elizaOS

static-analysis

"Static analysis toolkit with CodeQL, Semgrep, and SARIF parsing for security vulnerability detection. Use when running static analysis scans, writing custom detection rules, or processing analysis results."

elizaOS 18,504 5,555 Updated 3mo ago

Resources

3
GitHub

Install

npx skillscat add elizaos/eliza/static-analysis

Install via the SkillsCat registry.

SKILL.md

Static Analysis

Comprehensive static analysis toolkit for security vulnerability detection, based on the Trail of Bits Application Security Testing Handbook.

When to Use

  • Running security scans on codebases (any language)
  • Writing custom CodeQL queries or Semgrep rules
  • Processing and triaging SARIF output files from analysis tools
  • Setting up static analysis in CI/CD pipelines
  • Comparing and aggregating results from multiple tools

When NOT to Use

  • Writing Semgrep rules from scratch (use semgrep-rule-creator skill instead)
  • Dynamic analysis or fuzzing (use testing-handbook-skills)
  • Smart contract auditing (use security-building-secure-contracts)

Sub-Skills

Tool Purpose Best For Skill Path
CodeQL Semantic code analysis with database queries Deep data flow tracking, taint analysis, cross-function analysis skills/codeql/SKILL.md
Semgrep Fast pattern-matching static analysis Quick scans, custom rules, CI integration, lightweight checks skills/semgrep/SKILL.md
SARIF Parsing Parse and process SARIF result files Aggregating results, CI/CD integration, multi-tool triage skills/sarif-parsing/SKILL.md

Tool Selection Guide

Scenario Recommended Tool
Quick security scan Semgrep
Deep vulnerability analysis CodeQL
Data flow / taint tracking CodeQL (best) or Semgrep taint mode
Custom pattern detection Semgrep (simpler) or CodeQL (more powerful)
CI/CD integration Semgrep (fastest) + CodeQL (thorough)
Processing scan results SARIF Parsing
Non-building codebase Semgrep (works on incomplete code)

Quick Start

Semgrep (fast scan)

# Install
pip install semgrep

# Run with recommended rulesets
semgrep --config=auto .

# Run specific ruleset
semgrep --config=p/security-audit .

CodeQL (deep analysis)

# Create database
codeql database create mydb --language=python --source-root=.

# Run security queries
codeql database analyze mydb codeql/python-queries:codeql-suites/python-security-extended.qls --format=sarif-latest --output=results.sarif

SARIF Processing

# Parse results with jq
jq '.runs[].results[] | {ruleId, message: .message.text, location: .locations[0].physicalLocation.artifactLocation.uri}' results.sarif

Workflow

  1. Quick scan with Semgrep for fast results
  2. Deep analysis with CodeQL for thorough coverage
  3. Aggregate results using SARIF parsing
  4. Triage findings by severity and exploitability
  5. Custom rules for project-specific patterns

Related Skills

  • semgrep-rule-creator - Dedicated skill for writing production-quality Semgrep rules
  • variant-analysis - Find similar vulnerabilities using CodeQL/Semgrep patterns
  • security-differential-review - Security-focused code review using static analysis findings

Categories

CI/CD Processing Security
GitHub

Install

npx skillscat add elizaos/eliza/static-analysis

Install via the SkillsCat registry.

Recommended Skills

mukul975
analyzing-network-packets-with-scapy by mukul975
11.9K 1mo ago
mukul975
analyzing-kubernetes-audit-logs by mukul975
11.9K 1mo ago
mukul975
analyzing-outlook-pst-for-email-forensics by mukul975
11.8K 1mo ago
NousResearch
nemo-curator by NousResearch
172.3K 2mo ago
github
create-github-action-workflow-specification by github
34.1K 3mo ago
groeimetai
security-operations by groeimetai
66 3mo ago