cli-jaw 0.1.0

package/skills_ref/static-analysis/skills/semgrep/SKILL.md

@@ -0,0 +1,431 @@
+---
+name: semgrep
+description: Run Semgrep static analysis scan on a codebase using parallel subagents. Automatically
+  detects and uses Semgrep Pro for cross-file analysis when available. Use when asked to scan
+  code for vulnerabilities, run a security audit with Semgrep, find bugs, or perform
+  static analysis. Spawns parallel workers for multi-language codebases and triage.
+allowed-tools:
+  - Bash
+  - Read
+  - Glob
+  - Grep
+  - Write
+  - Task
+  - AskUserQuestion
+  - TaskCreate
+  - TaskList
+  - TaskUpdate
+  - WebFetch
+---
+
+# Semgrep Security Scan
+
+Run a complete Semgrep scan with automatic language detection, parallel execution via Task subagents, and parallel triage. Automatically uses Semgrep Pro for cross-file taint analysis when available.
+
+## Prerequisites
+
+**Required:** Semgrep CLI
+
+```bash
+semgrep --version
+```
+
+If not installed, see [Semgrep installation docs](https://semgrep.dev/docs/getting-started/).
+
+**Optional:** Semgrep Pro (for cross-file analysis and Pro languages)
+
+```bash
+# Check if Semgrep Pro engine is installed
+semgrep --pro --validate --config p/default 2>/dev/null && echo "Pro available" || echo "OSS only"
+
+# If logged in, install/update Pro Engine
+semgrep install-semgrep-pro
+```
+
+Pro enables: cross-file taint tracking, inter-procedural analysis, and additional languages (Apex, C#, Elixir).
+
+## When to Use
+
+- Security audit of a codebase
+- Finding vulnerabilities before code review
+- Scanning for known bug patterns
+- First-pass static analysis
+
+## When NOT to Use
+
+- Binary analysis → Use binary analysis tools
+- Already have Semgrep CI configured → Use existing pipeline
+- Need cross-file analysis but no Pro license → Consider CodeQL as alternative
+- Creating custom Semgrep rules → Use `semgrep-rule-creator` skill
+- Porting existing rules to other languages → Use `semgrep-rule-variant-creator` skill
+
+---
+
+## Orchestration Architecture
+
+This skill uses **parallel Task subagents** for maximum efficiency:
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│ MAIN AGENT                                                      │
+│ 1. Detect languages + check Pro availability                    │
+│ 2. Select rulesets based on detection (ref: rulesets.md)        │
+│ 3. Present plan + rulesets, get approval [⛔ HARD GATE]         │
+│ 4. Spawn parallel scan Tasks (with approved rulesets)           │
+│ 5. Spawn parallel triage Tasks                                  │
+│ 6. Collect and report results                                   │
+└─────────────────────────────────────────────────────────────────┘
+          │ Step 4                           │ Step 5
+          ▼                                  ▼
+┌─────────────────┐              ┌─────────────────┐
+│ Scan Tasks      │              │ Triage Tasks    │
+│ (parallel)      │              │ (parallel)      │
+├─────────────────┤              ├─────────────────┤
+│ Python scanner  │              │ Python triager  │
+│ JS/TS scanner   │              │ JS/TS triager   │
+│ Go scanner      │              │ Go triager      │
+│ Docker scanner  │              │ Docker triager  │
+└─────────────────┘              └─────────────────┘
+```
+
+---
+
+## Workflow Enforcement via Task System
+
+This skill uses the **Task system** to enforce workflow compliance. On invocation, create these tasks:
+
+```
+TaskCreate: "Detect languages and Pro availability" (Step 1)
+TaskCreate: "Select rulesets based on detection" (Step 2) - blockedBy: Step 1
+TaskCreate: "Present plan with rulesets, get approval" (Step 3) - blockedBy: Step 2
+TaskCreate: "Execute scans with approved rulesets" (Step 4) - blockedBy: Step 3
+TaskCreate: "Triage findings" (Step 5) - blockedBy: Step 4
+TaskCreate: "Report results" (Step 6) - blockedBy: Step 5
+```
+
+### Mandatory Gates
+
+| Task | Gate Type | Cannot Proceed Until |
+|------|-----------|---------------------|
+| Step 3: Get approval | **HARD GATE** | User explicitly approves rulesets + plan |
+| Step 5: Triage | **SOFT GATE** | All scan JSON files exist |
+
+**Step 3 is a HARD GATE**: Mark as `completed` ONLY after user says "yes", "proceed", "approved", or equivalent.
