Stats
Actions
Tags
From prodsec-skills
Creates language variants of existing Semgrep rules for static analysis. Ports rules to specified target languages, producing rule and test directories per language.
How this skill is triggered — by the user, by Claude, or both
Slash command
/prodsec-skills:semgrep-rule-variant-creatorThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Port existing Semgrep rules to new target languages with proper applicability analysis and test-driven validation.
Port existing Semgrep rules to new target languages with proper applicability analysis and test-driven validation.
Ideal scenarios:
Do NOT use this skill for:
semgrep-rule-creator instead)This skill requires:
For each applicable target language, produces:
<original-rule-id>-<language>/
├── <original-rule-id>-<language>.yaml # Ported Semgrep rule
└── <original-rule-id>-<language>.<ext> # Test file with annotations
Example output for porting sql-injection to Go and Java:
sql-injection-golang/
├── sql-injection-golang.yaml
└── sql-injection-golang.go
sql-injection-java/
├── sql-injection-java.yaml
└── sql-injection-java.java
When porting Semgrep rules, reject these common shortcuts:
| Rationalization | Why It Fails | Correct Approach |
|---|---|---|
| "Pattern structure is identical" | Different ASTs across languages | Always dump AST for target language |
| "Same vulnerability, same detection" | Data flow differs between languages | Analyze target language idioms |
| "Rule doesn't need tests since original worked" | Language edge cases differ | Write NEW test cases for target |
| "Skip applicability - it obviously applies" | Some patterns are language-specific | Complete applicability analysis first |
| "I'll create all variants then test" | Errors compound, hard to debug | Complete full cycle per language |
| "Library equivalent is close enough" | Surface similarity hides differences | Verify API semantics match |
| "Just translate the syntax 1:1" | Languages have different idioms | Research target language patterns |
This workflow is strict - do not skip steps:
This skill guides the creation of language-specific variants of existing Semgrep rules. Each target language goes through an independent 4-phase cycle:
FOR EACH target language:
Phase 1: Applicability Analysis → Verdict
Phase 2: Test Creation (Test-First)
Phase 3: Rule Creation
Phase 4: Validation
(Complete full cycle before moving to next language)
The semgrep-rule-creator skill is the authoritative reference for Semgrep rule creation fundamentals. While this skill focuses on porting existing rules to new languages, the core principles of writing quality rules remain the same.
Consult semgrep-rule-creator for guidance on:
When porting a rule, you're applying these same principles in a new language context. If uncertain about rule structure or approach, refer to semgrep-rule-creator first.
Before porting, determine if the pattern applies to the target language.
Analysis criteria:
Verdict options:
APPLICABLE → Proceed with variant creationAPPLICABLE_WITH_ADAPTATION → Proceed but significant changes neededNOT_APPLICABLE → Skip this language, document whyFull guidance is inlined below (upstream references/applicability-analysis.md). (see upstream Trail of Bits prodsec-skills for companion files)
Always write tests before the rule.
Create test file with target language idioms:
ruleid:)ok:)// ruleid: sql-injection-golang
db.Query("SELECT * FROM users WHERE id = " + userInput)
// ok: sql-injection-golang
db.Query("SELECT * FROM users WHERE id = ?", userInput)
semgrep --dump-ast -l <lang> test-fileSee Inlined: language syntax guide below.
# Validate YAML
semgrep --validate --config rule.yaml
# Run tests
semgrep --test --config rule.yaml test-file
Checkpoint: Output MUST show All tests passed.
