AI Best Practices — Semgrep Rules Semgrep rules that catch common trust & safety mistakes in LLM-powered applications. Scan any codebase in seconds to find hardcoded API keys, missing safety checks, prompt injection risks, and unhandled errors across all major AI providers.
58 rules | 102 sub-rules | 6 providers + MCP + Claude Code & Cursor hooks + LangChain | 7 languages
pip install semgrep
git clone https://github.com/semgrep/ai-best-practices.git
semgrep --config ai-best-practices/rules/ /path/to/your/project/
Category
Example
Severity
Hardcoded API keys OpenAI(api_key="sk-abc123...")ERROR
Prompt injection User input flowing into system prompts
ERROR
Missing refusal handling Accessing response content without checking for refusals
WARNING
Missing safety settings Gemini calls without safety_settings
WARNING
No error handling API calls outside try/except blocks
WARNING
Missing moderation Chat completions without moderation checks
WARNING
Hooks security Unsafe input handling, path traversal, command injection in Claude Code and Cursor hooks
WARNING/ERROR
MCP server flaws Command injection, SSRF, tool poisoning, credential leaks in MCP servers
ERROR
Agentic code execution LLM output flowing to eval/exec/subprocess, dangerous LangChain utilities
ERROR
Config file attacks Hidden Unicode in AI config files, unsafe IDE/agent settings
ERROR
Python
JS/TS
Go
Java
Ruby
Bash/Generic
OpenAI X
X
X
X
X
Anthropic X
X
X
X
X
Google Gemini X
X
X
X
Cohere X
X
Mistral X
X
Hugging Face X
X
MCP Servers X
X
LangChain X
Claude Code & Cursor Hooks X
X
IDE/Agent Config X
name : AI Safety Lint
on : [pull_request]
jobs :
semgrep :
runs-on : ubuntu-latest
steps :
- uses : actions/checkout@v4
- uses : actions/checkout@v4
with :
repository : semgrep/ai-best-practices
path : ai-best-practices
- name : Run Semgrep
uses : semgrep/semgrep-action@v1
with :
config : ai-best-practices/rules/ semgrep :
image : semgrep/semgrep
script :
- git clone https://github.com/semgrep/ai-best-practices.git
- semgrep --config ai-best-practices/rules/ --error .
rules :
- if : $CI_MERGE_REQUEST_IID repos :
- repo : https://github.com/semgrep/semgrep
rev : v1.138.0
hooks :
- id : semgrep
args : ['--config', 'path/to/ai-best-practices/rules/', '--error'] Suppressing False Positives # nosemgrep: openai-missing-moderation
response = client .chat .completions .create (...) # moderation handled in middleware
Go/Java : Only credential detection rules (struct/builder patterns prevent reliable missing-field detection)Taint sources : Flask, Django, and Express only (Sanic, Koa, Hapi, FastAPI query params not covered)Error handling : Most rules Python-only; OpenAI and Anthropic also support JS/TS try/catch detectionModeration rule : Same-function scope (middleware-based moderation will false-positive)Ruby SDK patterns may vary : The ruby-openai and Anthropic Ruby gems use different conventions than official SDKs
Hardcoded Credentials (7 rules)
Rule ID
Severity
What it Detects
Languages
openai-hardcoded-api-keyERROR
OpenAI(api_key="sk-...") and variantspy, js/ts, go, java, rb
anthropic-hardcoded-api-keyERROR
Anthropic(api_key="sk-ant-...") and variantspy, js/ts, go, java, rb
gemini-hardcoded-api-keyERROR
genai.configure(api_key="AIza...") and variantspy, js/ts, go, java
cohere-hardcoded-api-keyERROR
cohere.Client(api_key="...") and variantspy, js/ts
mistral-hardcoded-api-keyERROR
Mistral(api_key="...") and variantspy, js/ts
huggingface-hardcoded-api-keyERROR
InferenceClient(token="hf_...") and variantspy, js/ts
llm-api-key-in-sourceERROR
Any variable assigned a string matching known AI key prefixes (sk-, sk-ant-, sk-proj-, AIza, hf_)
py, js/ts, go, java, rb
Missing Safety Checks (12 rules)
Rule ID
Severity
What it Detects
Languages
openai-missing-refusal-checkWARNING
Accessing .message.content without checking .message.refusal
py, js/ts
anthropic-missing-refusal-checkWARNING
Accessing .content without checking stop_reason
py, js/ts
openai-missing-user-parameterWARNING
chat.completions.create() without user= parameterpy, js/ts
openai-missing-safety-identifierWARNING
responses.create() without safety_identifier= parameterpy, js/ts
openai-missing-max-tokensWARNING
chat.completions.create() without max_tokens= parameterpy, js/ts
anthropic-missing-system-promptWARNING
messages.create() without system= parameterpy, js/ts
anthropic-missing-max-tokensWARNING
messages.create() without max_tokens= parameterpy, js/ts
anthropic-missing-metadata-user-idWARNING
messages.create() without metadata= for user trackingpy, js/ts
gemini-missing-safety-settingsWARNING
generate_content() without safety_settings= parameterpy, js/ts
gemini-missing-system-instructionWARNING
GenerativeModel() without system_instruction= parameterpy, js/ts
mistral-missing-safe-promptWARNING
chat.complete() without safe_prompt= parameterpy, js/ts
cohere-missing-safety-modeWARNING
chat() without explicit safety_mode= parameterpy, js/ts
Prompt Injection (5 taint rules) Uses Semgrep's taint analysis to trace data flow from web framework request objects (Flask, Django, Express) to LLM API system prompt parameters.