+
+### Task Flow Example
+
+```
+1. Create all 6 tasks with dependencies
+2. TaskUpdate Step 1 → in_progress, execute detection
+3. TaskUpdate Step 1 → completed
+4. TaskUpdate Step 2 → in_progress, select rulesets
+5. TaskUpdate Step 2 → completed
+6. TaskUpdate Step 3 → in_progress, present plan with rulesets
+7. STOP: Wait for user response (may modify rulesets)
+8. User approves → TaskUpdate Step 3 → completed
+9. TaskUpdate Step 4 → in_progress (now unblocked)
+... continue workflow
+```
+
+---
+
+## Workflow
+
+### Step 1: Detect Languages and Pro Availability (Main Agent)
+
+```bash
+# Check if Semgrep Pro is available (non-destructive check)
+SEMGREP_PRO=false
+if semgrep --pro --validate --config p/default 2>/dev/null; then
+  SEMGREP_PRO=true
+  echo "Semgrep Pro: AVAILABLE (cross-file analysis enabled)"
+else
+  echo "Semgrep Pro: NOT AVAILABLE (OSS mode, single-file analysis)"
+fi
+
+# Find languages by file extension
+fd -t f -e py -e js -e ts -e jsx -e tsx -e go -e rb -e java -e php -e c -e cpp -e rs | \
+  sed 's/.*\.//' | sort | uniq -c | sort -rn
+
+# Check for frameworks/technologies
+ls -la package.json pyproject.toml Gemfile go.mod Cargo.toml pom.xml 2>/dev/null
+fd -t f "Dockerfile" "docker-compose" ".tf" "*.yaml" "*.yml" | head -20
+```
+
+Map findings to categories:
+
+| Detection | Category |
+|-----------|----------|
+| `.py`, `pyproject.toml` | Python |
+| `.js`, `.ts`, `package.json` | JavaScript/TypeScript |
+| `.go`, `go.mod` | Go |
+| `.rb`, `Gemfile` | Ruby |
+| `.java`, `pom.xml` | Java |
+| `.php` | PHP |
+| `.c`, `.cpp` | C/C++ |
+| `.rs`, `Cargo.toml` | Rust |
+| `Dockerfile` | Docker |
+| `.tf` | Terraform |
+| k8s manifests | Kubernetes |
+
+### Step 2: Select Rulesets Based on Detection
+
+Using the detected languages and frameworks from Step 1, select rulesets by following the **Ruleset Selection Algorithm** in [rulesets.md]({baseDir}/references/rulesets.md).
+
+The algorithm covers:
+1. Security baseline (always included)
+2. Language-specific rulesets
+3. Framework rulesets (if detected)
+4. Infrastructure rulesets
+5. **Required** third-party rulesets (Trail of Bits, 0xdea, Decurity - NOT optional)
+6. Registry verification
+
+**Output:** Structured JSON passed to Step 3 for user review:
+
+```json
+{
+  "baseline": ["p/security-audit", "p/secrets"],
+  "python": ["p/python", "p/django"],
+  "javascript": ["p/javascript", "p/react", "p/nodejs"],
+  "docker": ["p/dockerfile"],
+  "third_party": ["https://github.com/trailofbits/semgrep-rules"]
+}
+```
+
+### Step 3: CRITICAL GATE - Present Plan and Get Approval
+
+> **⛔ MANDATORY CHECKPOINT - DO NOT SKIP**
+>
+> This step requires explicit user approval before proceeding.
+> User may modify rulesets before approving.
