Codeql

Codeql taxonomy generated by the site skill importer.

7 skills
coverage-analysis

by trailofbits

coverage-analysis helps you measure the code exercised during fuzzing, spot blockers such as magic-value checks, and compare harness changes. Use this skill in Security Audit workflows when you need clear usage and install guidance and repeatable, well-documented coverage decisions.

Security Audit
semgrep

by trailofbits

Semgrep skill for static analysis on codebases, with automatic language detection, parallel workers, merged SARIF output, and plan-first approval. Built for Security Audit workflows, it supports run-all and important-only modes, runs with --metrics=off, and can use Semgrep Pro when available.

Security Audit
sarif-parsing

by trailofbits

sarif-parsing is a post-scan skill for reading, filtering, deduplicating, summarizing, and converting SARIF 2.1.0 results from tools like CodeQL and Semgrep. Use it when you already have scan output and need clear parsing, aggregation, or CI/CD-ready transformation. It is not for running scans.

Code Editing
codeql

by trailofbits

The codeql skill helps you run CodeQL with fewer blind spots during a security audit. It focuses on database quality, suite selection, data extensions, and SARIF review so you can use CodeQL more reliably across its supported languages. Use it for repeatable, guided CodeQL steps when analyzing real repositories.

Security Audit
cpg-analysis

by alinaqi

cpg-analysis is a deep code analysis skill for control flow, data flow, taint paths, and security auditing using Joern CPG and CodeQL. Use the cpg-analysis skill when a normal repo skim is not enough and you need evidence-backed tracing across functions, files, and sinks.

Security Audit
finding-duplicate-functions

by obra

Use the finding-duplicate-functions skill to identify semantic duplicates: functions that do the same job under different names or with different implementations. It is built for LLM-generated and fast-growing JavaScript or TypeScript codebases, and it supports Code Review, consolidation planning, and cleanup before refactors.

Code Review
variant-analysis

by trailofbits

variant-analysis helps you find similar vulnerabilities and bugs across a codebase after one issue is confirmed. Use it to build CodeQL or Semgrep queries, follow a root-cause-first workflow, and run a focused variant search for Security Audit work. It is best for post-discovery searches, not broad initial review.

Security Audit