Run Semgrep static analysis scan on a codebase using parallel subagents. Supports two scan modes — "run all" (full ruleset coverage) and "important only"…
Semgrep Security Scan Run a Semgrep scan with automatic language detection, parallel execution via Task subagents, and merged SARIF output. Essential Principles Always use --metrics=off — Semgrep sends telemetry by default; --config auto also phones home. Every semgrep command must include --metrics=off to prevent data leakage during security audits. User must approve the scan plan (Step 3 is a hard gate) — The original "scan this codebase" request is NOT approval. Present exact rulesets, target, engine, and mode; wait for explicit "yes"/"proceed" before spawning scanners. Third-party rulesets are required, not optional — Trail of Bits, 0xdea, and Decurity rules catch vulnerabilities absent from the official registry. Include them whenever the detected language matches. Spawn all scan Tasks in a single message — Parallel execution is the core performance advantage. Never spawn Tasks sequentially; always emit all Task tool calls in one response. Always check for Semgrep Pro before scanning — Pro enables cross-file taint tracking and catches ~250% more true positives. Skipping the check means silently missing critical inter-file vulnerabilities. When to Use Security audit of a codebase Finding vulnerabilities before code review Scanning for known bug patterns First-pass static analysis
don't have the plugin yet? install it then click "run inline in claude" again.
added explicit decision logic for pro availability, authentication, empty results, timeout handling, and cli installation checks. documented semgrep pro token input with oauth/auth setup. clarified parallelization requirement and rule merge strategy. expanded procedure with detailed inputs/outputs per step. added edge cases for missing target, directory unreadability, sequential task spawning, and sarif deduplication.
scan a codebase for security vulnerabilities using semgrep's parallel static analysis engine. use this skill when you need to audit code before review, find known bug patterns, or run first-pass security analysis. the skill auto-detects languages, spawns parallel scanners for each, and merges results into a single SARIF file. it includes third-party rulesets from trail of bits, 0xdea, and decurity alongside official semgrep rules to catch vulnerabilities missing from the default registry. supports two modes: "run all" for complete coverage or "important only" for high-confidence findings filtered by severity. requires explicit user approval of the scan plan before execution.
semgrep installation: semgrep cli binary must be available in PATH. install via pip install semgrep or download from https://semgrep.dev/install
semgrep pro license (optional): set SEMGREP_APP_TOKEN environment variable to enable cross-file taint tracking and pro rules. without it, scanning falls back to oss mode with per-file analysis. pro mode catches roughly 2.5x more true positives via inter-file data flow.
target directory: filesystem path to the codebase to scan. must be readable by the current user.
scan mode selection: user chooses "run all" (complete ruleset, slower, comprehensive) or "important only" (filtered high-confidence vulnerabilities, faster).
ruleset approval: user must explicitly approve the exact rulesets, target directory, detected languages, and engine mode before scanning begins.
gather codebase metadata
map languages to semgrep rulesets
present scan plan for user approval
check for semgrep pro availability
SEMGREP_APP_TOKEN environment variable (if set)semgrep login --token $SEMGREP_APP_TOKEN --metrics=off (optional, only if token present)spawn parallel scan tasks
semgrep scan [TARGET] --config=[RULESET_CONFIG] --json --metrics=off [--pro-enabled flag if pro available]collect and merge SARIF results
--sarif output flag)merged_semgrep_results.sarifgenerate summary report
if semgrep pro token is set: enable pro mode in step 4, pass --pro-enabled flag to all scan commands in step 5, and use cross-file taint tracking rulesets for applicable languages (python, javascript, java, go). this catches inter-file data flow vulnerabilities.
else (no pro token): scan in oss mode, use per-file analysis only, skip cross-file taint rules. results will be less comprehensive but still valuable for first-pass audits.
if user rejects scan plan in step 3: stop. do not spawn any scanners. ask user to clarify target, language filter, or ruleset preference and re-present a revised plan.
if detected languages are empty or no files found: report to user and exit. do not spawn scanners or generate empty results.
if scan mode is "run all": include all available rulesets for each language (official + third-party).
if scan mode is "important only": filter rulesets to high-confidence rules only. exclude informational-level checks and low-impact patterns.
if a parallel scan task fails or times out (>600 seconds): log the failure, continue processing other tasks, and include a warning in the final report. do not fail the entire skill for a single language's timeout.
if semgrep cli is not installed: return error: "semgrep not found. install via 'pip install semgrep' or https://semgrep.dev/install". do not attempt to install automatically.
if the target directory does not exist or is not readable: return error with the specific path and permission issue. do not proceed to scanning.
if sarif merge encounters conflicting rule ids across rulesets: deduplicate by rule id + source + severity. include all instances if they differ.
merged sarif file: merged_semgrep_results.sarif in the current working directory. valid json, conforms to sarif 2.1 spec. includes all findings from all languages and rulesets, annotated with severity, rule id, source (official/trail of bits/0xdea/decurity), and file/line/column locations.
summary report: plaintext output listing finding counts by severity and top categories. example: "scan complete. found 3 critical, 12 high, 41 medium, 89 low findings across 127 rules from 4 rulesets (official, trail of bits, 0xdea, decurity) in 45 seconds."
task logs: all parallel scan task output (semgrep json per language) available for inspection. failures logged with language name and error message.
no data leakage: all semgrep commands include --metrics=off to disable telemetry. no data sent to semgrep cloud or third parties without explicit pro token auth.
user receives the merged sarif file and can open it in compatible tools (github code scanning, vs code semgrep extension, defect dojo, etc.). summary report displays finding counts by severity and the top vulnerable patterns detected. if "run all" mode was used, report includes all rulesets applied and execution time for each language. if pro mode was enabled, report explicitly states "cross-file taint tracking enabled" and lists pro-only rules that contributed findings. user can inspect the sarif file directly to see rule names, severity, and code locations. if no findings were detected, report states "no vulnerabilities found" and lists the rulesets that were applied (confirming coverage, not a missed scan).