ask for tests and rejection checks
If you want better results, explicitly request vulnerable examples, safe examples, and edge cases. The most common failure mode is a rule that catches the obvious bad case but also flags benign code. Ask the skill to explain why a candidate pattern should be rejected when it overmatches.
Iterate on precision before breadth
After the first rule, validate it against real snippets from your codebase and refine the pattern or taint sources/sinks based on missed or noisy matches. In practice, semgrep-rule-creator improves most when you feed it concrete false positives and false negatives from your own Security Audit.
Use repository references as a checklist
Revisit references/quick-reference.md when you need syntax corrections and references/workflow.md when you need process discipline. For semgrep-rule-creator improvement, the most useful habit is to convert each rough idea into a testable rule spec before asking for implementation.