Remove mcaf-dotnet-semgrep skill

Author: KSemenenko

README.md

@@ -115,7 +115,7 @@ Platform-specific bundles can stay small and still be explicit.
 For example, a typical .NET repo baseline can install `mcaf-dotnet` as the entry skill, `mcaf-dotnet-features`, `mcaf-solution-governance`, `mcaf-testing`, exactly one of `mcaf-dotnet-xunit`, `mcaf-dotnet-tunit`, or `mcaf-dotnet-mstest`, plus `mcaf-dotnet-quality-ci`, `mcaf-dotnet-complexity`, `mcaf-solid-maintainability`, `mcaf-architecture-overview`, and `mcaf-ci-cd`.
 In that setup, `mcaf-dotnet` knows when to open the more specific .NET skills, the repo-root lowercase `.editorconfig` is the default source of truth for formatting and analyzer severity, and `AGENTS.md` records the exact `dotnet build`, `dotnet test`, `dotnet format`, `analyze`, and coverage commands. Nested `.editorconfig` files are allowed when they serve a clear subtree-specific purpose, such as stricter domain rules, generated-code handling, test-specific conventions, or legacy-code containment.
 For .NET code changes, the task is not done when tests are green if the repo also configured formatters, analyzers, coverage, architecture tests, or security gates. Agents should run the repo-defined post-change quality pass before completion.
-If the repo standardizes on concrete tools, install the matching tool skills as well. Typical open or free .NET additions include `mcaf-dotnet-format`, `mcaf-dotnet-code-analysis`, `mcaf-dotnet-analyzer-config`, `mcaf-dotnet-stylecop-analyzers`, `mcaf-dotnet-roslynator`, `mcaf-dotnet-meziantou-analyzer`, `mcaf-dotnet-cloc`, `mcaf-dotnet-coverlet`, `mcaf-dotnet-profiling`, `mcaf-dotnet-quickdup`, `mcaf-dotnet-reportgenerator`, `mcaf-dotnet-resharper-clt`, `mcaf-dotnet-stryker`, `mcaf-dotnet-netarchtest`, `mcaf-dotnet-archunitnet`, `mcaf-dotnet-semgrep`, and `mcaf-dotnet-csharpier`. `mcaf-dotnet-codeql` stays available, but should be chosen only when its hosting and licensing model fits the repository.
+If the repo standardizes on concrete tools, install the matching tool skills as well. Typical open or free .NET additions include `mcaf-dotnet-format`, `mcaf-dotnet-code-analysis`, `mcaf-dotnet-analyzer-config`, `mcaf-dotnet-stylecop-analyzers`, `mcaf-dotnet-roslynator`, `mcaf-dotnet-meziantou-analyzer`, `mcaf-dotnet-cloc`, `mcaf-dotnet-coverlet`, `mcaf-dotnet-profiling`, `mcaf-dotnet-quickdup`, `mcaf-dotnet-reportgenerator`, `mcaf-dotnet-resharper-clt`, `mcaf-dotnet-stryker`, `mcaf-dotnet-netarchtest`, `mcaf-dotnet-archunitnet`, and `mcaf-dotnet-csharpier`. `mcaf-dotnet-codeql` stays available, but should be chosen only when its hosting and licensing model fits the repository.
 
