commandant-rules-semgrep

Commandant rulesets derived from the Semgrep community shell rules, plus the transformation tooling that produced them. Licensed under the Semgrep Rules Licence.

Transformation tooling and derived rulesets for commandant, based on the Semgrep community bash rules.

Part of the ModelArmy organisation.

Repository layout

tools/
  semgrep_to_commandant/     # transformation tool (Crystal)
rulesets/
  posix/                     # derived rulesets, posix-applicable rules
  linux/                     # derived rulesets, GNU-specific rules
  windows/                   # derived rulesets, Windows-specific (minimal)
sources/
  semgrep-rules/             # git submodule: github.com/semgrep/semgrep-rules
schemas/
  tool_risk_ruleset_schema.json  # schema copy (adds optional `source` field)
.github/workflows/
  check_upstream.yml         # weekly drift detection against upstream
  validate.yml               # schema validation on every PR
ATTRIBUTION.md
LICENSE                      # Semgrep Rules Licence (applies to rulesets/)

Generating rulesets

After cloning with submodules:

git clone --recurse-submodules https://github.com/ModelArmy/commandant-rules-semgrep

Build the tool:

cd tools/semgrep_to_commandant
crystal build semgrep_to_commandant.cr -o semgrep_to_commandant --release

Run against the Semgrep bash security rules (the primary target):

./semgrep_to_commandant --output ../../rulesets/posix \
  ../../sources/semgrep-rules/bash/curl/security/*.yaml \
  ../../sources/semgrep-rules/bash/lang/security/*.yaml

The tool writes one JSON stub per detected tool (for the paths above, curl and bash). Any rule it could only carry over as a raw Semgrep pattern is emitted with "requires_human_review": true in its source object, because a Semgrep pattern is not a commandant matcher. Review and correct all such rules before committing; a rule with the flag still set has not been reviewed.
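The transformation step above, as an added example that is not the repository's tool (which is written in Crystal): a hypothetical Python sketch that groups parsed Semgrep rules into one stub per tool, maps severity to relevance, and stamps each rule item with the provenance object described under "Schema extension". The input rule bodies are constructed stand-ins, not the upstream rule text, and the item fields other than source (relevance, description, raw_pattern, stub) are assumptions about the commandant ruleset shape.

```python
"""Hypothetical re-implementation of the Semgrep -> commandant transformation.

The real tool is Crystal and its exact mapping is not documented here; the
field names below other than `source` are assumptions for illustration.
"""
import json
from collections import defaultdict

# Constructed inputs: the parsed form of three Semgrep rule files, keyed by
# their path under sources/semgrep-rules/. Rule bodies are invented stand-ins.
SEMGREP_RULES = {
    "bash/curl/security/curl-pipe-bash.yaml": {
        "id": "curl-pipe-bash",
        "severity": "ERROR",
        "pattern": "curl ... | bash",
        "message": "Piping curl output into a shell executes untrusted code.",
    },
    "bash/curl/security/curl-eval.yaml": {
        "id": "curl-eval",
        "severity": "ERROR",
        "mode": "taint",
        "pattern-sources": [{"pattern": "$(curl ...)"}],
        "pattern-sinks": [{"pattern": "eval ..."}],
    },
    "bash/lang/security/ifs-tampering.yaml": {
        "id": "ifs-tampering",
        "severity": "WARNING",
        "pattern-regex": r"^\s*IFS=",
    },
}

# Assumed mapping from Semgrep severity to commandant relevance.
RELEVANCE = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}
# Semgrep keys that hold a raw pattern rather than something commandant can use.
RAW_PATTERN_KEYS = ("pattern", "patterns", "pattern-regex", "pattern-either")


def tool_for_path(semgrep_path):
    """bash/<tool>/security/x.yaml -> <tool>; the 'lang' directory means bash itself."""
    parts = semgrep_path.split("/")
    if len(parts) < 3 or parts[0] != "bash":
        raise ValueError(f"unsupported rule path: {semgrep_path}")
    return "bash" if parts[1] == "lang" else parts[1]


def transform_rule(semgrep_path, rule):
    """Turn one parsed Semgrep rule into a commandant rule item with provenance.

    Taint-mode rules have no single matchable pattern, so only a stub is emitted.
    Raw-pattern rules are carried over verbatim and flagged for human review.
    """
    taint = rule.get("mode") == "taint"
    raw_keys = [k for k in RAW_PATTERN_KEYS if k in rule]
    item = {
        "id": f"semgrep-{rule['id']}",
        "relevance": RELEVANCE.get(rule.get("severity", "INFO"), "LOW"),
        "description": rule.get("message", ""),
        "source": {
            "origin": "semgrep-rules",
            "original_id": rule["id"],
            "semgrep_path": semgrep_path,
            "validated": False,
            "requires_human_review": taint or bool(raw_keys),
        },
    }
    if taint:
        item["stub"] = True  # nothing translatable yet; a human fills this in
    elif raw_keys:
        item["raw_pattern"] = {k: rule[k] for k in raw_keys}
    return item


def build_stubs(rules_by_path):
    """Group transformed rules into one stub per detected tool."""
    stubs = defaultdict(lambda: {"rules": []})
    for path, rule in sorted(rules_by_path.items()):
        tool = tool_for_path(path)
        stubs[tool]["tool"] = tool
        stubs[tool]["rules"].append(transform_rule(path, rule))
    return dict(stubs)


def rules_needing_review(stubs):
    """Ids of every emitted rule still carrying requires_human_review: true."""
    return sorted(r["id"] for s in stubs.values() for r in s["rules"]
                  if r["source"]["requires_human_review"])


if __name__ == "__main__":
    stubs = build_stubs(SEMGREP_RULES)
    print(json.dumps(stubs, indent=2))
    print("needs review:", rules_needing_review(stubs))
```

Run as-is it prints two stubs (curl with two rules, bash with one) and lists all three rule ids as needing review, since every sample rule is either raw-pattern or taint-mode; that is the state the real tool's output is in before a human corrects it.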

Validation

pip install check-jsonschema
check-jsonschema \
  --schemafile schemas/tool_risk_ruleset_schema.json \
  rulesets/**/*.json

The same check runs automatically on every PR via validate.yml.

Priority rules

| Semgrep path | Tool | Relevance | Notes |
|---|---|---|---|
| bash/curl/security/curl-pipe-bash.yaml | curl | HIGH | network-egress, executes-code |
| bash/curl/security/curl-eval.yaml | curl | HIGH | taint mode; stub only |
| bash/lang/security/ifs-tampering.yaml | bash | MEDIUM | modifies-environment |
| bash/lang/best-practice/ | | SKIP | style, not a security risk |
| bash/lang/correctness/ | | LOW | not a commandant risk category |

Schema extension

schemas/tool_risk_ruleset_schema.json is a copy of the upstream schema from commandant-rules-core with one addition: an optional source object on each rule item, carrying provenance metadata (origin, original_id, semgrep_path, validated, requires_human_review). Because the field is optional, rulesets that omit it, including every commandant-rules-core ruleset, validate unchanged against this copy.
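The schema check under "Validation" confirms shape, but it cannot enforce the rule stated under "Generating rulesets" that no rule still flagged requires_human_review reaches a commit. The following is an added example, not the repository's validate.yml, of a pre-commit gate that accepts rule items without a source object (the commandant-rules-core case), type-checks the provenance fields the schema extension lists when source is present, and fails on any unreviewed rule. The sample stub is constructed; its "tool" key and rule ids are assumptions.

```python
"""Added pre-commit gate for derived rulesets (hypothetical, not the repo's CI)."""
import json

# Field types for the optional provenance object the schema extension adds.
SOURCE_FIELDS = {
    "origin": str,
    "original_id": str,
    "semgrep_path": str,
    "validated": bool,
    "requires_human_review": bool,
}

# Constructed stub in roughly the shape the transformation tool emits; only
# "id" and "source" matter to this gate, the rest is invented filler.
SAMPLE_STUB = json.dumps({
    "tool": "curl",
    "rules": [
        {"id": "core-curl-insecure"},  # core-style rule: no provenance at all
        {"id": "semgrep-curl-pipe-bash",
         "source": {"origin": "semgrep-rules", "original_id": "curl-pipe-bash",
                    "semgrep_path": "bash/curl/security/curl-pipe-bash.yaml",
                    "validated": True, "requires_human_review": False}},
        {"id": "semgrep-curl-eval",
         "source": {"origin": "semgrep-rules", "original_id": "curl-eval",
                    "semgrep_path": "bash/curl/security/curl-eval.yaml",
                    "validated": False, "requires_human_review": True}},
    ],
})


def source_problems(rule):
    """Problems with rule['source'] as a list of strings; empty means fine.

    An absent source is accepted: the field is optional and every
    commandant-rules-core rule lacks it.
    """
    rid = rule.get("id", "<no id>")
    src = rule.get("source")
    if src is None:
        return []
    if not isinstance(src, dict):
        return [f"{rid}: source must be an object"]
    problems = []
    for field, typ in SOURCE_FIELDS.items():
        if field not in src:
            problems.append(f"{rid}: source.{field} missing")
        elif not isinstance(src[field], typ):
            problems.append(f"{rid}: source.{field} must be {typ.__name__}")
    # The review gate: the tool sets this flag on raw-pattern rules, and a
    # human clears it after correcting the rule. If it is still set, the rule
    # has not been reviewed and must not be committed.
    if src.get("requires_human_review") is True:
        problems.append(f"{rid}: requires_human_review is still true")
    return problems


def gate(stub_json):
    """Return (ok, problems) for one stub file's JSON text."""
    stub = json.loads(stub_json)
    problems = []
    for rule in stub.get("rules", []):
        problems.extend(source_problems(rule))
    return (not problems, problems)


if __name__ == "__main__":
    import sys
    ok, problems = gate(SAMPLE_STUB)
    print("\n".join(problems) or "ok")
    sys.exit(0 if ok else 1)
```

Run against the sample it exits non-zero naming semgrep-curl-eval, the taint-mode stub that has not been filled in yet; the core rule without a source object and the reviewed curl-pipe-bash rule pass. In CI this would run after check-jsonschema over the same rulesets/**/*.json files.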

Licence

  • tools/ is MIT licensed. Original work; contains no Semgrep content.
  • rulesets/ is under the Semgrep Rules Licence. Free to use; commercial redistribution is restricted.

See ATTRIBUTION.md for upstream acknowledgement.

Synced at: Fri, 05 Jun 2026 01:51:46 GMT