+
+Present plan to user with **explicit ruleset listing**:
+
+```
+## Semgrep Scan Plan
+
+**Target:** /path/to/codebase
+**Output directory:** ./semgrep-results-001/
+**Engine:** Semgrep Pro (cross-file analysis) | Semgrep OSS (single-file)
+
+### Detected Languages/Technologies:
+- Python (1,234 files) - Django framework detected
+- JavaScript (567 files) - React detected
+- Dockerfile (3 files)
+
+### Rulesets to Run:
+
+**Security Baseline (always included):**
+- [x] `p/security-audit` - Comprehensive security rules
+- [x] `p/secrets` - Hardcoded credentials, API keys
+
+**Python (1,234 files):**
+- [x] `p/python` - Python security patterns
+- [x] `p/django` - Django-specific vulnerabilities
+
+**JavaScript (567 files):**
+- [x] `p/javascript` - JavaScript security patterns
+- [x] `p/react` - React-specific issues
+- [x] `p/nodejs` - Node.js server-side patterns
+
+**Docker (3 files):**
+- [x] `p/dockerfile` - Dockerfile best practices
+
+**Third-party (auto-included for detected languages):**
+- [x] Trail of Bits rules - https://github.com/trailofbits/semgrep-rules
+
+**Available but not selected:**
+- [ ] `p/owasp-top-ten` - OWASP Top 10 (overlaps with security-audit)
+
+### Execution Strategy:
+- Spawn 3 parallel scan Tasks (Python, JavaScript, Docker)
+- Total rulesets: 9
+- [If Pro] Cross-file taint tracking enabled
+- Scan agent: `static-analysis:semgrep-scanner`
+- Triage agent: `static-analysis:semgrep-triager`
+
+**Want to modify rulesets?** Tell me which to add or remove.
+**Ready to scan?** Say "proceed" or "yes".
+```
+
+**⛔ STOP: Await explicit user approval**
+
+After presenting the plan:
+
+1. **If user wants to modify rulesets:**
+   - Add requested rulesets to the appropriate category
+   - Remove requested rulesets
+   - Re-present the updated plan
+   - Return to waiting for approval
+
+2. **Use AskUserQuestion** if user hasn't responded:
+   ```
+   "I've prepared the scan plan with 9 rulesets (including Trail of Bits). Proceed with scanning?"
+   Options: ["Yes, run scan", "Modify rulesets first"]
+   ```
+
+3. **Valid approval responses:**
+   - "yes", "proceed", "approved", "go ahead", "looks good", "run it"
+
+4. **Mark task completed** only after approval with final rulesets confirmed
+
+5. **Do NOT treat as approval:**
+   - User's original request ("scan this codebase")
+   - Silence / no response
+   - Questions about the plan
+
+### Pre-Scan Checklist
+
+Before marking Step 3 complete, verify:
+- [ ] Target directory shown to user
+- [ ] Engine type (Pro/OSS) displayed
+- [ ] Languages detected and listed
+- [ ] **All rulesets explicitly listed with checkboxes**
+- [ ] User given opportunity to modify rulesets
+- [ ] User explicitly approved (quote their confirmation)
+- [ ] **Final ruleset list captured for Step 4**
+- [ ] Agent types listed: `static-analysis:semgrep-scanner` and `static-analysis:semgrep-triager`
+
+### Step 4: Spawn Parallel Scan Tasks
+
+Create output directory with run number to avoid collisions, then spawn Tasks with **approved rulesets from Step 3**:
+
+```bash
+# Find next available run number
+LAST=$(ls -d semgrep-results-[0-9][0-9][0-9] 2>/dev/null | sort | tail -1 | grep -o '[0-9]*$' || true)
+NEXT_NUM=$(printf "%03d" $(( ${LAST:-0} + 1 )))
+OUTPUT_DIR="semgrep-results-${NEXT_NUM}"
+mkdir -p "$OUTPUT_DIR"
+echo "Output directory: $OUTPUT_DIR"
+```
+
+**Spawn N Tasks in a SINGLE message** (one per language category) using `subagent_type: static-analysis:semgrep-scanner`.
