static-analysis
Static analysis toolkit combining CodeQL, Semgrep, and SARIF parsing for security vulnerability detection.
What This Skill Does
The toolkit covers taint tracking, data flow analysis, and pattern-based scanning across Python, JavaScript, Go, Java, C/C++, and more. Based on the Trail of Bits Testing Handbook.
Running CodeQL and Semgrep together with SARIF aggregation catches interprocedural vulnerabilities that grep-based or single-tool approaches miss.
When to use it
- Running CodeQL taint analysis to trace user input into SQL queries
- Writing Semgrep rules to catch a specific CWE pattern across a codebase
- Parsing SARIF output from multiple scanners into a deduplicated findings list
- Scanning a pull request with Semgrep against OWASP and Trail of Bits rulesets
- Generating CodeQL data extension models for project-specific API sinks
Similar Skills
best-practices
A checklist of modern web development standards covering HTTPS, CSP headers, input sanitization, deprecated API avoidance, and HTML validity.
auth0-android
Adds authentication to native Android apps using the Auth0 SDK.
auth0-angular
Adds authentication to Angular apps using the @auth0/auth0-angular SDK.
auth0-aspnetcore-api
Adds JWT access token validation to ASP.
