
Static Analysis Tools Skill


Stars: 384
Forks: 73
Updated: March 4, 2026

SKILL.md frontmatter:
  name: Static Analysis Tools Skill
  description: Integration with security-focused static analysis tools
  allowed-tools: Bash,Read,Write,Edit,Glob,Grep

Static Analysis Tools Skill

Overview

This skill provides integration with security-focused static analysis tools for comprehensive code security analysis.

Capabilities

  • Execute Semgrep rules and custom patterns
  • Run CodeQL queries for vulnerability detection
  • Execute language-specific analyzers such as Bandit (Python), Brakeman (Ruby), gosec (Go) and SpotBugs (Java)
  • Parse and interpret static analysis results
  • Generate custom detection rules
  • Aggregate findings across tools
  • Map findings to CWE/CVE identifiers
  • Support SAST pipeline integration

Target Processes

  • static-code-analysis.js
  • variant-analysis.js
  • web-app-vuln-research.js
  • api-security-research.js

Dependencies

  • Semgrep CLI
  • CodeQL CLI and databases
  • Language-specific analyzers:
    • Bandit (Python)
    • Brakeman (Ruby)
    • gosec (Go)
    • SpotBugs (Java)
  • Python for result aggregation

Usage Context

This skill is essential for:

  • Security code review automation
  • Vulnerability pattern detection
  • Custom security rule development
  • CI/CD security gate integration
  • Variant analysis across codebases

Integration Notes

  • Supports multiple output formats (SARIF, JSON, custom)
  • Can run incrementally on changed files
  • Integrates with IDE and CI/CD workflows
  • Custom rules can be version controlled
  • Results can be deduplicated and triaged
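The Capabilities list above (parse results, aggregate findings across tools, map them to CWE identifiers) and the deduplication note in Integration Notes describe the result-aggregation step that the skill delegates to Python. The following is an added example, not code from the skill or from any of the tools it names, showing one way that step can be done: it normalizes Semgrep and Bandit JSON output into a common finding record, merges findings that two tools report at the same location and CWE, keeps the higher severity, and counts findings per CWE. The field names used for Semgrep (`results[].check_id`, `path`, `start.line`, `extra.severity`, `extra.metadata.cwe`) and Bandit (`results[].test_id`, `filename`, `line_number`, `issue_severity`, `issue_cwe`) follow those tools' JSON formats as I understand them; the sample documents, file paths and rule ids are constructed for the example.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Severity ranking used to pick the stronger of two overlapping findings.
SEV_RANK = {"HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}
# Semgrep reports ERROR/WARNING/INFO; Bandit already uses HIGH/MEDIUM/LOW.
SEMGREP_SEVERITY = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}


@dataclass
class Finding:
    tools: tuple            # every tool that reported this finding
    rule_ids: tuple         # the rule id each tool used
    path: str
    line: int
    severity: str           # normalized to HIGH / MEDIUM / LOW / INFO
    cwe: Optional[str]      # "CWE-78" style, or None if the tool gave none
    message: str


def normalize_cwe(value):
    """Accept 'CWE-78', 'CWE-78: ...', 78, ['CWE-78', ...] or {'id': 78}."""
    if value is None:
        return None
    if isinstance(value, list):
        return normalize_cwe(value[0]) if value else None
    if isinstance(value, dict):
        return normalize_cwe(value.get("id"))
    m = re.search(r"(\d+)", str(value))
    return f"CWE-{m.group(1)}" if m else None


def parse_semgrep(doc):
    """Semgrep `--json` output: results[] with check_id, path, start.line, extra{...}."""
    out = []
    for r in doc.get("results", []):
        extra = r.get("extra", {})
        out.append(Finding(
            tools=("semgrep",), rule_ids=(r["check_id"],),
            path=r["path"], line=int(r["start"]["line"]),
            severity=SEMGREP_SEVERITY.get(str(extra.get("severity", "")).upper(), "INFO"),
            cwe=normalize_cwe(extra.get("metadata", {}).get("cwe")),
            message=extra.get("message", ""),
        ))
    return out


def parse_bandit(doc):
    """Bandit `-f json` output: results[] with test_id, filename, line_number, issue_*."""
    out = []
    for r in doc.get("results", []):
        sev = str(r.get("issue_severity", "LOW")).upper()
        out.append(Finding(
            tools=("bandit",), rule_ids=(r["test_id"],),
            path=r["filename"], line=int(r["line_number"]),
            severity=sev if sev in SEV_RANK else "INFO",
            cwe=normalize_cwe(r.get("issue_cwe")),
            message=r.get("issue_text", ""),
        ))
    return out


def dedupe(findings):
    """Merge findings at the same path/line with the same CWE (or same rule when no CWE)."""
    merged = {}
    for f in findings:
        key = (f.path, f.line, f.cwe if f.cwe else f.rule_ids[0])
        if key not in merged:
            merged[key] = Finding(**vars(f))   # copy so the input list is untouched
            continue
        m = merged[key]
        m.tools = tuple(sorted(set(m.tools + f.tools)))
        m.rule_ids = tuple(sorted(set(m.rule_ids + f.rule_ids)))
        if SEV_RANK[f.severity] > SEV_RANK[m.severity]:
            m.severity, m.message = f.severity, f.message
    # Triage order: highest severity first, then by location.
    return sorted(merged.values(), key=lambda x: (-SEV_RANK[x.severity], x.path, x.line))


def count_by_cwe(findings):
    counts = {}
    for f in findings:
        k = f.cwe or "uncategorized"
        counts[k] = counts.get(k, 0) + 1
    return counts


def aggregate(tool_outputs):
    """tool_outputs: iterable of (tool_name, parsed JSON document) pairs."""
    parsers = {"semgrep": parse_semgrep, "bandit": parse_bandit}
    findings = []
    for tool, doc in tool_outputs:
        findings.extend(parsers[tool](doc))
    return dedupe(findings)


# Constructed sample output: both tools flag the same shell=True call in app/run.py.
SAMPLE_SEMGREP = {"results": [
    {"check_id": "python.lang.security.subprocess-shell-true", "path": "app/run.py",
     "start": {"line": 12}, "extra": {"severity": "WARNING", "message": "shell=True with user input",
                                      "metadata": {"cwe": ["CWE-78: OS Command Injection"]}}},
    {"check_id": "python.sqlalchemy.security.sqli", "path": "app/db.py",
     "start": {"line": 40}, "extra": {"severity": "ERROR", "message": "string-built SQL",
                                      "metadata": {"cwe": "CWE-89: SQL Injection"}}},
]}
SAMPLE_BANDIT = {"results": [
    {"test_id": "B602", "filename": "app/run.py", "line_number": 12, "issue_severity": "HIGH",
     "issue_text": "subprocess call with shell=True", "issue_cwe": {"id": 78}},
    {"test_id": "B105", "filename": "app/config.py", "line_number": 3, "issue_severity": "LOW",
     "issue_text": "possible hardcoded password", "issue_cwe": {"id": 259}},
]}

if __name__ == "__main__":
    for f in aggregate([("semgrep", SAMPLE_SEMGREP), ("bandit", SAMPLE_BANDIT)]):
        print(json.dumps(vars(f)))
```

The merge key falls back to the rule id only when a tool supplied no CWE, so two tools that disagree on classification stay as separate findings for a human to reconcile rather than being silently collapsed.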