Conversation

@dguido dguido commented Feb 12, 2026

Summary

  • Adds semgrep-scanner agent (Bash) for parallel semgrep CLI scans per language category
  • Adds semgrep-triager agent (Read, Grep, Glob, Write) for classifying findings as true/false positives
  • Updates SKILL.md Steps 4/5 to reference the new agent types
  • Bumps plugin version to 1.1.0

New files

  • plugins/static-analysis/agents/semgrep-scanner.md (71 lines)
  • plugins/static-analysis/agents/semgrep-triager.md (107 lines)

Test plan

  • YAML frontmatter parses correctly for both agent files
  • {baseDir}/skills/semgrep/references/scanner-task-prompt.md resolves correctly
  • {baseDir}/skills/semgrep/references/triage-task-prompt.md resolves correctly
  • SKILL.md changes don't break existing skill trigger behavior
  • marketplace.json version matches plugin.json (both 1.1.0)

🤖 Generated with Claude Code

dguido and others added 2 commits February 11, 2026 21:56
Introduces formal agent definitions for the scanning and triage
workflows. Updates SKILL.md to reference agents and bumps version
to 1.1.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@dguido dguido requested a review from axelm-tob as a code owner February 12, 2026 03:09
- Update scanner-task-prompt.md to reference semgrep-scanner subagent
  type instead of Bash (consistent with SKILL.md Step 4 change)
- Update triage-task-prompt.md to reference semgrep-triager subagent
  type instead of general-purpose (consistent with SKILL.md Step 5 change)
- Add Agents Included section to README.md documenting new agents
- Fix Agents table column header in SKILL.md from "Type" to "Tools"

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
dguido commented Feb 12, 2026

Code Review Summary

Findings by severity

  • P2 (Important): 3
  • P3 (Nice to have): 1 (fixed), 2 (dismissed)
  • P4 (Informational): 3

Fixed (3 P2 + 1 P3)

  1. P2: scanner-task-prompt.md still referenced subagent_type: Bash — Updated to semgrep-scanner to match the SKILL.md Step 4 change. Without this fix, anyone following the reference template would spawn the wrong subagent type.

  2. P2: triage-task-prompt.md still referenced subagent_type: general-purpose — Updated to semgrep-triager to match the SKILL.md Step 5 change. Same inconsistency as above.

  3. P2: README.md missing agents documentation — Added an "Agents Included" table listing both new agents with their tools and purposes, so users browsing the README know agents are available.

  4. P3: SKILL.md Agents table column header said "Type" instead of "Tools" — Fixed to "Tools" since the column lists tool names (Bash, Read/Grep/Glob/Write), not agent types.

Dismissed (2 P3)

  1. P3: {baseDir} vs ${CLAUDE_PLUGIN_ROOT} in agent files — The agents use {baseDir}/skills/semgrep/references/... paths. While official docs suggest ${CLAUDE_PLUGIN_ROOT} for plugins, {baseDir} is the established convention across all agent PRs in this series and the existing codebase. This is a cross-cutting concern that would need to be addressed repo-wide if at all. Dismissed as not specific to this PR.

  2. P3: semgrep-triager missing Bash tool — The triager workflow (read JSON findings, search source context, write triage output) is fully served by Read, Grep, Glob, and Write. No shell commands are needed for the described workflow.

Informational (P4, no action taken)

  1. Version bump 1.0.3 -> 1.1.0 is appropriate for new agent additions.
  2. Agent files don't need "When to Use" / "When NOT to Use" sections (those are SKILL.md requirements, not agent requirements).
  3. Agent descriptions are adequately specific for trigger matching.

Quality pipeline

All validation checks pass:

  • JSON validation (marketplace.json, plugin.json)
  • Marketplace consistency check
  • SKILL.md frontmatter validation
  • No hardcoded user paths
  • No personal emails
  • Pre-commit hooks (ruff, shellcheck, shfmt, yaml, json, trailing whitespace, end of files)

Fixes committed as f9702e1.

Plugin agents require the `plugin-name:agent-name` format at runtime,
but the skill referenced bare names (`semgrep-scanner`, `semgrep-triager`),
causing "Agent type not found" errors when spawning scan/triage Tasks.

Also adds agent types to the Step 3 plan template and pre-scan checklist
so they appear in generated plans and survive context clearing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
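A validation script for the checks listed in the PR's test plan and for the namespaced agent-type rule in this commit, written as an added example (not code from the PR or the plugin): it assumes a flat `name`/`description`/`tools` frontmatter, the `{baseDir}/...` reference syntax, `subagent_type:` spawn lines, and a marketplace.json with a `plugins` list of name/version entries.

```python
import json
import re

# Assumed minimal frontmatter schema for the agent files (not taken from the PR).
REQUIRED_KEYS = ("name", "description", "tools")
FRONTMATTER_RE = re.compile(r"\A---\r?\n(.*?)\r?\n---\r?\n", re.S)

def parse_frontmatter(markdown):
    """Parse a flat `key: value` frontmatter block (nested YAML is out of scope).
    Raises ValueError if the block is absent, malformed, or missing a required key."""
    match = FRONTMATTER_RE.match(markdown)
    if not match:
        raise ValueError("no YAML frontmatter block at top of file")
    fields = {}
    for line in match.group(1).splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and YAML comments
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"malformed frontmatter line: {line!r}")
        fields[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in fields]
    if missing:
        raise ValueError(f"frontmatter missing required keys: {missing}")
    return fields

def unresolved_basedir_refs(markdown, existing_paths):
    """Return {baseDir}/... references whose plugin-relative path is not in
    existing_paths (a set of paths, e.g. collected with Path(root).rglob('*'))."""
    refs = re.findall(r"\{baseDir\}/([\w./-]+)", markdown)
    return sorted({r.rstrip(".") for r in refs} - set(existing_paths))

def bare_subagent_types(markdown, plugin_name):
    """Return subagent_type values not namespaced as plugin-name:agent-name; a bare
    name such as semgrep-scanner fails at runtime with "Agent type not found"."""
    values = re.findall(r"subagent_type:\s*([\w:-]+)", markdown)
    return [v for v in values if not v.startswith(plugin_name + ":")]

def versions_match(plugin_json, marketplace_json, plugin_name):
    """True when plugin.json's version equals the version marketplace.json lists for
    the same plugin (assumed layout: {"plugins": [{"name": ..., "version": ...}]})."""
    plugin_version = json.loads(plugin_json)["version"]
    listed = [e["version"] for e in json.loads(marketplace_json)["plugins"] if e.get("name") == plugin_name]
    return bool(listed) and all(v == plugin_version for v in listed)

# Constructed sample inputs modelled on the file names in the PR, not their real contents.
AGENT_MD = "---\nname: semgrep-scanner\ndescription: Runs semgrep per language\ntools: Bash\n---\nRead {baseDir}/skills/semgrep/references/scanner-task-prompt.md.\n"
SKILL_MD = ("Step 4: Task(subagent_type: semgrep-scanner)\n"
            "Step 5: Task(subagent_type: static-analysis:semgrep-triager)\n")
```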
CLAassistant commented Feb 12, 2026

CLA assistant check
All committers have signed the CLA.

@axelm-tob
Running into permission issues when spawning static-analysis:semgrep-scanner:

The X scanner was denied Bash access. Let me re-launch both scanners directly with explicit commands.

Tool permissions seem correct as currently defined, but require further debugging.