 ### 2.5 Context Rules
 

TUTORIAL.md

@@ -153,7 +153,6 @@ Add tool-specific .NET skills only when the repo standardizes on them:
 - `mcaf-dotnet-reportgenerator`
 - `mcaf-dotnet-resharper-clt`
 - `mcaf-dotnet-roslynator`
-- `mcaf-dotnet-semgrep`
 - `mcaf-dotnet-stryker`
 - `mcaf-dotnet-stylecop-analyzers`
 <!-- MCAF:DOTNET-OPTIONAL-SKILLS-END -->
@@ -190,7 +189,6 @@ The website build generates this list from the actual folders under `skills/`.
 - `mcaf-dotnet-reportgenerator` — [Folder](https://github.com/managedcode/MCAF/blob/main/skills/mcaf-dotnet-reportgenerator), [Raw SKILL](https://raw.githubusercontent.com/managedcode/MCAF/main/skills/mcaf-dotnet-reportgenerator/SKILL.md)
 - `mcaf-dotnet-resharper-clt` — [Folder](https://github.com/managedcode/MCAF/blob/main/skills/mcaf-dotnet-resharper-clt), [Raw SKILL](https://raw.githubusercontent.com/managedcode/MCAF/main/skills/mcaf-dotnet-resharper-clt/SKILL.md)
 - `mcaf-dotnet-roslynator` — [Folder](https://github.com/managedcode/MCAF/blob/main/skills/mcaf-dotnet-roslynator), [Raw SKILL](https://raw.githubusercontent.com/managedcode/MCAF/main/skills/mcaf-dotnet-roslynator/SKILL.md)
-- `mcaf-dotnet-semgrep` — [Folder](https://github.com/managedcode/MCAF/blob/main/skills/mcaf-dotnet-semgrep), [Raw SKILL](https://raw.githubusercontent.com/managedcode/MCAF/main/skills/mcaf-dotnet-semgrep/SKILL.md)
 - `mcaf-dotnet-stryker` — [Folder](https://github.com/managedcode/MCAF/blob/main/skills/mcaf-dotnet-stryker), [Raw SKILL](https://raw.githubusercontent.com/managedcode/MCAF/main/skills/mcaf-dotnet-stryker/SKILL.md)
 - `mcaf-dotnet-stylecop-analyzers` — [Folder](https://github.com/managedcode/MCAF/blob/main/skills/mcaf-dotnet-stylecop-analyzers), [Raw SKILL](https://raw.githubusercontent.com/managedcode/MCAF/main/skills/mcaf-dotnet-stylecop-analyzers/SKILL.md)
 - `mcaf-dotnet-tunit` — [Folder](https://github.com/managedcode/MCAF/blob/main/skills/mcaf-dotnet-tunit), [Raw SKILL](https://raw.githubusercontent.com/managedcode/MCAF/main/skills/mcaf-dotnet-tunit/SKILL.md)

skills/mcaf-dotnet-quality-ci/SKILL.md

@@ -79,7 +79,7 @@ compatibility: "Requires a .NET solution or project; may update `AGENTS.md`, CI
    - `mcaf-dotnet-analyzer-config`
    - analyzer-pack skills such as `mcaf-dotnet-stylecop-analyzers`, `mcaf-dotnet-roslynator`, and `mcaf-dotnet-meziantou-analyzer`
    - coverage/reporting skills such as `mcaf-dotnet-coverlet` and `mcaf-dotnet-reportgenerator`
-   - architecture/security skills such as `mcaf-dotnet-netarchtest`, `mcaf-dotnet-archunitnet`, `mcaf-dotnet-codeql`, and `mcaf-dotnet-semgrep`
+   - architecture/security skills such as `mcaf-dotnet-netarchtest`, `mcaf-dotnet-archunitnet`, and `mcaf-dotnet-codeql`
 8. Avoid overlapping tools with conflicting ownership. If you add an opinionated formatter, define whether it replaces or complements `dotnet format`.
 
