taint-instrumentation-assistant

Sets up taint tracking by defining sources, sinks, and sanitizers from Project CodeGuard's input-validation taxonomy, then configures the target tool (CodeQL, Semgrep, custom instrumentation). Use when wiring taint analysis into CI, when the user asks for taint tracking, or when you need a source/sink catalog for a specific language.

Install with Tessl CLI

npx tessl i github:santosomar/general-secure-coding-agent-skills --skill taint-instrumentation-assistant

What are skills?

Quality

92%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SKILL.md

Review

Evals

Taint Instrumentation Assistant

This skill delegates to Project CodeGuard for its source/sink/sanitizer taxonomy — specifically codeguard-0-input-validation-injection, which defines the trust boundaries (HTTP params, env, files, IPC) and dangerous sinks (query execution, shell, eval, filesystem) per language.

Upstream: https://github.com/cosai-oasis/project-codeguard/tree/main/skills/software-security

Dispatch

Taint component	CodeGuard source
Sources	`codeguard-0-input-validation-injection` → "Core Strategy" trust boundaries, per-framework request-object tables
Sinks	Same rule → SQL/LDAP/OS-command sections; plus `codeguard-0-xml-and-serialization` for deserialization sinks
Sanitizers	Same rule → parameterization APIs, escaping functions, allow-list validators listed as "primary defense"

Workflow

Pull the language-specific source/sink/sanitizer lists from the CodeGuard rules above.
Translate into the target tool's format: CodeQL .ql source/sink predicates, Semgrep pattern-sources/pattern-sinks, or inline annotations.
Sanitizers are allow-listed, not inferred — only CodeGuard-recognized sanitizers suppress a flow. A regex-based "sanitizer" does not count.
Run and verify: inject a known-tainted flow and confirm it's flagged before trusting the configuration.

Repository: santosomar/general-secure-coding-agent-skills
Commit: 47d56bb
Last updated: about 18 hours ago
Created: about 18 hours ago

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.