Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization
Large-scale cleanup of 10_Wiki/Topics:
- Removed 227 error-capture / unfinished stub documents
- Merged 43 cross-folder duplicate clusters (63 files → redirect)
- Link name normalization: fixed broken links, pointed links directly at redirect targets, mapped concepts; ~2,400 items
- Created 6 new category MOCs
- Removed 10,058 unresolved related-keyword links from Graph sections

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 23:52:15 +09:00


---
id: wiki-2026-0508-semgrep-assistant
title: Semgrep Assistant
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Semgrep AI, Semgrep Assistant, SAST AI]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [security, sast, ai-tools, code-scanning]
raw_sources:
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: python
  framework: Semgrep / Semgrep Cloud
---

Semgrep Assistant

One-liner

"SAST + LLM combined: false positive triage, automatic custom rule generation, autofix." An LLM layer on top of Semgrep (pattern-based static analysis) that cuts noise and proposes fix PRs. 2026: Claude Opus 4.7 backend, MCP integration supporting both IDE and CI.

Key points

Semgrep basics

  • Pattern matching on the AST. Patterns are syntactic rules such as $X == null && $X.foo().
  • 30+ languages. Community rules plus paid Pro rules.
  • Fast (<1 min for a typical repo) and deterministic.

What Assistant adds

  • Triage: for each finding, the LLM returns a "true positive probability" with reasoning. Noise -60~80%.
  • Autofix: secure replacement code suggestion → PR comment.
  • Custom rule generation: natural language → Semgrep YAML rule.
  • Code understanding: adds data-flow context ("user input from line 42 reaches sink at line 87").

Applications

  1. CI gate: block PRs on critical findings only.
  2. Backlog cleanup: triage of legacy findings.
  3. Custom org rule generation (e.g., "use only the internal logger").
  4. Secret scanning + remediation.

💻 Patterns

CLI scan

semgrep --config=auto .
semgrep --config=p/owasp-top-ten --sarif --output=results.sarif .
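A CI gate in the spirit of application 1 above (block on critical findings only), written for this page and not part of Semgrep or the wiki: it reads `semgrep --json` output, blocks only on ERROR-severity findings whose rule metadata carries a sufficiently high `confidence`, and tallies the rest so they stay visible in the CI log. The embedded report is constructed sample data shaped like real Semgrep JSON, not a real scan.

```python
import json
from collections import Counter

# Constructed sample in the shape of `semgrep --json` output (not a real scan).
SAMPLE_SEMGREP_JSON = json.dumps({
    "results": [
        {"check_id": "python.lang.security.audit.eval-detected",
         "path": "app/views.py", "start": {"line": 42}, "end": {"line": 42},
         "extra": {"severity": "ERROR", "message": "eval() detected",
                   "metadata": {"confidence": "HIGH"}}},
        {"check_id": "python.lang.best-practice.open-never-closed",
         "path": "app/util.py", "start": {"line": 10}, "end": {"line": 10},
         "extra": {"severity": "WARNING", "message": "file never closed",
                   "metadata": {"confidence": "MEDIUM"}}},
        {"check_id": "python.lang.security.audit.subprocess-shell-true",
         "path": "tools/build.py", "start": {"line": 7}, "end": {"line": 7},
         "extra": {"severity": "ERROR", "message": "shell=True",
                   "metadata": {"confidence": "LOW"}}},
    ],
    "errors": [],
})

def critical_findings(report, min_confidence="HIGH"):
    """Findings that should block a PR: severity ERROR and rule confidence at or
    above min_confidence. Rules without confidence metadata count as MEDIUM."""
    rank = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
    threshold = rank[min_confidence]
    blocking = []
    for r in report.get("results", []):
        extra = r.get("extra", {})
        conf = extra.get("metadata", {}).get("confidence", "MEDIUM").upper()
        if extra.get("severity") == "ERROR" and rank.get(conf, 1) >= threshold:
            blocking.append(f"{r['path']}:{r['start']['line']} {r['check_id']}")
    return blocking

def gate(json_text, min_confidence="HIGH"):
    """Return (exit_code, blocking_findings, severity_tally); 0 = pass, 1 = block."""
    report = json.loads(json_text)
    tally = Counter(r["extra"]["severity"] for r in report.get("results", []))
    blocking = critical_findings(report, min_confidence)
    return (1 if blocking else 0), blocking, dict(tally)

if __name__ == "__main__":
    import sys
    # Usage: semgrep --config=p/ci --json . | python gate.py
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    code, blocking, tally = gate(raw or SAMPLE_SEMGREP_JSON)
    print("severity tally:", tally)
    for line in blocking:
        print("BLOCK:", line)
    sys.exit(code)
```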

Custom rule

# rules/no-eval.yml
rules:
  - id: no-eval
    pattern: eval(...)
    message: "eval() is dangerous"
    severity: ERROR
    languages: [python]

Generate rule from natural language (Assistant API)

import os
import requests

# Token from the environment, never hardcoded in the script.
SEMGREP_TOKEN = os.environ["SEMGREP_TOKEN"]

# Ask the Assistant to draft a Semgrep rule from a natural-language description.
r = requests.post(
    "https://semgrep.dev/api/v1/assistant/rules",
    headers={"Authorization": f"Bearer {SEMGREP_TOKEN}"},
    json={"description": "Detect hardcoded JWT signing keys in Go"},
    timeout=60,
)
r.raise_for_status()
print(r.json()["rule_yaml"])  # review the generated rule before committing it

CI integration (GitHub Actions)

- uses: semgrep/semgrep-action@v1
  with:
    config: p/ci
    auditOn: push
  env:
    SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
    SEMGREP_ASSISTANT: "1"  # enable AI triage

Pre-commit

# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
  rev: v1.95.0
  hooks:
    - id: semgrep
      args: ['--config=p/python', '--error']

MCP server (IDE)

Claude Desktop config (JSON allows no comments, so the label sits outside the block):

{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"],
      "env": {"SEMGREP_APP_TOKEN": "..."}
    }
  }
}

Programmatic triage

from semgrep_python import scan

# Scan the current directory with the security-audit ruleset, then open a
# ticket only for findings the Assistant triage rated as true positives.
findings = scan(target=".", config="p/security-audit")
for f in findings:
    if f.assistant_triage.likelihood == "true_positive":
        create_jira_issue(f)  # your own ticketing integration, not provided here

Decision criteria

| Situation | Approach |
|---|---|
| Open source repo, free SAST | semgrep CLI + community rules |
| Org with high-noise SAST | Semgrep Pro + Assistant |
| Want automatic fix PRs | Assistant autofix |
| Highly custom domain rules | Assistant rule generation |
| CodeQL already in place | Complement it (different engine) |

Default: semgrep --config=p/ci in CI + Assistant for triage.

🔗 Graph

🤖 LLM usage

When: SAST noise is high and the triage backlog keeps growing; lowering the barrier to writing custom rules. When not: license-sensitive settings (Pro tier cost); zero-network environments (Assistant runs in the cloud).

Anti-patterns

  • Trusting autofix blindly: review is mandatory; the LLM can change program logic.
  • Disabling a rule on the Assistant verdict alone: false negative risk; sample-audit the verdicts.
  • Replacing human review: augment, not replace.

🧪 Verification / duplicates

  • Verified (semgrep.dev docs, Semgrep blog 2024-2026).
  • Trust level A.

🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: Assistant features + MCP 2026 |