Can it fix XSS vulnerabilities automatically?

Yes, it identifies unsafe string interpolation and replaces it with framework-native escaping, such as Hono's html tagged templates or React's standard JSX rendering.

How does it document suppressed findings?

It adds 'nosemgrep' comments either on the same line or immediately above the finding, including a detailed explanation of why the suppression is safe, such as in the case of test fixtures.

How does this skill handle local Semgrep rules?

It automatically detects .semgrep/ directories or .semgrep.yaml files in the project root and includes them in the scan alongside the standard auto-config for complete coverage.

Does it support specific JavaScript frameworks?

The skill includes specialized patterns for Hono and React/JSX, prioritizing framework-native escaping utilities over custom helper functions.

Semgrep Review

Name: Semgrep Review
Author: jaeyeom

byjaeyeom

0•

Seguridad y Pruebas

Automates the triage, remediation, and suppression of Semgrep static analysis security findings within your codebase.

The Semgrep Review skill empowers Claude to act as a security engineer by running comprehensive static analysis scans and intelligently evaluating the results. It distinguishes between genuine vulnerabilities and false positives—such as test fixtures or framework-managed values—and applies context-aware fixes using framework-native escaping patterns for Hono, React, and standard SSR. Beyond just fixing code, it generates properly formatted, documented suppression comments for non-issues, ensuring your project maintains a clean security profile without the manual overhead of managing linting noise.

Características Principales

01Intelligent triage of vulnerabilities vs. false positives using data-flow tracing

02Precise 'nosemgrep' suppression with clear, documented rationale

030 GitHub stars

04Post-fix verification workflow to ensure zero findings and zero regressions

05Automated Semgrep scanning with support for local rules and auto-config

06Framework-native security patching for Hono, React, and server-side rendering

Casos de Uso

01Conducting automated security audits during the development lifecycle

02Managing and documenting security exceptions in test suites and internal admin tools

03Refactoring legacy code to use modern, secure escaping patterns like Hono html literals

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add jaeyeom/claude-toolbox semgrep-review

For use in Claude.ai and ChatGPT

Download Skill