Rule ID
Severity
What it Detects
Languages
openai-user-input-in-system-promptERROR
User input → {"role": "system", "content": X}
py, js/ts
anthropic-user-input-in-system-promptERROR
User input → system= parameter
py, js/ts
gemini-user-input-in-system-promptERROR
User input → system_instruction= parameter
py, js/ts
mistral-user-input-in-system-promptERROR
User input → {"role": "system", "content": X}
py, js/ts
cohere-user-input-in-system-promptERROR
User input → preamble= parameter
py, js/ts
Missing Safeguards (11 rules)
Rule ID
Severity
What it Detects
Languages
openai-missing-system-messageWARNING
messages=[...] with no {"role": "system", ...}py, js/ts
openai-missing-moderationWARNING
chat.completions.create() without moderations.create() in same functionpy
openai-missing-moderation-checkWARNING
Moderation response accessed without checking .flagged
py
mistral-missing-moderationWARNING
chat.complete() without classifiers.moderate() in same functionpy
cohere-safety-mode-offERROR
safety_mode="OFF" explicitly disabling all safety guardrailspy, js/ts
openai-no-error-handlingWARNING
OpenAI API call not in try/except or try/catch
py, js/ts
anthropic-no-error-handlingWARNING
Anthropic API call not in try/except or try/catch
py, js/ts
gemini-no-error-handlingWARNING
Gemini API call not in try/except
py
cohere-no-error-handlingWARNING
Cohere API call not in try/except
py
mistral-no-error-handlingWARNING
Mistral API call not in try/except
py
huggingface-no-error-handlingWARNING
Hugging Face Inference API call not in try/except
py
Claude Code & Cursor Hooks Security (9 rules)
Rule ID
Severity
What it Detects
Languages
hooks-no-input-validationWARNING
json.loads(sys.stdin.read()) without try/except; piping to eval/bashpy, bash
hooks-unquoted-variableERROR
Tainted stdin data flowing to eval, bash -c, sh -c, exec
bash
hooks-path-traversalERROR
Stdin JSON data used in file operations without os.path.realpath()
py, bash
hooks-relative-script-pathWARNING
source ./..., bash ./... — relative path script invocationsbash
hooks-sensitive-file-accessWARNING
Stdin JSON data used in file operations without sensitive file filtering
py, bash
hooks-unconditional-allowERROR
Hook always outputs permissionDecision: "allow" without conditional checks
generic
hooks-stop-missing-active-checkWARNING
Stop hook outputs "block" without checking stop_hook_active (infinite loop)
generic
hooks-dns-exfiltrationERROR
DNS commands (ping, nslookup, dig) with variable expansion for data exfiltration
generic
hooks-wget-pipe-bashERROR
curl ... | bash or wget ... | sh remote code executiongeneric
MCP Server Security (6 rules)
Rule ID
Severity
What it Detects
Languages
mcp-command-injectionERROR
os.system(), subprocess(shell=True), eval() in @mcp.tool() handlerspy
mcp-ssrfERROR
Unvalidated URLs passed to requests.get()/urllib in MCP tools
py
mcp-tool-poisoningERROR
Suspicious directives (<IMPORTANT>, sensitive paths, "do not mention") in tool docstrings
generic
mcp-unsanitized-returnWARNING
External HTTP responses returned directly from MCP tools without sanitization
py
mcp-credential-in-responseWARNING
MCP tool return values containing credential keys (api_key, token, etc.)
py
mcp-hardcoded-config-secretERROR
Plaintext API keys (sk-*, hf_*, AIza*) in MCP config JSON files
generic
Agent Config File Security (5 rules)
Rule ID
Severity
What it Detects
Languages
ai-config-hidden-unicodeERROR
Invisible zero-width Unicode characters in .cursorrules, copilot-instructions.md, CLAUDE.md
generic
ide-settings-executable-pathWARNING
Executable path overrides in .vscode/settings.json pointing to relative paths
generic
claude-settings-bypass-permissionsERROR
bypassPermissions, allowUnsandboxedCommands, enableWeakerNestedSandbox in settingsgeneric
claude-settings-env-url-overrideERROR
ANTHROPIC_BASE_URL/OPENAI_BASE_URL overrides redirecting API trafficgeneric
claude-settings-auto-enable-mcpWARNING
enableAllProjectMcpServers: true auto-loading untrusted MCP serversgeneric
Agentic Code Execution Safety (3 rules)
Rule ID
Severity
What it Detects
Languages
llm-output-to-execERROR
LLM API response flowing to eval(), exec(), subprocess(shell=True), os.system()
py, js/ts
langchain-dangerous-execERROR
PythonREPL.run(), BashProcess.run(), PythonAstREPLTool usagepy
agent-unbounded-loopWARNING
while True loop with LLM API calls and no break conditionpy
rules/<rule-id>/
<rule-id>.yaml # Semgrep rule definition (one or more sub-rules)
<rule-id>.py # Python test file
<rule-id>.js # JS/TS test file (if applicable)
<rule-id>.go # Go test file (if applicable)
Create a rule directory: rules/<rule-id>/
Write test files with # ruleid: and # ok: annotations
Write the YAML rule
Validate: semgrep --validate --config rules/<rule-id>/
Test: semgrep --test rules/<rule-id>/
# Validate all rules# Run all testsSee LICENSE for details.