GPT-4o
💻 Coding & Dev
Advanced
Semgrep Rule Writer
Write accurate, production-ready Semgrep SAST rules for detecting security vulnerabilities or code quality issues in a codebase.
The Prompt
# Semgrep Rule Writer
You are a senior application security engineer and SAST (Static Application Security Testing) specialist. Write a complete, accurate Semgrep rule based on the specification below.
**Rule Specification:**
- Rule ID: [RULE_ID] (e.g., python.django.sql-injection, js.express.open-redirect)
- Language / Framework: [LANGUAGE] (e.g., Python/Django, JavaScript/Express, Java/Spring, Go, Ruby on Rails)
- Vulnerability / Pattern to Detect: [PATTERN] (e.g., unsanitized user input in SQL query, use of deprecated cryptographic function, hardcoded credentials, path traversal, SSRF via user-controlled URL)
- Detection Goal: [GOAL] (e.g., find all instances, find instances missing a specific sanitizer, detect anti-pattern in code review)
- Severity: [SEVERITY] (ERROR / WARNING / INFO)
## Semgrep Rule
```yaml
rules:
  - id: [RULE_ID]
    patterns:
      # Primary detection pattern
      - pattern: |
          [main detection pattern]
      # Optional: pattern-not to reduce false positives
      - pattern-not: |
          [safe usage pattern to exclude]
      # Optional: pattern-inside for context matching
      # - pattern-inside: |
      #     [context constraint]
    message: |
      [Clear message explaining what was found, why it is a risk, and what to do instead.
      Include OWASP classification if applicable.]
    languages: [[LANGUAGE_KEY]]
    severity: [SEVERITY]
    metadata:
      category: security
      technology:
        - [FRAMEWORK]
      owasp:
        - [OWASP_CATEGORY]
      cwe:
        - [CWE_ID_AND_NAME]
      confidence: HIGH/MEDIUM/LOW
      likelihood: HIGH/MEDIUM/LOW
      impact: HIGH/MEDIUM/LOW
      subcategory:
        - vuln
    fix: |
      [Optional autofix — safe replacement pattern]
```
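As an added example (not part of the original prompt), here is the template above filled in for the page's own sample rule ID `python.django.sql-injection`, in plain pattern mode. The rule ID suffix, the Django-view context constraint, the metadata values and the message wording are my choices; the pattern syntax (`$METAVAR`, `...`, `"..."`, `f"..."`, `pattern-either`, `pattern-inside`, `pattern-not`) is standard Semgrep. No `fix:` is given because a safe autofix would have to decide which interpolated values become query parameters, which a textual rewrite cannot do reliably.

```yaml
rules:
  - id: python.django.sql-injection-formatted-query
    patterns:
      # Context: only flag code inside a function whose first parameter is
      # `request`, i.e. a Django function-based view that handles user input
      - pattern-inside: |
          def $VIEW(request, ...):
            ...
      # Primary detection: the SQL string is assembled at runtime before it
      # reaches the database driver, so request data can change its structure
      - pattern-either:
          - pattern: $CURSOR.execute($QUERY % $ARGS, ...)
          - pattern: $CURSOR.execute($QUERY.format(...), ...)
          - pattern: $CURSOR.execute(f"...", ...)
          - pattern: $CURSOR.execute("..." + $TAIL, ...)
      # False-positive reduction: two adjacent string literals joined with `+`
      # (a long constant query split over lines) contain no runtime data
      - pattern-not: $CURSOR.execute("..." + "...", ...)
    message: |
      The SQL statement passed to `$CURSOR.execute()` is built with string
      formatting or concatenation inside a Django view, so data from the
      request can alter the query (OWASP A03:2021 Injection, CWE-89).
      Pass values as query parameters instead, e.g.
      `$CURSOR.execute("SELECT ... WHERE id = %s", [value])`, or use the ORM.
    languages: [python]
    severity: ERROR
    metadata:
      category: security
      technology:
        - django
      owasp:
        - "A03:2021 - Injection"
      cwe:
        - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
      confidence: MEDIUM
      likelihood: HIGH
      impact: HIGH
      subcategory:
        - vuln
```

To exercise it in the page's test-case format, put `# ruleid: python.django.sql-injection-formatted-query` on the line above a view body such as `cursor.execute("SELECT * FROM users WHERE name = '%s'" % request.GET["name"])`, and `# ok: python.django.sql-injection-formatted-query` above the parameterized form `cursor.execute("SELECT * FROM users WHERE name = %s", [request.GET["name"]])`, then run `semgrep --test` with the rule and the test file. The parameterized form needs no `pattern-not` because `%s` inside a string literal is not the `%` operator, so none of the `pattern-either` branches match it. A known false negative, worth listing under the rule's "False Negative Risks": class-based views declare `def get(self, request, ...)`, which the `pattern-inside` above does not match; a second `pattern-inside` for `def $METHOD(self, request, ...)` inside a `pattern-either` would cover them.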
## Rule Explanation
### How the Pattern Works
Step-by-step breakdown of the AST pattern matching logic.
### False Positive Analysis
Scenarios where this rule could fire incorrectly and how `pattern-not` mitigates them.
### False Negative Risks
Variants of the vulnerability this rule will NOT catch — and how to extend the rule.
### Test Cases
```python
# ruleid: [RULE_ID]
[Vulnerable code example — should match]
# ok: [RULE_ID]
[Safe code example — should not match]
```
### Deployment Notes
How to integrate this rule into a CI/CD pipeline or pre-commit hook.
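One concrete form the deployment step can take, added here as an example rather than taken from the prompt: a GitHub Actions workflow that runs the repository's own Semgrep rules on every pull request and fails the job on any finding. The workflow file name and the rules directory `.semgrep/` are assumptions; `semgrep scan`, `--config`, `--error` and `--metrics` are real Semgrep CLI options.

```yaml
# .github/workflows/semgrep.yml (assumed path for this example)
name: semgrep
on:
  pull_request: {}
  push:
    branches: [main]
jobs:
  semgrep:
    runs-on: ubuntu-latest
    # The official image ships the CLI, so no install step is needed
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      # Scan the checked-out tree with the repo's own rules only.
      # --error turns findings into a non-zero exit, which fails the check;
      # --metrics=off keeps the run fully offline.
      - run: semgrep scan --config .semgrep/ --error --metrics=off
```

Before wiring a new rule into the pipeline, `semgrep --validate --config .semgrep/` catches YAML and pattern syntax errors, and `semgrep --test` against the rule's annotated test file confirms the `ruleid`/`ok` expectations still hold; running both in the same job keeps a broken rule from silently matching nothing.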
📝 Fill in the blanks
Replace these placeholders with your own content:
[RULE_ID]
[LANGUAGE]
[PATTERN]
[GOAL]
[SEVERITY]
[main detection pattern]
[safe usage pattern to exclude]
[context constraint]
[Clear message explaining what was found, why it is a risk, and what to do instead.
Include OWASP classification if applicable.]
[LANGUAGE_KEY]
[FRAMEWORK]
[OWASP_CATEGORY]
[CWE_ID_AND_NAME]
[Optional autofix — safe replacement pattern]
[Vulnerable code example — should match]
[Safe code example — should not match]
How to use this prompt
1. Copy the prompt: click "Copy Prompt" above to copy the full prompt text to your clipboard.
2. Replace the placeholders: swap out anything in [BRACKETS] with your specific details.
3. Paste into GPT-4o: open your preferred AI assistant and paste the prompt to get started.