For taint rule debugging:
semgrep --dataflow-traces -f rule.yaml test-file
Extended troubleshooting and examples: upstream references/workflow.md in the rule-creator plugin and semgrep-rule-creator in this repo.
| Task | Command |
|---|---|
| Run tests | semgrep --test --config rule.yaml test-file |
| Validate YAML | semgrep --validate --config rule.yaml |
| Dump AST | semgrep --dump-ast -l <lang> <file> |
| Debug taint flow | semgrep --dataflow-traces -f rule.yaml file |
| Aspect | semgrep-rule-creator | This skill |
|---|---|---|
| Input | Bug pattern description | Existing rule + target languages |
| Output | Single rule+test | Multiple rule+test directories |
| Workflow | Single creation cycle | Independent cycle per language |
| Phase 1 | Problem analysis | Applicability analysis per language |
| Library research | Always relevant | Optional (when original uses libraries) |
REQUIRED: Before porting rules, read relevant Semgrep documentation:
references/applicability-analysis.md)Phase 1 of the variant creation workflow. Before porting a rule, analyze whether the vulnerability pattern applies to the target language.
For EACH target language, answer these questions:
Determine if the vulnerability type is possible in the target language.
Examples:
Identify what the original rule detects and find equivalents.
Parse the original rule to identify:
Then research the target language:
Verify the pattern translates meaningfully.
Consider:
Document your analysis for each target language:
TARGET: <language>
VERDICT: APPLICABLE | APPLICABLE_WITH_ADAPTATION | NOT_APPLICABLE
REASONING: <specific analysis>
ADAPTATIONS_NEEDED: <if APPLICABLE_WITH_ADAPTATION>
EQUIVALENT_CONSTRUCTS:
- Original: <function/pattern>
- Target: <equivalent function/pattern>
The pattern translates directly with minor syntax adjustments.
Criteria:
Example:
Original: Python os.system(user_input)
Target: Go exec.Command(user_input)
VERDICT: APPLICABLE
REASONING: Both execute shell commands with user input. Vulnerability is
identical (command injection). Detection logic (taint from input to exec)
translates directly.
The pattern can be ported but requires significant changes.
Criteria:
Example:
Original: Python pickle.loads(untrusted)
Target: Java ObjectInputStream.readObject()
VERDICT: APPLICABLE_WITH_ADAPTATION
REASONING: Both detect deserialization vulnerabilities but the APIs differ
significantly. Java requires detection of ObjectInputStream creation and
readObject() calls, not a single function call.
ADAPTATIONS_NEEDED:
- Different sink patterns (readObject vs loads)
- May need pattern-inside for ObjectInputStream context
- Consider readUnshared() variant
The pattern should not be ported to this language.
Criteria:
Example:
Original: C buffer overflow detection
Target: Python
VERDICT: NOT_APPLICABLE
REASONING: Python handles memory management automatically. Buffer overflows
in the traditional C sense don't exist. The vulnerability class is not
present in the target language.
These vulnerability classes exist across most languages:
These require careful analysis:
These are often NOT_APPLICABLE for other languages:
When the original rule targets a third-party library:
What functionality does the library provide?
For the target language, identify:
Options:
Recommendation: Start with standard library or most popular option. Additional library variants can be created separately if needed.
Before proceeding past Phase 1:
Original Rule: Python command injection via subprocess
rules:
- id: python-command-injection
mode: taint
languages: [python]
pattern-sources:
- pattern: request.args.get(...)
pattern-sinks:
- pattern: subprocess.call($CMD, shell=True, ...)
