semgrep-rule-variant-creator
Install this skill
npx skills add trailofbits/skills
Works across Claude Code, Cursor, Codex, Copilot & Antigravity
The semgrep-rule-variant-creator skill automates the expansion of security detection logic by porting existing Semgrep rules across different programming languages. Rather than simply translating syntax, this workflow enforces a strict four-phase methodology to ensure that ported rules account for language-specific AST structures, data-flow idioms, and distinct library behaviors. By requiring an initial applicability analysis followed by a mandatory test-first development loop, the skill ensures each variant remains accurate and functional. It prevents the common pitfall of assuming that vulnerability patterns translate identically across different runtime environments. Users receive a structured output directory for each target language, containing both the refined YAML rule and the necessary test files to validate the detection mechanism against language-specific edge cases.
When to Use This Skill
- Expanding an existing SQL injection rule to support both Java and Go
- Translating web framework security rules from Python to Ruby
- Adapting internal compliance rules to support polyglot microservice environments
- Creating language-specific variants for universal vulnerability patterns
How to Invoke This Skill
Example prompts that trigger this skill in Claude Code, Cursor, or Antigravity:
- "Port this Semgrep rule to support Java"
- "Create a variant of this rule for Golang"
- "Adapt my existing rule for another target language"
- "Check if this pattern applies to a different runtime"
- "Generate a ported rule variant with test cases"
Pro Tips
- Before porting, thoroughly assess whether the vulnerability pattern or coding standard is truly applicable and has equivalent constructs in the target language.
- Always review the generated test cases and expand them with language-specific edge cases to ensure robust validation of the new rule variant.
- Combine this skill with `semgrep-rule-creator` when you need to build a new rule from scratch before generating its language-specific variants.
- Provide clear and concise rule YAML content or a precise file path to ensure the skill accurately parses the original rule.
What this skill does
- Performs deep AST-based applicability analysis for target languages
- Generates language-specific YAML rule files from source patterns
- Forces test-first development with required vulnerable and safe test cases
- Produces organized output structures for individual rule variants
- Validates API semantic equivalence across different platform ecosystems
When not to use it
- Authoring original security rules from the ground up
- Running active scans against production codebases
- Addressing simple syntax changes within a single language context
Example workflow
- Analyze target language vulnerability vectors via applicability check
- Draft test files containing explicit vulnerable and safe patterns
- Construct the Semgrep YAML rule targeting the new language AST
- Execute tests to verify detection accuracy
- Debug and refine rule patterns until all test cases pass
Prerequisites
- An existing functional Semgrep rule
- Target language specifications
- Basic knowledge of Semgrep AST patterns
Pitfalls & limitations
- Assuming identical data-flow behavior across different languages
- Skipping the mandatory test-first cycle for specific variants
- Overlooking language-specific standard library differences during porting
How it compares
While manual porting often ignores language-specific edge cases, this skill enforces a rigorous test-first validation loop that ensures portability without sacrificing detection precision.
Source & trust
Full skill instructions (original source: trailofbits/skills)
Port existing Semgrep rules to new target languages with proper applicability analysis and test-driven validation.
## When to Use
**Ideal scenarios:**
- Porting an existing Semgrep rule to one or more target languages
- Creating language-specific variants of a universal vulnerability pattern
- Expanding rule coverage across a polyglot codebase
- Translating rules between languages with equivalent constructs
## When NOT to Use
Do NOT use this skill for:
- Creating a new Semgrep rule from scratch (use `semgrep-rule-creator` instead)
- Running existing rules against code
- Languages where the vulnerability pattern fundamentally doesn't apply
- Minor syntax variations within the same language
## Input Specification
This skill requires:
1. **Existing Semgrep rule** - YAML file path or YAML rule content
2. **Target languages** - One or more languages to port to (e.g., "Golang and Java")
## Output Specification
For each applicable target language, produces:
```text
<original-rule-id>-<language>/
├── <original-rule-id>-<language>.yaml   # Ported Semgrep rule
└── <original-rule-id>-<language>.<ext>  # Test file with annotations
```
Example output for porting `sql-injection` to Go and Java:
```text
sql-injection-golang/
├── sql-injection-golang.yaml
└── sql-injection-golang.go
sql-injection-java/
├── sql-injection-java.yaml
└── sql-injection-java.java
```
## Rationalizations to Reject
When porting Semgrep rules, reject these common shortcuts:
| Rationalization | Why It Fails | Correct Approach |
|-----------------|--------------|------------------|
| "Pattern structure is identical" | Different ASTs across languages | Always dump AST for target language |
| "Same vulnerability, same detection" | Data flow differs between languages | Analyze target language idioms |
| "Rule doesn't need tests since original worked" | Language edge cases differ | Write NEW test cases for target |
| "Skip applicability - it obviously applies" | Some patterns are language-specific | Complete applicability analysis first |
| "I'll create all variants then test" | Errors compound, hard to debug | Complete full cycle per language |
| "Library equivalent is close enough" | Surface similarity hides differences | Verify API semantics match |
| "Just translate the syntax 1:1" | Languages have different idioms | Research target language patterns |
## Strictness Level
This workflow is **strict** - do not skip steps:
- **Applicability analysis is mandatory**: Don't assume patterns translate
- **Each language is independent**: Complete full cycle before moving to next
- **Test-first for each variant**: Never write a rule without test cases
- **100% test pass required**: "Most tests pass" is not acceptable
## Overview
This skill guides the creation of language-specific variants of existing Semgrep rules. Each target language goes through an independent 4-phase cycle:
```text
FOR EACH target language:
    Phase 1: Applicability Analysis → Verdict
    Phase 2: Test Creation (Test-First)
    Phase 3: Rule Creation
    Phase 4: Validation
    (Complete full cycle before moving to next language)
```
## Foundational Knowledge
**The `semgrep-rule-creator` skill is the authoritative reference for Semgrep rule creation fundamentals.** While this skill focuses on porting existing rules to new languages, the core principles of writing quality rules remain the same.

Consult `semgrep-rule-creator` for guidance on:
- **When to use taint mode vs pattern matching** - Choosing the right approach for the vulnerability type
- **Test-first methodology** - Why tests come before rules and how to write effective test cases
- **Anti-patterns to avoid** - Common mistakes like overly broad or overly specific patterns
- **Iterating until tests pass** - The validation loop and debugging techniques
- **Rule optimization** - Removing redundant patterns after tests pass
When porting a rule, you're applying these same principles in a new language context. If uncertain about rule structure or approach, refer to `semgrep-rule-creator` first.
## Four-Phase Workflow
### Phase 1: Applicability Analysis
Before porting, determine if the pattern applies to the target language.
**Analysis criteria:**
1. Does the vulnerability class exist in the target language?
2. Does an equivalent construct exist (function, pattern, library)?
3. Are the semantics similar enough for meaningful detection?
**Verdict options:**
- `APPLICABLE` → Proceed with variant creation
- `APPLICABLE_WITH_ADAPTATION` → Proceed but significant changes needed
- `NOT_APPLICABLE` → Skip this language, document why

See [applicability-analysis.md]({baseDir}/references/applicability-analysis.md) for detailed guidance.
### Phase 2: Test Creation (Test-First)
**Always write tests before the rule.**
Create test file with target language idioms:
- Minimum 2 vulnerable cases (`ruleid:`)
- Minimum 2 safe cases (`ok:`)
- Include language-specific edge cases
```go
// ruleid: sql-injection-golang
db.Query("SELECT * FROM users WHERE id = " + userInput)
// ok: sql-injection-golang
db.Query("SELECT * FROM users WHERE id = ?", userInput)
```
### Phase 3: Rule Creation
1. **Analyze AST**: `semgrep --dump-ast -l <lang> test-file`
2. **Translate patterns** to target language syntax
3. **Update metadata**: language key, message, rule ID
4. **Adapt for idioms**: Handle language-specific constructs
See [language-syntax-guide.md]({baseDir}/references/language-syntax-guide.md) for translation guidance.
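As an added illustration of what Phase 2 and Phase 3 produce together (this is example code written for this page, not a rule shipped by the skill or by Trail of Bits, and the original `sql-injection` rule it would be ported from is not shown on the page), here is a possible `sql-injection-golang.yaml`. It is written in taint mode so that the two annotated test lines above behave as intended: string concatenation into the query text is reported, while the `?` placeholder form is not, because only the query-string argument is marked as a sink. The source patterns (`net/http` request accessors), the `strconv` sanitizers and the metadata values are assumptions chosen for this example; a real port would derive them from the original rule and from the target codebase's libraries.

```yaml
rules:
  - id: sql-injection-golang
    languages: [go]
    severity: ERROR
    message: >-
      Untrusted request data reaches the SQL text passed to database/sql.
      Keep user input out of the query string and bind it as a placeholder
      argument instead, e.g. db.Query("... WHERE id = ?", userInput).
    metadata:
      category: security
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"
    # Taint mode: report when a source value flows into a sink.
    mode: taint
    pattern-sources:
      # Assumed sources: request data read through net/http; $REQ is
      # expected to be an *http.Request in the code under test.
      - pattern-either:
          - pattern: $REQ.FormValue(...)
          - pattern: $REQ.PostFormValue(...)
          - pattern: $REQ.URL.Query().Get(...)
    pattern-sanitizers:
      # Assumed sanitizers: parsing to an integer yields a value that
      # cannot carry SQL metacharacters (the caller still checks err).
      - pattern-either:
          - pattern: strconv.Atoi(...)
          - pattern: strconv.ParseInt(...)
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: $DB.Query($QUERY, ...)
              - pattern: $DB.QueryRow($QUERY, ...)
              - pattern: $DB.Exec($QUERY, ...)
              - pattern: $DB.QueryContext($CTX, $QUERY, ...)
              - pattern: $DB.ExecContext($CTX, $QUERY, ...)
          # Only the query string is the sink. Trailing placeholder
          # arguments are bound by the driver, which is exactly why the
          # "ok:" test case with "?" must not be reported.
          - focus-metavariable: $QUERY
```

Taint mode propagates through `+` and through ordinary function calls by default, so a test file for this rule should also contain a `ruleid:` case built with `fmt.Sprintf("... %s", userInput)` and an `ok:` case that passes `strconv.Atoi(userInput)` into the query, to confirm that both the propagation and the sanitizer behave as assumed before the variant is considered done. Run it with `semgrep --test --config sql-injection-golang.yaml sql-injection-golang.go` as in Phase 4.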
### Phase 4: Validation
```bash
# Validate YAML
semgrep --validate --config rule.yaml
# Run tests
semgrep --test --config rule.yaml test-file
```
**Checkpoint**: Output MUST show `All tests passed`.

For taint rule debugging:
```bash
semgrep --dataflow-traces -f rule.yaml test-file
```
See [workflow.md]({baseDir}/references/workflow.md) for detailed workflow and troubleshooting.
## Quick Reference
| Task | Command |
|------|---------|
| Run tests | `semgrep --test --config rule.yaml test-file` |
| Validate YAML | `semgrep --validate --config rule.yaml` |
| Dump AST | `semgrep --dump-ast -l <lang> <file>` |
| Debug taint flow | `semgrep --dataflow-traces -f rule.yaml file` |
## Key Differences from Rule Creation
| Aspect | semgrep-rule-creator | This skill |
|--------|---------------------|------------|
| Input | Bug pattern description | Existing rule + target languages |
| Output | Single rule+test | Multiple rule+test directories |
| Workflow | Single creation cycle | Independent cycle per language |
| Phase 1 | Problem analysis | Applicability analysis per language |
| Library research | Always relevant | Optional (when original uses libraries) |
## Documentation
**REQUIRED**: Before porting rules, read relevant Semgrep documentation:
- [Rule Syntax](https://semgrep.dev/docs/writing-rules/rule-syntax) - YAML structure and operators
- [Pattern Syntax](https://semgrep.dev/docs/writing-rules/pattern-syntax) - Pattern matching and metavariables
- [Pattern Examples](https://semgrep.dev/docs/writing-rules/pattern-examples) - Per-language pattern references
- [Testing Rules](https://semgrep.dev/docs/writing-rules/testing-rules) - Testing annotations
- [Trail of Bits Testing Handbook](https://appsec.guide/docs/static-analysis/semgrep/advanced/) - Advanced patterns
## Next Steps
- For applicability analysis guidance, see [applicability-analysis.md]({baseDir}/references/applicability-analysis.md)
- For language translation guidance, see [language-syntax-guide.md]({baseDir}/references/language-syntax-guide.md)
- For detailed workflow and examples, see [workflow.md]({baseDir}/references/workflow.md)
How to Use This Skill Unit
Option A: Project-Specific (Recommended)
- Click "Download" above
- In your project, create the directory: `.agent/skills/semgrep-rule-variant-creator/`
- Save the file as `SKILL.md`
- The agent will automatically discover the skill based on its description.
Option B: Global Installation (All Agents)
Save the file to these locations to make it available across all projects:
- Claude Code: `~/.claude/skills/trailofbits/skills/semgrep-rule-variant-creator/SKILL.md`
- Cursor: `~/.cursor/skills/trailofbits/skills/semgrep-rule-variant-creator/SKILL.md`
- Antigravity: `~/.gemini/antigravity/skills/trailofbits/skills/semgrep-rule-variant-creator/SKILL.md`