The @semgrep by @r2cdev is a wonderful tool that I have been experimenting with lately. https://blog.anantshri.info/semgrep-scanning-unusuals-extensions/ this blog post describes a hack to make it works for unusual extensions. It might also help with fixing/adding feature https://github.com/returntocorp/semgrep/issues/3090