All skills
Skillintermediate

Semgrep Rulesets Reference

| Ruleset | Description | Use Case | |---------|-------------|----------| | `p/security-audit` | Comprehensive vulnerability detection, higher false positives | Manual audits, security reviews | | `p/secrets` | Hardcoded credentials, API keys, tokens | Always include | | `p/owasp-top-ten` | OWASP Top 10 web application vulnerabilities | Web app security | | `p/cwe-top-25` | CWE Top 25 most dangero

Claude Code Knowledge Pack7/10/2026

Overview

Semgrep Rulesets Reference

Complete Ruleset Catalog

Security-Focused Rulesets

RulesetDescriptionUse Case
p/security-auditComprehensive vulnerability detection, higher false positivesManual audits, security reviews
p/secretsHardcoded credentials, API keys, tokensAlways include
p/owasp-top-tenOWASP Top 10 web application vulnerabilitiesWeb app security
p/cwe-top-25CWE Top 25 most dangerous software weaknessesGeneral security
p/sql-injectionSQL injection patterns and tainted data flowsDatabase security
p/insecure-transportEnsures code uses encrypted channelsNetwork security
p/gitleaksHard-coded credentials detection (gitleaks port)Secrets scanning
p/findsecbugsFindSecBugs rule pack for JavaJava security
p/phpcs-security-auditPHP security audit rulesPHP security

CI/CD Rulesets

RulesetDescriptionUse Case
p/defaultDefault ruleset, balanced coverageFirst-time users
p/ciHigh-confidence security + logic bugs, low FPCI pipelines
p/r2c-ciLow false positives, CI-safeCI/CD blocking
p/r2cCommunity favorite, curated by Semgrep (618k+ downloads)General scanning
p/autoAuto-selects rules based on detected languages/frameworksQuick scans
p/commentComment-related rulesCode review

Third-Party Rulesets

RulesetDescriptionMaintainer
p/gitlabGitLab-maintained security rulesGitLab

Ruleset Selection Algorithm

Follow this algorithm to select rulesets based on detected languages and frameworks.

Step 1: Always Include Security Baseline

{
  "baseline": ["p/security-audit", "p/secrets"]
}
  • p/security-audit - Comprehensive vulnerability detection (always include)
  • p/secrets - Hardcoded credentials, API keys, tokens (always include)

Step 2: Add Language-Specific Rulesets

For each detected language, add the primary ruleset. If a framework is detected, add its ruleset too.

GA Languages (production-ready):

DetectionPrimary RulesetFramework RulesetsPro Rule Count
.pyp/pythonp/django, p/flask, p/fastapi710+
.js, .jsxp/javascriptp/react, p/nodejs, p/express, p/nextjs, p/angular250+ (JS), 70+ (JSX)
.ts, .tsxp/typescriptp/react, p/nodejs, p/express, p/nextjs, p/angular230+
.gop/golangp/go (alias)80+
.javap/javap/spring, p/findsecbugs190+
.ktp/kotlinp/spring60+
.rbp/rubyp/rails40+
.phpp/phpp/symfony, p/laravel, p/phpcs-security-audit50+
.c, .cpp, .hp/c-150+
.rsp/rust-40+
.csp/csharp-170+
.scalap/scala-Community
.swiftp/swift-60+

Beta Languages (Pro recommended):

DetectionPrimary RulesetNotes
.ex, .exsp/elixirRequires Pro for best coverage
.cls, .triggerp/apexSalesforce; requires Pro

Experimental Languages:

DetectionPrimary RulesetNotes
.solNo official rulesetUse Decurity third-party rules
Dockerfilep/dockerfileLimited rules
.yaml, .ymlp/yamlK8s, GitHub Actions, docker-compose patterns
.jsonr/json.awsAWS IAM policies; use r/json.* for specific rules
Bash scripts-Community support
Cairo, Circom-Experimental, smart contracts

Framework detection hints:

FrameworkDetection SignalsRuleset
Djangosettings.py, urls.py, django in requirementsp/django
Flaskflask in requirements, @app.routep/flask
FastAPIfastapi in requirements, @app.get/postp/fastapi
Reactpackage.json with react dependency, .jsx/.tsx filesp/react
Next.jsnext.config.js, pages/ or app/ directoryp/nextjs
Angularangular.json, @angular/ dependenciesp/angular
Expressexpress in package.json, app.use() patternsp/express
NestJS@nestjs/ dependencies, @Controller decoratorsp/nodejs
Springpom.xml with spring, @SpringBootApplicationp/spring
RailsGemfile with rails, config/routes.rbp/rails
Laravelcomposer.json with laravel, artisanp/laravel
Symfonycomposer.json with symfony, config/packages/p/symfony

Step 3: Add Infrastructure Rulesets

DetectionRulesetDescription
Dockerfilep/dockerfileContainer security, best practices
.tf, .hclp/terraformIaC misconfigurations, CIS benchmarks, AWS/Azure/GCP
k8s manifestsp/kubernetesK8s security, RBAC issues
CloudFormationp/cloudformationAWS infrastructure security
GitHub Actionsp/github-actionsCI/CD security, secrets exposure
.yaml, .ymlp/yamlGeneric YAML patterns (K8s, docker-compose)
AWS IAM JSONr/json.awsIAM policy misconfigurations (use --config r/json.aws)

Step 4: Add Third-Party Rulesets

These are NOT optional. Include automatically when language matches:

LanguagesSourceWhy Required
Python, Go, Ruby, JS/TS, Terraform, HCLTrail of BitsSecurity audit patterns from real engagements (AGPLv3)
C, C++0xdeaMemory safety, low-level vulnerabilities
Solidity, Cairo, RustDecuritySmart contract vulnerabilities, DeFi exploits
GodgryskiAdditional Go-specific patterns
Android (Java/Kotlin)MindedSecurityOWASP MASTG-derived mobile security rules
Java, Go, JS/TS, C#, Python, PHPelttamSecurity consulting patterns
Dockerfile, PHP, Go, JavakonduktoContainer and web app security
PHP, Kotlin, JavadottaPentest-derived web/mobile app rules
Terraform, HCLHashiCorpHashiCorp infrastructure patterns
Swift, Java, Cobolakabe1iOS and legacy system patterns
JavaAtlassian LabsAtlassian-maintained Java rules
Python, JS/TS, Java, Ruby, Go, PHPApiiroMalicious code detection, supply chain

Step 5: Verify Rulesets

Before finalizing, verify official rulesets load:

# Quick validation (exits 0 if valid)
semgrep --config p/python --validate --metrics=off 2>&1 | head -3

Or browse the Semgrep Registry.

Output Format

{
  "baseline": ["p/security-audit", "p/secrets"],
  "python": ["p/python", "p/django"],
  "javascript": ["p/javascript", "p/react", "p/nodejs"],
  "docker": ["p/dockerfile"],
  "third_party": ["https://github.com/trailofbits/semgrep-rules"]
}