Skip to content

Add memory-safe language migration skill to /sources/additional-skills #48

Description

@santosomar

This is the second sub-issue of #46 , and depends on #47 (the additional-skills directory reorganization).

Once the /sources/additional-skills/ directory exists, this issue tracks the creation of the full memory-safe-migration skill, including the SKILL.md, reference documents, and the static analysis assessment script.

Background

Memory safety vulnerabilities (buffer overflows, use-after-free, dangling pointers, double-free, data races) account for 60–70% of critical CVEs in major software projects. Government guidance has converged on memory-safe languages as the primary mitigation:

  • CISA/NSA (2025): "Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development"
  • CISA (2023): "The Case for Memory Safe Roadmaps"
  • White House ONCD (2024): "Back to the Building Blocks"

AI coding agents are accelerating software development but will default to whatever language the existing codebase uses — perpetuating memory-unsafe codebases unless given explicit guidance. This skill closes that gap.

Files to create

The following file structure should be created under /sources/additional-skills/memory-safe-migration/:

memory-safe-migration/
├── README.md
├── SKILL.md
├── references/
│   ├── assessment-checklist.md
│   ├── ffi-security.md
│   ├── language-selection.md
│   └── migration-patterns.md
└── scripts/
    └── assess-migration.py

Content requirements per file

SKILL.md — Main skill following the [Agent Skills open standard](https://agentskills.io), with progressive disclosure. Must cover:

  • Proactive prevention: when an agent is about to generate new C/C++ code, check whether a memory-safe alternative is viable and default to it
  • CodeGuard unified source rule with YAML frontmatter
  • Banned unsafe C functions (gets, strcpy, strcat, sprintf, vsprintf) with safe replacements
  • Rules for minimizing and documenting unsafe blocks in Rust
  • Input validation requirements at all FFI boundaries
  • Memory ownership enforcement across FFI (allocator that created memory must free it)
  • No panics across FFI boundaries
  • Safe concurrency patterns
  • Proper resource management in GC languages

references/language-selection.md — Decision matrix mapping use cases to recommended memory-safe languages:

  • Rust: systems programming, cryptography, network stacks, embedded
  • Go: services, CLI tools, DevOps tooling
  • Java / C#: enterprise applications, backend services
  • Swift: Apple platform development

references/ffi-security.md — FFI boundary security rules treating every interface between safe and unsafe code as a security boundary. Must cover input validation, memory ownership, panic safety, thread safety, and string encoding.

references/migration-patterns.md — Side-by-side C/C++ → Rust/Go/Java code examples for: buffers, strings, linked structures, concurrency, error handling, file I/O, and network servers.

references/assessment-checklist.md — Scored priority evaluation checklist covering: vulnerability history, network exposure surface, AI-accelerated risk, and migration feasibility factors.

scripts/assess-migration.py — Python static analysis script that analyzes C/C++ source files and produces a prioritized migration report. Must detect:

  • Unsafe function usage (gets, strcpy, sprintf, etc.)
  • Pointer arithmetic
  • Buffer declarations
  • Network exposure patterns
  • Concurrency patterns
  • Cryptographic code

Must support both human-readable and JSON output for CI/CD integration.

Acceptance criteria

Dependencies

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Fields

No fields configured for Feature.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions