Semgrep - AI Security Best Practices Ruleset
Context
Recently I have been reviewing a few AI-related applications at work that cover LLMs, MCP, LangChain and other adjacent technology. It was fortuitous timing that Semgrep released a free ruleset that aims to encourage AI best practices by finding the bad ones.
The categories include:
- Hardcoded API keys
- Prompt injection
- Missing refusal handling
- Missing safety settings
- No error handling
- Missing moderation
- Hooks security
- MCP server flaws
- Agentic code execution
- Config file attacks
Quick Test
Installation was covered by brew, and I leveraged Claude Code to build a sample application for testing purposes. I have been pretty impressed with Claude Code, which has also built out a whole risk assessment process for me in a few prompts.
I plan to do a bit more research into each of the categories and how detection is done in the Semgrep rules.
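As an added illustration of the kind of detection the "Hardcoded API keys" category relies on, here is a small Semgrep rule of my own (not one taken from the ai-best-practices ruleset), assuming the OpenAI Python client's `OpenAI(api_key=...)` constructor and the `sk-` key prefix:

```yaml
rules:
  - id: example-hardcoded-llm-api-key
    languages: [python]
    severity: ERROR
    message: >
      An LLM provider API key appears to be hardcoded. Load it from the
      environment or a secrets manager instead.
    metadata:
      category: security
      subcategory: hardcoded-api-keys   # mirrors the ruleset's category name
    patterns:
      # Match the two common ways the OpenAI Python client receives a key.
      - pattern-either:
          - pattern: openai.api_key = "$KEY"
          - pattern: OpenAI(api_key="$KEY", ...)
      # Only fire when the literal looks like a real key, not an empty
      # string or an obvious placeholder such as "YOUR_KEY_HERE".
      - metavariable-regex:
          metavariable: $KEY
          regex: sk-[A-Za-z0-9_-]{20,}
      # Skip the safe pattern: key read from the environment at runtime.
      - pattern-not: OpenAI(api_key=os.environ[...], ...)

# Sample target (constructed) that the rule evaluates:
#
#   import os
#   from openai import OpenAI
#
#   # Flagged: literal key in source (placeholder value, not a real key)
#   client = OpenAI(api_key="sk-EXAMPLEEXAMPLEEXAMPLE1234567890")
#
#   # Not flagged: key supplied from the environment
#   client = OpenAI(api_key=os.environ["OPENAI_API_KEY"])
```

Save the rule as `hardcoded-key.yaml` and run `semgrep --config hardcoded-key.yaml <path>` to check it against the sample above.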
References
- https://semgrep.dev
- https://github.com/semgrep/ai-best-practices
This post is licensed under CC BY 4.0 by the author.