Target: Go
TARGET: Go
VERDICT: APPLICABLE_WITH_ADAPTATION
REASONING:
- Command injection exists in Go (vulnerability class present)
- Go uses exec.Command() and exec.CommandContext() for command execution
- Go doesn't have shell=True equivalent; commands run directly by default
- Shell execution in Go requires explicit bash -c wrapping
EQUIVALENT_CONSTRUCTS:
- Original sink: subprocess.call(cmd, shell=True)
- Target sinks:
- exec.Command("bash", "-c", cmd)
- exec.Command("sh", "-c", cmd)
- exec.Command(cmd) when cmd comes from user input
ADAPTATIONS_NEEDED:
1. Different sink patterns for Go's exec package
2. Source patterns need Go HTTP handler equivalents (r.URL.Query(), r.FormValue())
3. Consider both direct exec.Command and shell-wrapped variants
Target: Java
TARGET: Java
VERDICT: APPLICABLE
REASONING:
- Command injection exists in Java (vulnerability class present)
- Java uses Runtime.exec() and ProcessBuilder for command execution
- Direct equivalent functionality available
EQUIVALENT_CONSTRUCTS:
- Original sink: subprocess.call(cmd, shell=True)
- Target sinks:
- Runtime.getRuntime().exec(cmd)
- new ProcessBuilder(cmd).start()
ADAPTATIONS_NEEDED:
- Source patterns need Java servlet equivalents (request.getParameter())
- Consider both Runtime.exec and ProcessBuilder patterns
references/language-syntax-guide.md)Guidance for translating Semgrep patterns between languages. This is NOT a pre-built mapping—use these principles to research and adapt patterns for your specific case.
What looks similar may parse differently:
# Python: method call on object
obj.method(arg)
# Go: might be method OR field access + function call
obj.Method(arg) # Method call
obj.Field(arg) # Field holding function, then called
Always dump the AST for your target language to see the actual structure.
For each construct in the original rule:
The goal is detecting the same vulnerability, not matching identical syntax.
# Original (Python) - detects eval of user input
pattern: eval($USER_INPUT)
# Go doesn't have eval() - what's the equivalent danger?
# Research shows: template execution, reflect-based eval, etc.
# Adapt to what actually creates the vulnerability in Go
semgrep --dump-ast -l <target-language> test-file
Compare how similar constructs are represented:
# Python
cursor.execute(query)
// Go
db.Query(query)
The AST structure may differ significantly even for conceptually similar operations.
| Aspect | May Differ |
|---|---|
| Method calls | Receiver position, syntax |
| Function arguments | Named vs positional, defaults |
| String handling | Interpolation, concatenation |
| Error handling | Exceptions vs return values |
| Imports | How namespaces work |
Semgrep metavariables ($X, $FUNC, etc.) work in all languages:
# Works in Python
pattern: $OBJ.execute($QUERY)
# Works in Java
pattern: $OBJ.executeQuery($QUERY)
# Works in Go
pattern: $DB.Query($QUERY, ...)
... matches language-appropriate constructs:
Research for your target language:
Common patterns to look for:
Research for your target language:
Research for your target language:
Research for your target language:
Parse the original rule:
Search for:
"<target language> <functionality>" (e.g., "golang exec command")"<target language> <vulnerability>" (e.g., "java sql injection")A single Python function may have multiple equivalents:
# Python has one main way
os.system(cmd)
// Java has multiple
Runtime.getRuntime().exec(cmd);
new ProcessBuilder(cmd).start();
ProcessBuilder.command(cmd).start();
Include all common variants in your rule.
Languages have preferred patterns:
# Python: often inline
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
// Go: typically uses placeholders
db.Query("SELECT * FROM users WHERE id = ?", userID)
// Vulnerability is when they DON'T use placeholders
db.Query("SELECT * FROM users WHERE id = " + userID)
Original rule sources need framework-specific translation:
# Python Flask
pattern: request.args.get(...)
# Java Servlet
pattern: $REQUEST.getParameter(...)
# Go net/http
pattern: $R.URL.Query().Get(...)
pattern: $R.FormValue(...)
Further sink/source examples and edge cases: (see upstream Trail of Bits prodsec-skills for companion files) — full language-syntax-guide.md.
npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skillsPorts existing Semgrep rules to new target languages with applicability analysis and test-driven validation. Use when expanding rule coverage across a polyglot codebase.
Ports existing Semgrep rules to target languages, creating YAML rule files and annotated tests for each. Use for polyglot codebases or expanding rule coverage across languages.
Creates custom Semgrep rules for detecting security vulnerabilities, bug patterns, and code patterns. Includes testing and validation.