# Static Analysis

Comprehensive static analysis toolkit for security vulnerability detection, based on the Trail of Bits Application Security Testing Handbook.
## When to Use

- Running security scans on codebases (any language)
- Writing custom CodeQL queries or Semgrep rules
- Processing and triaging SARIF output files from analysis tools
- Setting up static analysis in CI/CD pipelines
- Comparing and aggregating results from multiple tools
## When NOT to Use

- Writing Semgrep rules from scratch (use the semgrep-rule-creator skill instead)
- Dynamic analysis or fuzzing (use testing-handbook-skills)
- Smart contract auditing (use security-building-secure-contracts)
## Sub-Skills

| Tool | Purpose | Best For | Skill Path |
|------|---------|----------|------------|
| CodeQL | Semantic code analysis with database queries | Deep data flow tracking, taint analysis, cross-function analysis | skills/codeql/SKILL.md |
| Semgrep | Fast pattern-matching static analysis | Quick scans, custom rules, CI integration, lightweight checks | skills/semgrep/SKILL.md |
| SARIF Parsing | Parse and process SARIF result files | Aggregating results, CI/CD integration, multi-tool triage | skills/sarif-parsing/SKILL.md |
## Tool Selection Guide

| Scenario | Recommended Tool |
|----------|------------------|
| Quick security scan | Semgrep |
| Deep vulnerability analysis | CodeQL |
| Data flow / taint tracking | CodeQL (best) or Semgrep taint mode |
| Custom pattern detection | Semgrep (simpler) or CodeQL (more powerful) |
| CI/CD integration | Semgrep (fastest) + CodeQL (thorough) |
| Processing scan results | SARIF Parsing |
| Non-building codebase | Semgrep (works on incomplete code) |
## Quick Start

### Semgrep (fast scan)

```bash
# Install
pip install semgrep

# Run with recommended rulesets
semgrep --config=auto .

# Run a specific ruleset
semgrep --config=p/security-audit .
```

### CodeQL (deep analysis)

```bash
# Create the database
codeql database create mydb --language=python --source-root=.

# Run security queries
codeql database analyze mydb codeql/python-queries:codeql-suites/python-security-extended.qls --format=sarif-latest --output=results.sarif
```

### SARIF Processing

```bash
# Parse results with jq
jq '.runs[].results[] | {ruleId, message: .message.text, location: .locations[0].physicalLocation.artifactLocation.uri}' results.sarif
```
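The jq one-liner above flattens a single SARIF file; multi-tool triage needs the runs from Semgrep and CodeQL merged so that the same location reported by both tools becomes one entry. The following is an added example (not part of this skill or of either tool's own code) that does that in plain Python over two constructed SARIF logs; the rule IDs, file paths and line numbers in the sample data are assumptions, not real scan output.

```python
"""Aggregate SARIF logs from several tools into one triage list (added example)."""
import json

def _result(rule_id, level, uri, line, text):
    """Build one minimal SARIF result object (constructed sample data)."""
    return {"ruleId": rule_id, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}

def _sarif(tool, results):
    return json.dumps({"version": "2.1.0", "runs": [
        {"tool": {"driver": {"name": tool}}, "results": results}]})

# Constructed inputs: both tools flag app/run.py:12, CodeQL adds a second finding.
SEMGREP_SARIF = _sarif("semgrep", [
    _result("python.lang.security.audit.subprocess-shell-true", "error",
            "app/run.py", 12, "subprocess call with shell=True")])
CODEQL_SARIF = _sarif("CodeQL", [
    _result("py/command-line-injection", "error", "app/run.py", 12,
            "This command line depends on a user-provided value."),
    _result("py/clear-text-logging-sensitive-data", "warning", "app/auth.py", 40,
            "Sensitive data is logged.")])

def load_findings(sarif_text):
    """Flatten one SARIF log into plain dicts, tolerating missing optional fields."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "tool": tool, "ruleId": r.get("ruleId", "<no-rule>"),
                "level": r.get("level", "warning"),  # SARIF's default when omitted
                "uri": loc.get("artifactLocation", {}).get("uri", "<unknown>"),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": r.get("message", {}).get("text", "")})
    return findings

def aggregate(*sarif_texts):
    """Group findings from all tools by (uri, line) so overlapping reports merge."""
    by_location = {}
    for text in sarif_texts:
        for f in load_findings(text):
            by_location.setdefault((f["uri"], f["line"]), []).append(f)
    return by_location

def triage_order(by_location):
    """Order locations: flagged by the most tools first, then by worst SARIF level."""
    rank = {"error": 0, "warning": 1, "note": 2}
    return sorted(by_location.items(), key=lambda kv: (
        -len(kv[1]), min(rank.get(f["level"], 3) for f in kv[1])))
```

Call `triage_order(aggregate(SEMGREP_SARIF, CODEQL_SARIF))` to get the location that both tools agree on first; with real files, pass the contents of each `results.sarif` instead of the constructed strings.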
## Workflow

- Quick scan with Semgrep for fast results
- Deep analysis with CodeQL for thorough coverage
- Aggregate results using SARIF parsing
- Triage findings by severity and exploitability
- Custom rules for project-specific patterns
## Related Skills

- semgrep-rule-creator - Dedicated skill for writing production-quality Semgrep rules
- variant-analysis - Find similar vulnerabilities using CodeQL/Semgrep patterns
- security-differential-review - Security-focused code review using static analysis findings