+
+Use the scanner task prompt template from [scanner-task-prompt.md]({baseDir}/references/scanner-task-prompt.md).
+
+**Example - 3 Language Scan (with approved rulesets):**
+
+Spawn these 3 Tasks in a SINGLE message:
+
+1. **Task: Python Scanner**
+   - Approved rulesets: p/python, p/django, p/security-audit, p/secrets, https://github.com/trailofbits/semgrep-rules
+   - Output: semgrep-results-001/python-*.json
+
+2. **Task: JavaScript Scanner**
+   - Approved rulesets: p/javascript, p/react, p/nodejs, p/security-audit, p/secrets, https://github.com/trailofbits/semgrep-rules
+   - Output: semgrep-results-001/js-*.json
+
+3. **Task: Docker Scanner**
+   - Approved rulesets: p/dockerfile
+   - Output: semgrep-results-001/docker-*.json
+
+### Step 5: Spawn Parallel Triage Tasks
+
+After scan Tasks complete, spawn triage Tasks using `subagent_type: static-analysis:semgrep-triager` (triage requires reading code context, not just running commands).
+
+Use the triage task prompt template from [triage-task-prompt.md]({baseDir}/references/triage-task-prompt.md).
+
+### Step 6: Collect Results (Main Agent)
+
+After all Tasks complete, generate merged SARIF and report:
+
+**Generate merged SARIF with only triaged true positives:**
+
+```bash
+uv run {baseDir}/scripts/merge_triaged_sarif.py [OUTPUT_DIR]
+```
+
+This script:
+1. Attempts to use [SARIF Multitool](https://www.npmjs.com/package/@microsoft/sarif-multitool) for merging (if `npx` is available)
+2. Falls back to pure Python merge if Multitool unavailable
+3. Reads all `*-triage.json` files to extract true positive findings
+4. Filters merged SARIF to include only triaged true positives
+5. Writes output to `[OUTPUT_DIR]/findings-triaged.sarif`
+
+**Optional: Install SARIF Multitool for better merge quality:**
+
+```bash
+npm install -g @microsoft/sarif-multitool
+```
+
+**Report to user:**
+
+```
+## Semgrep Scan Complete
+
+**Scanned:** 1,804 files
+**Rulesets used:** 9 (including Trail of Bits)
+**Total raw findings:** 156
+**After triage:** 32 true positives
+
+### By Severity:
+- ERROR: 5
+- WARNING: 18
+- INFO: 9
+
+### By Category:
+- SQL Injection: 3
+- XSS: 7
+- Hardcoded secrets: 2
+- Insecure configuration: 12
+- Code quality: 8
+
+Results written to:
+- semgrep-results-001/findings-triaged.sarif (SARIF, true positives only)
+- semgrep-results-001/*-triage.json (triage details per language)
+- semgrep-results-001/*.json (raw scan results)
+- semgrep-results-001/*.sarif (raw SARIF per ruleset)
+```
+
+---
+
+## Common Mistakes
+
+| Mistake | Correct Approach |
+|---------|------------------|
+| Running without `--metrics=off` | Always use `--metrics=off` to prevent telemetry |
+| Running rulesets sequentially | Run in parallel with `&` and `wait` |
+| Not scoping rulesets to languages | Use `--include="*.py"` for language-specific rules |
+| Reporting raw findings without triage | Always triage to remove false positives |
+| Single-threaded for multi-lang | Spawn parallel Tasks per language |
+| Sequential Tasks | Spawn all Tasks in SINGLE message for parallelism |
+| Using OSS when Pro is available | Check login status; use `--pro` for deeper analysis |
+| Assuming Pro is unavailable | Always check with login detection before scanning |
+
+## Limitations
+
+1. **OSS mode:** Cannot track data flow across files (login with `semgrep login` and run `semgrep install-semgrep-pro` to enable)
+2. **Pro mode:** Cross-file analysis uses `-j 1` (single job) which is slower per ruleset, but parallel rulesets compensate
+3. Triage requires reading code context - parallelized via Tasks
+4. Some false positive patterns require human judgment
+
+## Agents
+
+This plugin provides two specialized agents for the scan and triage phases:
+
+| Agent | Tools | Purpose |
+|-------|-------|---------|
+| `static-analysis:semgrep-scanner` | Bash | Executes parallel semgrep scans for a language category |
+| `static-analysis:semgrep-triager` | Read, Grep, Glob, Write | Classifies findings as true/false positives by reading source context |
+
+Use `subagent_type: static-analysis:semgrep-scanner` in Step 4 and `subagent_type: static-analysis:semgrep-triager` in Step 5 when spawning Task subagents.
+
+## Rationalizations to Reject
+
+| Shortcut | Why It's Wrong |
+|----------|----------------|
+| "User asked for scan, that's approval" | Original request ≠ plan approval; user must confirm specific parameters. Present plan, use AskUserQuestion, await explicit "yes" |
+| "Step 3 task is blocking, just mark complete" | Lying about task status defeats enforcement. Only mark complete after real approval |
+| "I already know what they want" | Assumptions cause scanning wrong directories/rulesets. Present plan with all parameters for verification |
+| "Just use default rulesets" | User must see and approve exact rulesets before scan |
+| "Add extra rulesets without asking" | Modifying approved list without consent breaks trust |
+| "Skip showing ruleset list" | User can't make informed decision without seeing what will run |
+| "Third-party rulesets are optional" | Trail of Bits, 0xdea, Decurity rules catch vulnerabilities not in official registry - they are REQUIRED when language matches |
+| "Skip triage, report everything" | Floods user with noise; true issues get lost |
+| "Run one ruleset at a time" | Wastes time; parallel execution is faster |
+| "Use --config auto" | Sends metrics; less control over rulesets |
+| "Triage later" | Findings without context are harder to evaluate |
+| "One Task at a time" | Defeats parallelism; spawn all Tasks together |
+| "Pro is too slow, skip --pro" | Cross-file analysis catches 250% more true positives; worth the time |
+| "Don't bother checking for Pro" | Missing Pro = missing critical cross-file vulnerabilities |
+| "OSS is good enough" | OSS misses inter-file taint flows; always prefer Pro when available |

package/skills_ref/static-analysis/skills/semgrep/references/rulesets.md

@@ -0,0 +1,162 @@
+# Semgrep Rulesets Reference
+
+## Complete Ruleset Catalog
+
+### Security-Focused Rulesets
+
+| Ruleset | Description | Use Case |
+|---------|-------------|----------|
+| `p/security-audit` | Comprehensive vulnerability detection, higher false positives | Manual audits, security reviews |
+| `p/secrets` | Hardcoded credentials, API keys, tokens | Always include |
+| `p/owasp-top-ten` | OWASP Top 10 web application vulnerabilities | Web app security |
+| `p/cwe-top-25` | CWE Top 25 most dangerous software weaknesses | General security |
+| `p/sql-injection` | SQL injection patterns and tainted data flows | Database security |
+| `p/insecure-transport` | Ensures code uses encrypted channels | Network security |
+| `p/gitleaks` | Hard-coded credentials detection (gitleaks port) | Secrets scanning |
+| `p/findsecbugs` | FindSecBugs rule pack for Java | Java security |
+| `p/phpcs-security-audit` | PHP security audit rules | PHP security |
+
+### CI/CD Rulesets
+
+| Ruleset | Description | Use Case |
+|---------|-------------|----------|
+| `p/default` | Default ruleset, balanced coverage | First-time users |
+| `p/ci` | High-confidence security + logic bugs, low FP | CI pipelines |
+| `p/r2c-ci` | Low false positives, CI-safe | CI/CD blocking |
+| `p/r2c` | Community favorite, curated by Semgrep (618k+ downloads) | General scanning |
+| `p/auto` | Auto-selects rules based on detected languages/frameworks | Quick scans |
+| `p/comment` | Comment-related rules | Code review |
+
+### Third-Party Rulesets
+
+| Ruleset | Description | Maintainer |
+|---------|-------------|------------|
+| `p/gitlab` | GitLab-maintained security rules | GitLab |
+
+---
+
+## Ruleset Selection Algorithm
+
+Follow this algorithm to select rulesets based on detected languages and frameworks.
+
+### Step 1: Always Include Security Baseline
+
+```json
+{
+  "baseline": ["p/security-audit", "p/secrets"]
+}
+```
+
+- `p/security-audit` - Comprehensive vulnerability detection (always include)
+- `p/secrets` - Hardcoded credentials, API keys, tokens (always include)
+
+### Step 2: Add Language-Specific Rulesets
+
+For each detected language, add the primary ruleset. If a framework is detected, add its ruleset too.
+
+**GA Languages (production-ready):**
+
+| Detection | Primary Ruleset | Framework Rulesets | Pro Rule Count |
+|-----------|-----------------|-------------------|----------------|
+| `.py` | `p/python` | `p/django`, `p/flask`, `p/fastapi` | 710+ |
+| `.js`, `.jsx` | `p/javascript` | `p/react`, `p/nodejs`, `p/express`, `p/nextjs`, `p/angular` | 250+ (JS), 70+ (JSX) |
+| `.ts`, `.tsx` | `p/typescript` | `p/react`, `p/nodejs`, `p/express`, `p/nextjs`, `p/angular` | 230+ |
+| `.go` | `p/golang` | `p/go` (alias) | 80+ |
+| `.java` | `p/java` | `p/spring`, `p/findsecbugs` | 190+ |
+| `.kt` | `p/kotlin` | `p/spring` | 60+ |
+| `.rb` | `p/ruby` | `p/rails` | 40+ |
+| `.php` | `p/php` | `p/symfony`, `p/laravel`, `p/phpcs-security-audit` | 50+ |
+| `.c`, `.cpp`, `.h` | `p/c` | - | 150+ |
+| `.rs` | `p/rust` | - | 40+ |
+| `.cs` | `p/csharp` | - | 170+ |
+| `.scala` | `p/scala` | - | Community |
+| `.swift` | `p/swift` | - | 60+ |
+
+**Beta Languages (Pro recommended):**
+
+| Detection | Primary Ruleset | Notes |
+|-----------|-----------------|-------|
+| `.ex`, `.exs` | `p/elixir` | Requires Pro for best coverage |
+| `.cls`, `.trigger` | `p/apex` | Salesforce; requires Pro |
+
+**Experimental Languages:**
+
+| Detection | Primary Ruleset | Notes |
+|-----------|-----------------|-------|
+| `.sol` | No official ruleset | Use Decurity third-party rules |
+| `Dockerfile` | `p/dockerfile` | Limited rules |
+| `.yaml`, `.yml` | `p/yaml` | K8s, GitHub Actions, docker-compose patterns |
+| `.json` | `r/json.aws` | AWS IAM policies; use `r/json.*` for specific rules |
+| Bash scripts | - | Community support |
+| Cairo, Circom | - | Experimental, smart contracts |
+
+**Framework detection hints:**
+
+| Framework | Detection Signals | Ruleset |
+|-----------|------------------|---------|
+| Django | `settings.py`, `urls.py`, `django` in requirements | `p/django` |
+| Flask | `flask` in requirements, `@app.route` | `p/flask` |
+| FastAPI | `fastapi` in requirements, `@app.get/post` | `p/fastapi` |
+| React | `package.json` with react dependency, `.jsx`/`.tsx` files | `p/react` |
+| Next.js | `next.config.js`, `pages/` or `app/` directory | `p/nextjs` |
+| Angular | `angular.json`, `@angular/` dependencies | `p/angular` |
+| Express | `express` in package.json, `app.use()` patterns | `p/express` |
+| NestJS | `@nestjs/` dependencies, `@Controller` decorators | `p/nodejs` |
+| Spring | `pom.xml` with spring, `@SpringBootApplication` | `p/spring` |
+| Rails | `Gemfile` with rails, `config/routes.rb` | `p/rails` |
+| Laravel | `composer.json` with laravel, `artisan` | `p/laravel` |
+| Symfony | `composer.json` with symfony, `config/packages/` | `p/symfony` |
+
+### Step 3: Add Infrastructure Rulesets
+
+| Detection | Ruleset | Description |
+|-----------|---------|-------------|
+| `Dockerfile` | `p/dockerfile` | Container security, best practices |
+| `.tf`, `.hcl` | `p/terraform` | IaC misconfigurations, CIS benchmarks, AWS/Azure/GCP |
+| k8s manifests | `p/kubernetes` | K8s security, RBAC issues |
+| CloudFormation | `p/cloudformation` | AWS infrastructure security |
+| GitHub Actions | `p/github-actions` | CI/CD security, secrets exposure |
+| `.yaml`, `.yml` | `p/yaml` | Generic YAML patterns (K8s, docker-compose) |
+| AWS IAM JSON | `r/json.aws` | IAM policy misconfigurations (use `--config r/json.aws`) |
+
+### Step 4: Add Third-Party Rulesets
+
+These are **NOT optional**. Include automatically when language matches:
+
+| Languages | Source | Why Required |
+|-----------|--------|--------------|
+| Python, Go, Ruby, JS/TS, Terraform, HCL | [Trail of Bits](https://github.com/trailofbits/semgrep-rules) | Security audit patterns from real engagements (AGPLv3) |
+| C, C++ | [0xdea](https://github.com/0xdea/semgrep-rules) | Memory safety, low-level vulnerabilities |
+| Solidity, Cairo, Rust | [Decurity](https://github.com/Decurity/semgrep-smart-contracts) | Smart contract vulnerabilities, DeFi exploits |
+| Go | [dgryski](https://github.com/dgryski/semgrep-go) | Additional Go-specific patterns |
+| Android (Java/Kotlin) | [MindedSecurity](https://github.com/mindedsecurity/semgrep-rules-android-security) | OWASP MASTG-derived mobile security rules |
+| Java, Go, JS/TS, C#, Python, PHP | [elttam](https://github.com/elttam/semgrep-rules) | Security consulting patterns |
+| Dockerfile, PHP, Go, Java | [kondukto](https://github.com/kondukto-io/semgrep-rules) | Container and web app security |
+| PHP, Kotlin, Java | [dotta](https://github.com/federicodotta/semgrep-rules) | Pentest-derived web/mobile app rules |
+| Terraform, HCL | [HashiCorp](https://github.com/hashicorp-forge/semgrep-rules) | HashiCorp infrastructure patterns |
+| Swift, Java, Cobol | [akabe1](https://github.com/akabe1/akabe1-semgrep-rules) | iOS and legacy system patterns |
+| Java | [Atlassian Labs](https://github.com/atlassian-labs/atlassian-sast-ruleset) | Atlassian-maintained Java rules |
+| Python, JS/TS, Java, Ruby, Go, PHP | [Apiiro](https://github.com/apiiro/malicious-code-ruleset) | Malicious code detection, supply chain |
+
+### Step 5: Verify Rulesets
+
+Before finalizing, verify official rulesets load:
+
+```bash
+# Quick validation (exits 0 if valid)
+semgrep --config p/python --validate --metrics=off 2>&1 | head -3
+```
+
+Or browse the [Semgrep Registry](https://semgrep.dev/explore).
+
+### Output Format
+
+```json
+{
+  "baseline": ["p/security-audit", "p/secrets"],
+  "python": ["p/python", "p/django"],
+  "javascript": ["p/javascript", "p/react", "p/nodejs"],
+  "docker": ["p/dockerfile"],
+  "third_party": ["https://github.com/trailofbits/semgrep-rules"]
+}
+```

package/skills_ref/static-analysis/skills/semgrep/references/scanner-task-prompt.md

@@ -0,0 +1,102 @@
+# Scanner Subagent Task Prompt
+
+Use this prompt template when spawning scanner Tasks in Step 4. Use `subagent_type: static-analysis:semgrep-scanner`.
