Where are the custom rules stored in my project?

Rules are typically stored in the .specify/security/rules/ or .semgrep/ directories to be automatically picked up by the security scanner.

What scanners does this skill support?

This skill primarily supports Semgrep for multi-language pattern matching and Bandit for Python-specific security analysis.

Can I use this to reduce false positives in my scans?

Yes, the skill provides guidance on using pattern-not clauses and pattern-inside constraints to exclude safe code and focus on real vulnerabilities.

How do I verify my new security rules work?

The skill helps you create positive and negative test cases and provides the specific Semgrep CLI commands to validate your rule syntax and logic.

Security Custom Rules

Name: Security Custom Rules
Author: jpoley

byjpoley

•

セキュリティとテスト

Empowers developers to design, validate, and implement tailored security linting rules using Semgrep and Bandit syntax.

概要

The Security Custom Rules skill streamlines the process of creating organization-specific security policies within Claude Code. It guides users through identifying vulnerability patterns, writing precise Semgrep or Bandit rules, and testing them against real codebases to ensure high accuracy with minimal false positives. By integrating directly with the flowspec workflow, it helps teams enforce internal coding standards and detect domain-specific security risks that generic scanners often miss.

主な機能

Interactive Semgrep and Bandit rule generation
Direct integration with flowspec security scanning
Automated rule validation and syntax checking
5 GitHub stars
False positive reduction using context-aware filters
Integrated test case creation for security policies

ユースケース

Reducing noise in security scans by fine-tuning existing rule patterns
Detecting organization-specific vulnerabilities and hardcoded secrets
Enforcing internal coding standards and secure development practices

概要

主な機能

Interactive Semgrep and Bandit rule generation
Direct integration with flowspec security scanning
Automated rule validation and syntax checking
5 GitHub stars
False positive reduction using context-aware filters
Integrated test case creation for security policies

ユースケース

Reducing noise in security scans by fine-tuning existing rule patterns
Detecting organization-specific vulnerabilities and hardcoded secrets
Enforcing internal coding standards and secure development practices