
Simpler sast#104

Merged
dguido merged 9 commits into main from simpler-sast on Feb 26, 2026

Conversation

@GrosQuildu (Contributor) commented Feb 23, 2026

Both:

  • Removed triaging steps (skills return almost raw results)
  • Better descriptions with specific trigger language
  • Progressive disclosure pattern applied throughout (lean SKILL.md → references/ + workflows/)
  • Plugin version bumped
  • Two "modes" (use all rules, use high-impact/confidence rules)
  • Clear output structure

Semgrep:

  • SKILL.md slimmed down; content extracted to new references/scan-modes.md and workflows/scan-workflow.md
  • Scanner agent improved with language-scoping (--include flags) and better GitHub URL handling
  • Simplified merge_triaged_sarif.py

CodeQL:

  • Three workflow files heavily cut down (build-database, create-data-extensions, run-analysis)
  • Can discover existing codeql databases
  • Six new reference files extracted (build-fixes, extension-yaml-format, important-only-suite, macos-arm64e workaround, quality-assessment, run-all-suite, sarif-processing)

@GrosQuildu GrosQuildu marked this pull request as draft February 24, 2026 11:18
@GrosQuildu GrosQuildu marked this pull request as ready for review February 26, 2026 15:45
…s, error handling

- Replace grep -oP with sed in macOS arm64e workaround (BSD grep lacks -P)
- Rename LANG to CODEQL_LANG across all CodeQL files to avoid POSIX locale collision
- Remove stale triage description from semgrep-scanner agent
- Rename merge_triaged_sarif.py to merge_sarif.py and update all references
- Restore {baseDir} in semgrep-scanner agent and sarif-parsing skill paths
- Fix quoted heredoc in scan-workflow.md preventing $(date) expansion
- Fix suite file location ($RESULTS_DIR -> $RAW_DIR) to match workflow
- Quote $OUTPUT_DIR in extension-yaml-format.md cp commands
- Add SARIF ruleIndex portability note for non-CodeQL tools
- Split CodeQL install check into separate command -v and --version steps
- Add semgrep install check before Pro detection in scan-workflow
- Add rm -rf guards in scanner agent and task prompt
- Narrow OSError catch in merge script with specific exception types
- Track and report skipped files in pure Python SARIF merge
- Add variable guards (${CODEQL_LANG:?}) in suite generation scripts
- Separate neutralModel into own section with column definition

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
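The merge-script hardening the commit message lists (narrowed exception handling instead of a blanket OSError catch, tracking of skipped files, and not trusting ruleIndex across tools) as an added illustration; this is not the project's merge_sarif.py, and the sample runs, the rule ids and the "merged-sast" driver name are constructed assumptions:

```python
import json
from pathlib import Path

# Constructed sample runs (not the project's data): CodeQL-style results that
# rely on ruleIndex, and a semgrep-style run that only carries ruleId.
SAMPLE_CODEQL = {
    "tool": {"driver": {"name": "CodeQL", "rules": [
        {"id": "cpp/unsafe-strcpy"}, {"id": "cpp/use-after-free"}]}},
    "results": [{"ruleIndex": 1, "message": {"text": "use after free"}},  # no ruleId
                {"ruleId": "cpp/unsafe-strcpy", "ruleIndex": 0, "message": {"text": "strcpy"}}]}
SAMPLE_SEMGREP = {
    "tool": {"driver": {"name": "semgrep", "rules": [{"id": "cpp/unsafe-strcpy"}]}},
    "results": [{"ruleId": "cpp/unsafe-strcpy", "ruleIndex": 0, "message": {"text": "strcpy"}}]}

def load_sarif_files(paths):
    """Return (runs, skipped); only file/JSON errors are caught, so real bugs still surface."""
    runs, skipped = [], {}
    for p in paths:
        try:
            log = json.loads(Path(p).read_text(encoding="utf-8"))
        except FileNotFoundError:
            skipped[str(p)] = "file not found"
        except PermissionError:
            skipped[str(p)] = "permission denied"
        except (json.JSONDecodeError, UnicodeDecodeError) as exc:
            skipped[str(p)] = f"not valid SARIF JSON: {exc}"
        else:
            runs.extend(log.get("runs", []))
    return runs, skipped

def merge_runs(runs, driver_name="merged-sast"):
    """Merge runs into one. A ruleIndex is only valid inside its own run, so each
    result gets a ruleId and ruleIndex is recomputed (or dropped if unresolvable)."""
    rules, index, results = [], {}, []
    for run in runs:
        src_rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        for rule in src_rules:  # dedupe rules by id across tools
            if rule["id"] not in index:
                index[rule["id"]] = len(rules)
                rules.append(rule)
        for res in run.get("results", []):
            res = dict(res)
            ri = res.get("ruleIndex")
            if "ruleId" not in res and isinstance(ri, int) and 0 <= ri < len(src_rules):
                res["ruleId"] = src_rules[ri]["id"]
            if res.get("ruleId") in index:
                res["ruleIndex"] = index[res["ruleId"]]
            else:
                res.pop("ruleIndex", None)
            results.append(res)
    return {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": driver_name, "rules": rules}}, "results": results}]}
```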
@dguido dguido merged commit 8f92c6d into main Feb 26, 2026
6 checks passed
@dguido dguido deleted the simpler-sast branch February 26, 2026 16:30
2 participants