semgrep
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements a mandatory human-in-the-loop approval step (Step 3) that prevents the agent from executing any scans until the user has reviewed and confirmed the rulesets and target parameters.
- [SAFE]: All Semgrep commands are configured with --metrics=off to ensure that no telemetry or scan findings are transmitted to external servers, protecting the privacy of the analyzed codebase.
- [EXTERNAL_DOWNLOADS]: The skill downloads additional security rulesets from trusted repositories managed by reputable organizations, including Trail of Bits, Microsoft, HashiCorp, and Atlassian. These sources are established industry entities.
- [COMMAND_EXECUTION]: Orchestrates scans using Bash and parallel tasks. The included Python script (merge_sarif.py) uses safe subprocess calls with list arguments and directory globbing to consolidate findings without exposing command injection vectors.
- [SAFE]: The orchestration logic specifically avoids unsafe patterns like --config auto to maintain strict control over the rules being executed.
Audit Metadata