+
+## Template
+
+```
+You are a Semgrep scanner for [LANGUAGE_CATEGORY].
+
+## Task
+Run Semgrep scans for [LANGUAGE] files and save results to [OUTPUT_DIR].
+
+## Pro Engine Status: [PRO_AVAILABLE: true/false]
+
+## APPROVED RULESETS (from user-confirmed plan)
+[LIST EXACT RULESETS USER APPROVED - DO NOT SUBSTITUTE]
+
+Example:
+- p/python
+- p/django
+- p/security-audit
+- p/secrets
+- https://github.com/trailofbits/semgrep-rules
+
+## Commands to Run (in parallel)
+
+### Generate commands for EACH approved ruleset:
+```bash
+semgrep [--pro if available] --metrics=off --config [RULESET] --json -o [OUTPUT_DIR]/[lang]-[ruleset].json --sarif-output=[OUTPUT_DIR]/[lang]-[ruleset].sarif [TARGET] &
+```
+
+Wait for all to complete:
+```bash
+wait
+```
+
+## Critical Rules
+- Use ONLY the rulesets listed above - do not add or remove any
+- Always use --metrics=off (prevents sending telemetry to Semgrep servers)
+- Use --pro when Pro is available (enables cross-file taint tracking)
+- Run all rulesets in parallel with & and wait
+- For GitHub URLs, clone the repo first if not cached locally
+
+## Output
+Report:
+- Number of findings per ruleset
+- Any scan errors
+- File paths of JSON results
+- [If Pro] Note any cross-file findings detected
+```
+
+## Variable Substitutions
+
+| Variable | Description | Example |
+|----------|-------------|---------|
+| `[LANGUAGE_CATEGORY]` | Language group being scanned | Python, JavaScript, Docker |
+| `[LANGUAGE]` | Specific language | Python, TypeScript, Go |
+| `[OUTPUT_DIR]` | Results directory with run number | semgrep-results-001 |
+| `[PRO_AVAILABLE]` | Whether Pro engine is available | true, false |
+| `[RULESET]` | Semgrep ruleset identifier | p/python, https://github.com/... |
+| `[TARGET]` | Directory to scan | . (current dir) |
+
+## Example: Python Scanner Task
+
+```
+You are a Semgrep scanner for Python.
+
+## Task
+Run Semgrep scans for Python files and save results to semgrep-results-001.
+
+## Pro Engine Status: true
+
+## APPROVED RULESETS (from user-confirmed plan)
+- p/python
+- p/django
+- p/security-audit
+- p/secrets
+- https://github.com/trailofbits/semgrep-rules
+
+## Commands to Run (in parallel)
+```bash
+semgrep --pro --metrics=off --config p/python --json -o semgrep-results-001/python-python.json --sarif-output=semgrep-results-001/python-python.sarif . &
+semgrep --pro --metrics=off --config p/django --json -o semgrep-results-001/python-django.json --sarif-output=semgrep-results-001/python-django.sarif . &
+semgrep --pro --metrics=off --config p/security-audit --json -o semgrep-results-001/python-security-audit.json --sarif-output=semgrep-results-001/python-security-audit.sarif . &
+semgrep --pro --metrics=off --config p/secrets --json -o semgrep-results-001/python-secrets.json --sarif-output=semgrep-results-001/python-secrets.sarif . &
+semgrep --pro --metrics=off --config https://github.com/trailofbits/semgrep-rules --json -o semgrep-results-001/python-trailofbits.json --sarif-output=semgrep-results-001/python-trailofbits.sarif . &
+wait
+```
+
+## Critical Rules
+- Use ONLY the rulesets listed above - do not add or remove any
+- Always use --metrics=off
+- Use --pro when Pro is available
+- Run all rulesets in parallel with & and wait
+
+## Output
+Report:
+- Number of findings per ruleset
+- Any scan errors
+- File paths of JSON results
+- Note any cross-file findings detected
+```