Labsco
semgrep logo

code-security

232

by semgrep · part of semgrep/skills

Security guidelines for writing secure code. Use when writing code, reviewing code for vulnerabilities, or asking about secure coding practices like 'check for…

🔥🔥🔥🔥✓ VerifiedFreeQuick setup
🧩 One of 3 skills in the semgrep/skills package — works on its own, and pairs well with its siblings.

Security guidelines for writing secure code. Use when writing code, reviewing code for vulnerabilities, or asking about secure coding practices like 'check for…

Inspect the full instructions your agent will receiveExpand

This is the exact playbook injected into your agent when the skill activates — shown here so you can audit it before installing. You don't need to read it to use the skill.

by semgrep

Security guidelines for writing secure code. Use when writing code, reviewing code for vulnerabilities, or asking about secure coding practices like 'check for… npx skills add https://github.com/semgrep/skills --skill code-security Download ZIPGitHub232

Code Security Guidelines

Comprehensive security rules for writing secure code across 15+ languages. Covers OWASP Top 10, infrastructure security, and coding best practices with 28 rule categories.

Language-Specific Priority Rules

When writing code in these languages, check these rules first:

Language Priority Rules to Check Python SQL injection, command injection, path traversal, code injection, SSRF, insecure crypto JavaScript/TypeScript XSS, prototype pollution, code injection, insecure transport, CSRF Java SQL injection, XXE, insecure deserialization, insecure crypto, SSRF Go SQL injection, command injection, path traversal, insecure transport C/C++ Memory safety, unsafe functions, command injection, path traversal Ruby SQL injection, command injection, code injection, insecure deserialization PHP SQL injection, XSS, command injection, code injection, path traversal HCL/YAML Terraform (AWS/Azure/GCP), Kubernetes, Docker, GitHub Actions

Categories

Critical Impact

  • SQL Injection (rules/sql-injection.md) - Use parameterized queries, never concatenate user input

  • Command Injection (rules/command-injection.md) - Avoid shell commands with user input, use safe APIs

  • XSS (rules/xss.md) - Escape output, use framework protections

  • XXE (rules/xxe.md) - Disable external entities in XML parsers

  • Path Traversal (rules/path-traversal.md) - Validate and sanitize file paths

  • Insecure Deserialization (rules/insecure-deserialization.md) - Never deserialize untrusted data

  • Code Injection (rules/code-injection.md) - Never eval() user input

  • Hardcoded Secrets (rules/secrets.md) - Use environment variables or secret managers

  • Memory Safety (rules/memory-safety.md) - Prevent buffer overflows, use-after-free (C/C++)

High Impact

  • Insecure Crypto (rules/insecure-crypto.md) - Use SHA-256+, AES-256, avoid MD5/SHA1/DES

  • Insecure Transport (rules/insecure-transport.md) - Use HTTPS, verify certificates

  • SSRF (rules/ssrf.md) - Validate URLs, use allowlists

  • JWT Issues (rules/authentication-jwt.md) - Always verify signatures

  • CSRF (rules/csrf.md) - Use CSRF tokens on state-changing requests

  • Prototype Pollution (rules/prototype-pollution.md) - Validate object keys in JavaScript

Infrastructure

  • Terraform AWS/Azure/GCP (rules/terraform-aws.md, rules/terraform-azure.md, rules/terraform-gcp.md) - Encryption, least privilege, no public access

  • Kubernetes (rules/kubernetes.md) - No privileged containers, run as non-root

  • Docker (rules/docker.md) - Don't run as root, pin image versions

  • GitHub Actions (rules/github-actions.md) - Avoid script injection, pin action versions

Medium/Low Impact

  • Regex DoS (rules/regex-dos.md) - Avoid catastrophic backtracking

  • Race Conditions (rules/race-condition.md) - Use proper synchronization

  • Correctness (rules/correctness.md) - Avoid common logic bugs

  • Best Practices (rules/best-practice.md) - General secure coding patterns

See rules/_sections.md for the full index with CWE/OWASP references.

Quick Reference

Vulnerability Key Prevention SQL Injection Parameterized queries XSS Output encoding Command Injection Avoid shell, use APIs Path Traversal Validate paths SSRF URL allowlists Secrets Environment variables Crypto SHA-256, AES-256