 ## Bootstrap When Missing

skills/mcaf-dotnet-quality-ci/references/quality-toolchain.md

@@ -7,7 +7,6 @@ Open/free policy for this catalog:
 
 - everything listed here is open source or free to adopt locally
 - `CodeQL` stays in the catalog with an explicit caveat because the hosted GitHub private-repo experience is not universally free
-- if the team needs a security scanner with no such hosting caveat, prefer `mcaf-dotnet-semgrep`
 
 Install policy for this catalog:
 
@@ -50,7 +49,6 @@ These tools are worth adding once the baseline is stable:
 | Architecture tests | `NetArchTest.Rules` | `mcaf-dotnet-netarchtest` | Simple, fluent architectural rules in tests | Good for layered or clean architecture policies |
 | Architecture tests | `ArchUnitNET` | `mcaf-dotnet-archunitnet` | Richer architecture assertions across xUnit, MSTest, and TUnit | Heavier than NetArchTest but more expressive |
 | Deep inspections and cleanup | `JetBrains ReSharper Command Line Tools` | `mcaf-dotnet-resharper-clt` | Powerful ReSharper inspections plus cleanup profiles in CI or local runs | Free official JetBrains CLI package; keep shared policy in solution `.DotSettings` |
-| Security scanning | `Semgrep CE` | `mcaf-dotnet-semgrep` | Fast OSS static analysis across many languages | Community Edition is file/function-scoped for security analysis |
 | Security scanning | `CodeQL` | `mcaf-dotnet-codeql` | Deep GitHub-native query-based analysis | Open ecosystem with private-repo hosting caveats |
 | Opinionated formatter | `CSharpier` | `mcaf-dotnet-csharpier` | Fast one-style formatter for C# and XML | Use only if the repo wants a formatter owner beyond `dotnet format` |
 
@@ -94,7 +92,7 @@ Use the exact commands from `AGENTS.md`. The usual checked-in flow is:
 4. focused `test`
 5. broader `test`
 6. `coverage` and report generation when configured
-7. extra configured gates such as Roslynator, StyleCop, Meziantou, ReSharper CLT, architecture tests, Semgrep, CodeQL, CSharpier, or Stryker
+7. extra configured gates such as Roslynator, StyleCop, Meziantou, ReSharper CLT, architecture tests, CodeQL, CSharpier, or Stryker
 
 Run only the gates the repo actually enabled.
 
@@ -143,5 +141,4 @@ dotnet stryker
 - [CleanupCode](https://www.jetbrains.com/help/resharper/CleanupCode.html)
 - [InspectCode](https://www.jetbrains.com/help/resharper/InspectCode.html)
 - [CodeQL code scanning](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)
-- [Semgrep](https://github.com/semgrep/semgrep)
 - [CSharpier](https://github.com/belav/csharpier)

skills/mcaf-dotnet-semgrep/SKILL.md

@@ -54,7 +54,7 @@ compatibility: "Requires a .NET solution or project; respects root and local `AG
    - `mcaf-dotnet-quality-ci`
    - `mcaf-dotnet-analyzer-config`
    - `mcaf-dotnet-complexity`
-   - tool-specific skills such as `mcaf-dotnet-format`, `mcaf-dotnet-roslynator`, `mcaf-dotnet-stylecop-analyzers`, `mcaf-dotnet-meziantou-analyzer`, `mcaf-dotnet-coverlet`, `mcaf-dotnet-reportgenerator`, `mcaf-dotnet-resharper-clt`, `mcaf-dotnet-netarchtest`, `mcaf-dotnet-archunitnet`, `mcaf-dotnet-semgrep`, `mcaf-dotnet-codeql`, `mcaf-dotnet-csharpier`, and `mcaf-dotnet-stryker`
+   - tool-specific skills such as `mcaf-dotnet-format`, `mcaf-dotnet-roslynator`, `mcaf-dotnet-stylecop-analyzers`, `mcaf-dotnet-meziantou-analyzer`, `mcaf-dotnet-coverlet`, `mcaf-dotnet-reportgenerator`, `mcaf-dotnet-resharper-clt`, `mcaf-dotnet-netarchtest`, `mcaf-dotnet-archunitnet`, `mcaf-dotnet-codeql`, `mcaf-dotnet-csharpier`, and `mcaf-dotnet-stryker`
 4. Route design and structure through:
    - `mcaf-solid-maintainability` for SOLID, SRP, cohesion, and maintainability limits
    - `mcaf-architecture-overview` when system or module boundaries, contracts, or architecture docs need work
@@ -67,7 +67,7 @@ compatibility: "Requires a .NET solution or project; respects root and local `AG
    - focused `test`
    - broader `test`
    - `coverage` and report generation when configured
-   - extra configured gates such as Roslynator, StyleCop, Meziantou, ReSharper CLT, NetArchTest, ArchUnitNET, Semgrep, CodeQL, CSharpier, or Stryker
+   - extra configured gates such as Roslynator, StyleCop, Meziantou, ReSharper CLT, NetArchTest, ArchUnitNET, CodeQL, CSharpier, or Stryker
 7. If the repo does not define these commands clearly, tighten `AGENTS.md` before continuing so later agents stop guessing.
 8. Do not introduce preview language features unless the repo explicitly opts into preview in project or MSBuild settings.
 

