1 point by bumahkib76 hours ago 1 comment
  • bumahkib76 hours ago
    I wanted Semgrep's security rules without the Python runtime overhead, so I built a compiler that translates Semgrep YAML patterns into tree-sitter queries at build time.

      The rules get embedded via include_bytes!(), so there's no file loading or parsing at runtime - just pattern matching against ASTs.
    
      Trickiest part was metavariables. Semgrep patterns like eval($X) need to capture arbitrary expressions, but tree-sitter queries don't have that concept natively. Ended up building a
      translator that converts patterns to S-expressions with captures.
    
      647 rules across 28 languages. Still has false positives on generated code.
    
      cargo install rma-cli
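The metavariable translation the post describes, as an added sketch that is not rma's own code: it turns a single-call Semgrep-style pattern into a tree-sitter query with captures. It assumes tree-sitter-javascript node names (`call_expression`, `arguments`, `identifier`); `translate` and the `safeCompare` pattern are hypothetical names made up for illustration.

```rust
use std::collections::HashMap;

fn is_ident(s: &str) -> bool {
    !s.is_empty() && s.chars().all(|c| c.is_ascii_alphanumeric() || c == '_')
}

/// Translate `name($MV, ...)` into a tree-sitter query (assumed JS grammar).
/// Each metavariable becomes a wildcard `(_)` with a capture; a repeated
/// metavariable gets a second capture plus an `#eq?` predicate, which compares
/// node text (stricter than Semgrep's own equality on formatting differences).
fn translate(pattern: &str) -> Result<String, String> {
    let p = pattern.trim();
    let open = p.find('(').ok_or("expected `name(args)`")?;
    if !p.ends_with(')') {
        return Err("missing closing parenthesis".into());
    }
    let (name, inner) = (p[..open].trim(), &p[open + 1..p.len() - 1]);
    if !is_ident(name) {
        return Err(format!("unsupported callee `{name}`"));
    }
    let mut seen: HashMap<&str, usize> = HashMap::new();
    let mut nodes = Vec::new();
    let mut preds = vec![format!("(#eq? @callee \"{name}\")")];
    for arg in inner.split(',').map(str::trim) {
        let mv = arg.strip_prefix('$').filter(|m| is_ident(m))
            .ok_or_else(|| format!("unsupported argument `{arg}`"))?;
        let n = seen.entry(mv).or_insert(0);
        if *n == 0 {
            nodes.push(format!("(_) @{mv}"));
        } else {
            // Dots are legal in capture names but not in metavariable names,
            // so `@A.1` cannot collide with a user-written `$A_1`.
            nodes.push(format!("(_) @{mv}.{n}"));
            preds.push(format!("(#eq? @{mv} @{mv}.{n})"));
        }
        *n += 1;
    }
    // The `.` anchors pin first, adjacent and last named children, so the
    // query matches exactly this many arguments, as the Semgrep pattern does.
    Ok(format!(
        "((call_expression function: (identifier) @callee arguments: (arguments . {} .)) {})",
        nodes.join(" . "), preds.join(" ")
    ))
}

fn main() {
    for pat in ["eval($X)", "safeCompare($A, $A)"] { // constructed patterns
        println!("{pat}\n  => {}", translate(pat).unwrap());
    }
}
```

Without the anchors, `(arguments (_) @X)` would also fire on calls with extra arguments, which is one way a translated rule can drift from the Semgrep original and change its false-positive rate.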