skills/sast-pipeline/SKILL.md
Running the SAiST (Static AI-assisted Security Testing) pipeline against a codebase. Use when the user wants to run static analysis rules, detect code smells, find vulnerability patterns, or scan code with the built-in rule engine. Covers the full init → resolve gaps → run rules flow.
Three-phase static analysis: init → resolve gaps → run rules.
```ts
sast_init_scan({
  files: ["src/**/*.sol"],
  languages: ["solidity"],
  context: {
    domainOverrides: { "rust": "on-chain" }, // e.g. Anchor/CosmWasm
    framework: "anchor"
  }
})
```
Builds SymbolMap (functions, state variables, call edges, modifiers, state reads/writes). Computes hotspots (functions in the most call chains). Detects gaps — callees the static pass cannot resolve:
- `unresolved_callee`: target not found in scope
- `interface_dispatch`: call through interface (concrete impl unknown)
- `external_library`: target exists but out-of-scope

Returns `scanId`, `gaps` (prioritized high/medium/low by hotspot proximity), `hotspots`. Status is `needs_resolution` if gaps exist, `ready` if none.
Review gaps and resolve what you can. Each gap has `id`, `type`, `qualifiedName`, `callSite`, `codeSnippet`, `priority`.
Triage:
```ts
sast_resolve_gaps({
  scanId: "abc123",
  resolutions: [{
    gapId: "deadbeef1234",
    facts: { writesState: ["balances"], callsExternal: false },
    resolvedBy: "agent",
    confidence: "medium"
  }]
})
```
Skip entirely if gap count is zero or all low priority.
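The triage step above, as an added example that is not code from the auditor-addon project: it applies the skip rule to the `status` and `gaps` returned by `sast_init_scan`, orders the gaps that still need review, and assembles the `resolutions` argument for `sast_resolve_gaps` from facts the reviewer has established. Field names follow the skill text; the sample scan output and the `Facts` shape beyond `writesState`/`callsExternal` are assumptions.

```typescript
// Added example (not project code): triage sast_init_scan gaps and build the
// sast_resolve_gaps payload. The tool calls themselves are not made here.
type GapType = "unresolved_callee" | "interface_dispatch" | "external_library";
type Priority = "high" | "medium" | "low";
type Confidence = "high" | "medium" | "low";

interface Gap { id: string; type: GapType; qualifiedName: string; callSite: string; codeSnippet: string; priority: Priority; }
interface InitResult { scanId: string; status: "needs_resolution" | "ready"; gaps: Gap[]; }
interface Facts { writesState?: string[]; callsExternal?: boolean; } // assumed shape
interface Resolution { gapId: string; facts: Facts; resolvedBy: "agent"; confidence: Confidence; }

const RANK: Record<Priority, number> = { high: 0, medium: 1, low: 2 };

// Phase 2 is skipped when nothing needs resolving or every gap is low priority.
function shouldSkipResolve(scan: InitResult): boolean {
  return scan.status === "ready" || scan.gaps.every(g => g.priority === "low");
}

// Review order: high before medium, low dropped; ties broken by name for stable output.
function triageQueue(scan: InitResult): Gap[] {
  return scan.gaps
    .filter(g => g.priority !== "low")
    .sort((a, b) => RANK[a.priority] - RANK[b.priority] || a.qualifiedName.localeCompare(b.qualifiedName));
}

// Build the sast_resolve_gaps argument from reviewer-established facts keyed by gap id.
// Unknown gap ids are rejected rather than silently forwarded to the scanner.
function buildResolvePayload(scan: InitResult, facts: Record<string, Facts>, confidence: Confidence = "medium") {
  const known = new Set(scan.gaps.map(g => g.id));
  const resolutions: Resolution[] = [];
  for (const gapId of Object.keys(facts)) {
    if (!known.has(gapId)) throw new Error(`gap ${gapId} is not in scan ${scan.scanId}`);
    resolutions.push({ gapId, facts: facts[gapId], resolvedBy: "agent", confidence });
  }
  return { scanId: scan.scanId, resolutions };
}

// Constructed sample of a sast_init_scan result (not real scanner output).
const sampleScan: InitResult = {
  scanId: "abc123",
  status: "needs_resolution",
  gaps: [
    { id: "g-lib-1", type: "external_library", qualifiedName: "SafeERC20.safeTransfer", callSite: "Vault.sol:88", codeSnippet: "token.safeTransfer(to, amt);", priority: "low" },
    { id: "deadbeef1234", type: "interface_dispatch", qualifiedName: "IStrategy.withdraw", callSite: "Vault.sol:120", codeSnippet: "strategy.withdraw(amt);", priority: "high" },
    { id: "g-cb-2", type: "unresolved_callee", qualifiedName: "_settle", callSite: "Vault.sol:140", codeSnippet: "_settle(user);", priority: "medium" },
  ],
};
```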
```ts
sast_run_rules({
  scanId: "abc123",
  includeSeverity: ["critical", "high", "medium"],
  includeKind: ["issue", "smell"],
})
```
Filters: `ruleIds` (specific IDs), `includeSeverity`, `includeKind` (`issue`, `smell`, `pointer`).
| Kind | Confidence | Meaning |
|---|---|---|
| issue | high | Confirmed defect — must fix |
| smell | medium | Likely problem — investigate |
| pointer | low | Suspicious pattern — verify manually |
Pointer rules flag syntactic patterns (rounding in branch conditions, few fields in EIP-712 hashes, inconsistent guard-vs-assignment) that have historically led to vulnerabilities. Expect false positives.
Besides shipped rules, the pipeline supports per-engagement custom rules. Pass file paths via customRulePaths:
```ts
sast_run_rules({
  scanId: "abc123",
  customRulePaths: ["./rules/CUSTOM-001-unbounded-loop.ts"],
})
```
Both .ts and .js paths are accepted. TypeScript files are compiled on-the-fly by tsx — no build step needed. Custom rule IDs must use the CUSTOM- prefix. Use the rule-authoring skill to create them.
Flywheel: Find an issue → recognize it's a pattern → write a custom rule → test it flags the known instance → run it against the full codebase to find more.
- `includeKind: ["issue", "smell"]`
- `includeKind: ["pointer"]` for lower-confidence flags