skills/mcaf-dotnet-semgrep/references/semgrep.md

@@ -14,7 +14,7 @@ Use `mcaf-dotnet` as the entry skill when a task spans more than one .NET concer
 | .NET quality gates, analyzer stack, coverage, mutation, or security gate selection | `mcaf-dotnet-quality-ci` |
 | repo-root `.editorconfig` authoring and analyzer severity ownership | `mcaf-dotnet-analyzer-config` |
 | complex methods, maintainability metrics, and coupling thresholds | `mcaf-dotnet-complexity` |
-| one concrete tool such as Roslynator, StyleCop, Coverlet, ReportGenerator, ReSharper CLT, Semgrep, or CSharpier | the exact tool skill |
+| one concrete tool such as Roslynator, StyleCop, Coverlet, ReportGenerator, ReSharper CLT, or CSharpier | the exact tool skill |
 | SOLID-driven refactors and maintainability-limit enforcement | `mcaf-solid-maintainability` |
 | architecture map or boundary documentation | `mcaf-architecture-overview` |
 | architecture rules in executable tests | `mcaf-dotnet-netarchtest` or `mcaf-dotnet-archunitnet` |

skills/mcaf-dotnet/SKILL.md

@@ -8,7 +8,7 @@ Start from checked-in repo state:
 
 ```bash
 rg -n "TargetFramework|TargetFrameworks|LangVersion|UseMicrosoftTestingPlatformRunner|TestingPlatformDotnetTestSupport|EnableNETAnalyzers|AnalysisLevel|TreatWarningsAsErrors" -g '*.csproj' -g 'Directory.Build.*' .
-rg -n "xunit|xunit\\.v3|TUnit|MSTest|StyleCopAnalyzers|Roslynator|Meziantou|coverlet|ReportGenerator|JetBrains\\.ReSharper\\.GlobalTools|NetArchTest|ArchUnitNET|Semgrep|CodeQL|CSharpier" -g '*.csproj' -g '.config/dotnet-tools.json' .
+rg -n "xunit|xunit\\.v3|TUnit|MSTest|StyleCopAnalyzers|Roslynator|Meziantou|coverlet|ReportGenerator|JetBrains\\.ReSharper\\.GlobalTools|NetArchTest|ArchUnitNET|CodeQL|CSharpier" -g '*.csproj' -g '.config/dotnet-tools.json' .
 rg --files -g '.editorconfig' -g '*.sln.DotSettings'
 ```
 
@@ -32,7 +32,7 @@ Use the repo's exact commands from `AGENTS.md`. If the repo has no wrappers, the
 4. focused `test`
 5. broader `test`
 6. `coverage` and report generation when configured
-7. extra configured gates such as Roslynator, StyleCop, Meziantou, ReSharper CLT, architecture tests, Semgrep, CodeQL, CSharpier, or Stryker
+7. extra configured gates such as Roslynator, StyleCop, Meziantou, ReSharper CLT, architecture tests, CodeQL, CSharpier, or Stryker
 
 ## 4. Completion Rule