Semgrep

Semgrep taxonomy generated by the site skill importer.

4 skills
semgrep

by trailofbits

Semgrep skill for static analysis of codebases with automatic language detection, parallel workers, merged SARIF output, and plan-first approval. Built for Security Audit workflows, it supports "run all" and "important only" modes, always passes --metrics=off so that no scan telemetry is sent to Semgrep, and can use Semgrep Pro when it is available.

Security Audit
sarif-parsing

by trailofbits

sarif-parsing is a post-scan skill for reading, filtering, deduplicating, summarizing, and converting SARIF 2.1.0 results from tools such as CodeQL and Semgrep. Use it when you already have scan output and need parsing, aggregation, or a CI/CD-ready transformation of it; it does not run scans.
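The merged-SARIF and SARIF-parsing steps described in the two entries above, as an added example written for this page (it is not code from the trailofbits skills). It constructs a Semgrep-style run and a CodeQL-style run inline, merges them into one SARIF 2.1.0 log, drops duplicate results, resolves each result's severity the way SARIF defines it (result.level, then the rule's defaultConfiguration.level, then "warning"), and filters and counts by level. Rule ids, file paths and messages are illustrative, not real findings.

```python
"""Merge, deduplicate, filter and summarize SARIF 2.1.0 logs.

Added example, not code from the trailofbits skills. Two small logs are
constructed inline (a Semgrep-style run and a CodeQL-style run) so it runs
offline; rule ids, paths and messages are illustrative, not real findings.
"""
from collections import Counter

LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def sample_result(rule_id, uri, line, text, level=None):
    """Build one SARIF result. 'level' is optional: CodeQL usually omits it and
    relies on the rule's defaultConfiguration, Semgrep sets it per result."""
    res = {"ruleId": rule_id, "message": {"text": text},
           "locations": [{"physicalLocation": {
               "artifactLocation": {"uri": uri},
               "region": {"startLine": line}}}]}
    if level:
        res["level"] = level
    return res


# Constructed: the same Semgrep finding emitted twice, as happens when two
# --config rulesets both contain the rule.
SEMGREP_LOG = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "Semgrep OSS", "rules": [
        {"id": "python.lang.security.audit.eval-detected",
         "defaultConfiguration": {"level": "warning"}}]}},
    "results": [
        sample_result("python.lang.security.audit.eval-detected",
                      "app/views.py", 42, "Detected eval()", level="error"),
        sample_result("python.lang.security.audit.eval-detected",
                      "app/views.py", 42, "Detected eval()", level="error"),
    ]}]}

# Constructed: CodeQL results carry no level, so severity comes from the rules.
CODEQL_LOG = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL", "rules": [
        {"id": "py/code-injection", "defaultConfiguration": {"level": "error"}},
        {"id": "py/clear-text-logging-sensitive-data",
         "defaultConfiguration": {"level": "warning"}}]}},
    "results": [
        sample_result("py/code-injection", "app/views.py", 42,
                      "Code injection from user input"),
        sample_result("py/clear-text-logging-sensitive-data", "app/auth.py", 17,
                      "Sensitive data written to log"),
    ]}]}


def rule_index(run):
    """Map ruleId -> rule object from tool.driver.rules."""
    return {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}


def severity(result, rules):
    """Effective level: result.level, else the rule's defaultConfiguration.level,
    else 'warning' (the SARIF 2.1.0 default when neither is present)."""
    if "level" in result:
        return result["level"]
    rule = rules.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def primary_location(result):
    """(uri, startLine) of the first physical location, or (None, None)."""
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        return (phys.get("artifactLocation", {}).get("uri"),
                phys.get("region", {}).get("startLine"))
    return None, None


def dedupe_results(results):
    """Drop repeats of (ruleId, uri, startLine) within one run, keeping the first."""
    seen, kept = set(), []
    for r in results:
        key = (r.get("ruleId"),) + primary_location(r)
        if key not in seen:
            seen.add(key)
            kept.append(r)
    return kept


def merge_logs(logs):
    """One SARIF log holding every run, each run's results deduplicated.
    Runs stay separate because rule ids and rule metadata are per tool."""
    runs = []
    for log in logs:
        for run in log["runs"]:
            merged_run = dict(run)
            merged_run["results"] = dedupe_results(run.get("results", []))
            runs.append(merged_run)
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "version": "2.1.0", "runs": runs}


def flatten(log):
    """Flat rows (tool, level, ruleId, uri, line, message) for reporting."""
    rows = []
    for run in log["runs"]:
        tool, rules = run["tool"]["driver"]["name"], rule_index(run)
        for r in run.get("results", []):
            uri, line = primary_location(r)
            rows.append({"tool": tool, "level": severity(r, rules),
                         "ruleId": r.get("ruleId"), "uri": uri, "line": line,
                         "message": r.get("message", {}).get("text", "")})
    return rows


def at_least(rows, level):
    """Rows at or above a threshold level, e.g. 'error' for a CI gate."""
    return [row for row in rows if LEVEL_RANK.get(row["level"], 0) >= LEVEL_RANK[level]]


def summarize(rows):
    """Finding count per effective level."""
    return Counter(row["level"] for row in rows)


if __name__ == "__main__":
    rows = flatten(merge_logs([SEMGREP_LOG, CODEQL_LOG]))
    print(dict(summarize(rows)))
    for row in at_least(rows, "error"):
        print(f'{row["tool"]}: {row["ruleId"]} {row["uri"]}:{row["line"]}')
```

Deduplication is deliberately done within a run and keyed on rule id plus location: the two tools flag the same line of app/views.py under different rule ids, and collapsing those would hide that two independent analyzers agree, which is usually the most useful signal in a merged report. To load real output, replace the constructed dicts with `json.load()` of the files Semgrep (`--sarif`) and CodeQL (`--format=sarif-latest`) write.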

Code Editing
semgrep-rule-variant-creator

by trailofbits

semgrep-rule-variant-creator helps port existing Semgrep rules to other target languages, with applicability analysis, test-first validation, and separate rule and test outputs. Use it when you need a reliable guide for expanding Semgrep rules across polyglot codebases, not for writing a brand-new rule from scratch.

Security Audit
variant-analysis

by trailofbits

variant-analysis helps you find similar vulnerabilities and bugs across a codebase once one issue has been confirmed. Use it to build CodeQL or Semgrep queries, follow a root-cause-first workflow, and run a focused variant-analysis guide for Security Audit work. It is best suited to post-discovery searches, not broad initial review.

Security Audit