C
code-security
by @semgrepv1.0.0
3.7(0)
提供编写安全代码的指导原则和最佳实践,帮助开发者规避潜在的安全漏洞。
Static Application Security Testing (SAST)SemgrepVulnerability ScanningSecure Code ReviewSupply Chain SecurityGitHub
安装方式
npx skills add semgrep/skills --skill code-securitycompare_arrows
Before / After 效果对比
1 组使用前
编写代码时缺乏安全意识,容易引入漏洞,导致系统遭受攻击。代码审查难以全面覆盖安全风险,存在潜在隐患。
使用后
遵循安全编码指南,从源头杜绝常见漏洞,提升代码健壮性。代码审查更聚焦安全,有效降低系统被攻击的风险。
description SKILL.md
name: code-security description: "Security guidelines for writing secure code. Use when writing code, reviewing code for vulnerabilities, or asking about secure coding practices like 'check for SQL injection' or 'review security'. IMPORTANT: Always consult this skill when writing or reviewing any code that handles user input, authentication, file operations, database queries, network requests, cryptography, or infrastructure configuration (Terraform, Kubernetes, Docker, GitHub Actions) — even if the user doesn't explicitly mention security. Also use when users ask to 'review my code', 'check this for bugs', or 'is this safe'."
Code Security Guidelines
Comprehensive security rules for writing secure code across 15+ languages. Covers OWASP Top 10, infrastructure security, and coding best practices with 28 rule categories.
How to Use This Skill
Proactive mode — When writing or reviewing code, automatically check for relevant vulnerabilities based on the language and patterns present. You don't need to wait for the user to ask about security.
Reactive mode — When the user asks about security, use the categories below to find the relevant rule file, then read it for detailed vulnerable/secure code examples.
Workflow
- Identify the language and what the code does (handles input? queries a DB? reads files?)
- Check the relevant rules below — focus on Critical and High impact first
- Read the specific rule file from
rules/for detailed code examples in that language - Apply the secure patterns, or flag the vulnerable patterns if reviewing
Language-Specific Priority Rules
When writing code in these languages, check these rules first:
| Language | Priority Rules to Check |
|---|---|
| Python | SQL injection, command injection, path traversal, code injection, SSRF, insecure crypto |
| JavaScript/TypeScript | XSS, prototype pollution, code injection, insecure transport, CSRF |
| Java | SQL injection, XXE, insecure deserialization, insecure crypto, SSRF |
| Go | SQL injection, command injection, path traversal, insecure transport |
| C/C++ | Memory safety, unsafe functions, command injection, path traversal |
| Ruby | SQL injection, command injection, code injection, insecure deserialization |
| PHP | SQL injection, XSS, command injection, code injection, path traversal |
| HCL/YAML | Terraform (AWS/Azure/GCP), Kubernetes, Docker, GitHub Actions |
Categories
Critical Impact
- SQL Injection (
rules/sql-injection.md) - Use parameterized queries, never concatenate user input - Command Injection (
rules/command-injection.md) - Avoid shell commands with user input, use safe APIs - XSS (
rules/xss.md) - Escape output, use framework protections - XXE (
rules/xxe.md) - Disable external entities in XML parsers - Path Traversal (
rules/path-traversal.md) - Validate and sanitize file paths - Insecure Deserialization (
rules/insecure-deserialization.md) - Never deserialize untrusted data - Code Injection (
rules/code-injection.md) - Never eval() user input - Hardcoded Secrets (
rules/secrets.md) - Use environment variables or secret managers - Memory Safety (
rules/memory-safety.md) - Prevent buffer overflows, use-after-free (C/C++)
High Impact
- Insecure Crypto (
rules/insecure-crypto.md) - Use SHA-256+, AES-256, avoid MD5/SHA1/DES - Insecure Transport (
rules/insecure-transport.md) - Use HTTPS, verify certificates - SSRF (
rules/ssrf.md) - Validate URLs, use allowlists - JWT Issues (
rules/authentication-jwt.md) - Always verify signatures - CSRF (
rules/csrf.md) - Use CSRF tokens on state-changing requests - Prototype Pollution (
rules/prototype-pollution.md) - Validate object keys in JavaScript
Infrastructure
- Terraform AWS/Azure/GCP (
rules/terraform-aws.md,rules/terraform-azure.md,rules/terraform-gcp.md) - Encryption, least privilege, no public access - Kubernetes (
rules/kubernetes.md) - No privileged containers, run as non-root - Docker (
rules/docker.md) - Don't run as root, pin image versions - GitHub Actions (
rules/github-actions.md) - Avoid script injection, pin action versions
Medium/Low Impact
- Regex DoS (
rules/regex-dos.md) - Avoid catastrophic backtracking - Race Conditions (
rules/race-condition.md) - Use proper synchronization - Correctness (
rules/correctness.md) - Avoid common logic bugs - Best Practices (
rules/best-practice.md) - General secure coding patterns
See rules/_sections.md for the full index with CWE/OWASP references.
Quick Reference
| Vulnerability | Key Prevention |
|---|---|
| SQL Injection | Parameterized queries |
| XSS | Output encoding |
| Command Injection | Avoid shell, use APIs |
| Path Traversal | Validate paths |
| SSRF | URL allowlists |
| Secrets | Environment variables |
| Crypto | SHA-256, AES-256 |
forum用户评价 (0)
发表评价
效果
易用性
文档
兼容性
暂无评价,来写第一条吧
统计数据
安装量261
评分3.7 / 5.0
版本1.0.0
更新日期2026年3月16日
对比案例1 组
用户评分
3.7(0)
5
0%
4
0%
3
0%
2
0%
1
0%
为此 Skill 评分
0.0
兼容平台
🔧Claude Code
🔧OpenClaw
🔧OpenCode
🔧Codex
🔧Gemini CLI
🔧GitHub Copilot
🔧Amp
🔧Kimi CLI
时间线
创建2026年3月16日
最后更新2026年3月16日