variant-analysis_skill

This skill helps you locate variant vulnerabilities across codebases by pattern-based analysis and systematic auditing guidance.
  • Python

3k

GitHub Stars

2

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill trailofbits/skills --skill variant-analysis

  • METHODOLOGY.md9.4 KB
  • SKILL.md5.5 KB

Overview

This skill finds similar vulnerabilities and bug variants across a codebase using pattern-based analysis and iterative generalization. It helps turn one confirmed issue into a systematic search for related instances, producing prioritized findings with confidence and exploitability assessments. Use it to refine hunting queries and guide audits after an initial problem is identified.

How this skill works

The skill inspects a confirmed vulnerable instance, crafts an exact-match pattern, then incrementally abstracts that pattern while reviewing new matches. It supports ripgrep, Semgrep, and CodeQL as tool options depending on speed and analysis depth, and it enforces a one-change-at-a-time workflow to control false positives. Results are triaged with location, confidence, exploitability, and priority annotations.

When to use it

  • After finding a concrete vulnerability and you need to locate variants
  • When building or refining Semgrep or CodeQL queries for a security pattern
  • During systematic code audits following discovery of an initial bug
  • When hunting for bug families that share a common root cause
  • To analyze how one root cause manifests across different modules and call paths

Best practices

  • Start with an exact-match pattern that only hits the original instance
  • Generalize one element at a time and review all new matches after each change
  • Search the entire repository root; don’t limit scope to a single module
  • Enumerate semantically related functions/attributes instead of a single literal
  • Stop or revert if false positives exceed ~50% and document reasoning

Example use cases

  • Turn a confirmed SQL injection into Semgrep/CodeQL queries to find similar sinks across services
  • Generalize an access-control bypass to discover related logic errors in other modules
  • Create CodeQL dataflow queries to find tainted-value propagation variants
  • Build a prioritized triage report with exploitability and confidence for a security team
  • Refine ripgrep-to-Semgrep workflow: exact-match → controlled abstraction → dataflow analysis

FAQ

Use ripgrep for a fast surface search and exact matches, then move to Semgrep or CodeQL for richer pattern and dataflow analyses.

How do I know when I've over-generalized a pattern?

If more than roughly 50% of new matches are false positives, revert the last abstraction or try a different abstraction point; classify matches during each step.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
variant-analysis skill by trailofbits/skills | VeilStrat