Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

ranbot-ai/sast-configuration

Name: sast-configuration
Author: ranbot-ai

skills/sast-configuration/SKILL.md

npx skillsauth add ranbot-ai/awesome-skills sast-configuration

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

SAST Configuration

Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.

Use this skill when

Set up SAST scanning in CI/CD pipelines
Create custom security rules for your codebase
Configure quality gates and compliance policies
Optimize scan performance and reduce false positives
Integrate multiple SAST tools for defense-in-depth

Do not use this skill when

You only need DAST or manual penetration testing guidance
You cannot access source code or CI/CD pipelines
You need organizational policy decisions rather than tooling setup

Instructions

Identify languages, repos, and compliance requirements.
Choose tools and define a baseline policy.
Integrate scans into CI/CD with gating thresholds.
Tune rules and suppressions based on false positives.
Track remediation and verify fixes.

Safety

Avoid scanning sensitive repos with third-party services without approval.
Prevent leaks of secrets in scan artifacts and logs.

Overview

This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL.

Core Capabilities

1. Semgrep Configuration

Custom rule creation with pattern matching
Language-specific security rules (Python, JavaScript, Go, Java, etc.)
CI/CD integration (GitHub Actions, GitLab CI, Jenkins)
False positive tuning and rule optimization
Organizational policy enforcement

2. SonarQube Setup

Quality gate configuration
Security hotspot analysis
Code coverage and technical debt tracking
Custom quality profiles for languages
Enterprise integration with LDAP/SAML

3. CodeQL Analysis

GitHub Advanced Security integration
Custom query development
Vulnerability variant analysis
Security research workflows
SARIF result processing

Quick Start

Initial Assessment

Identify primary programming languages in your codebase
Determine compliance requirements (PCI-DSS, SOC 2, etc.)
Choose SAST tool based on language support and integration needs
Review baseline scan to understand current security posture

Basic Setup

# Semgrep quick start
pip install semgrep
semgrep --config=auto --error

# SonarQube with Docker
docker run -d --name sonarqube -p 9000:9000 sonarqube:latest

# CodeQL CLI setup
gh extension install github/gh-codeql
codeql database create mydb --language=python

Reference Documentation

Semgrep Rule Creation - Pattern-based security rule development
SonarQube Configuration - Quality gates and profiles
CodeQL Setup Guide - Query development and workflows

Templates & Assets

semgrep-config.yml - Production-ready Semgrep configuration
sonarqube-settings.xml - SonarQube quality profile template
run-sast.sh - Automated SAST execution script

Integration Patterns

CI/CD Pipeline Integration

# GitHub Actions example
- name: Run Semgrep
  uses: returntocorp/semgrep-action@v1
  with:
    config: >-
      p/security-audit
      p/owasp-top-ten

Pre-commit Hook

# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
  rev: v1.45.0
  hooks:
    - id: semgrep
      args: ['--config=auto', '--error']

Best Practices

Start with Baseline
- Run initial scan to establish security baseline
- Prioritize critical and high severity findings
- Create remediation roadmap
Incremental Adoption
- Begin with security-focused rules
- Gradually add code quality rules
- Implement blocking only for critical issues
False Positive Management
- Document legitimate suppressions
- Create allow lists for known safe patterns
- Regularly review suppressed findings
Performance Optimization
- Exclude test files and generated code
- Use incremental scanning for large codebases
- Cache scan results in CI/CD
Team Enablement
- Provide security training for developers
- Create internal documentation for common patterns
- Establish security champions program

Common Use Cases

New Project Setup

./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube

Custom Rule Development

# See references/semgrep-rules.md for detailed examples
rules:
  - id: hardcoded-jwt-secret
    pattern: jwt.encode($DATA, "...", ...)
    message: JWT secret should not be hardcoded
    severity: ERROR

Compliance Scanning

# PCI-DSS focused scan
semgrep --config p/pci-dss --json -o pci-scan-results.json

Troubleshooting

High False Positive Rate

Review and tune rule sensitivity
Add path filters to exclude test files
Use nostmt metadata for noisy patterns
Create organization-specific rule exceptions

Performance Issues

Enable incremental scanning
Parallelize scans across modules
Optimize rule patterns for efficiency
Cache depende

ranbot-ai/sast-configuration

skills/sast-configuration/SKILL.md

Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.

4 stars

tools

Updated May 2, 2026

$ install --global

skillsauth

npx skillsauth add ranbot-ai/awesome-skills sast-configuration

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 2, 2026, 5:53 AM49.0s1 file scanned

SKILL.md

name:: sast-configuration
description:: Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.
category:: Security & Systems
source:: antigravity
tags:: [python, javascript, api, ai, workflow, template, document, security, vulnerability, docker]
url:: https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/sast-configuration

SAST Configuration

Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.

Use this skill when

Set up SAST scanning in CI/CD pipelines
Create custom security rules for your codebase
Configure quality gates and compliance policies
Optimize scan performance and reduce false positives
Integrate multiple SAST tools for defense-in-depth

Do not use this skill when

You only need DAST or manual penetration testing guidance
You cannot access source code or CI/CD pipelines
You need organizational policy decisions rather than tooling setup

Instructions

Identify languages, repos, and compliance requirements.
Choose tools and define a baseline policy.
Integrate scans into CI/CD with gating thresholds.
Tune rules and suppressions based on false positives.
Track remediation and verify fixes.

Safety

Avoid scanning sensitive repos with third-party services without approval.
Prevent leaks of secrets in scan artifacts and logs.

Overview

This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL.

Core Capabilities

1. Semgrep Configuration

Custom rule creation with pattern matching
Language-specific security rules (Python, JavaScript, Go, Java, etc.)
CI/CD integration (GitHub Actions, GitLab CI, Jenkins)
False positive tuning and rule optimization
Organizational policy enforcement

2. SonarQube Setup

Quality gate configuration
Security hotspot analysis
Code coverage and technical debt tracking
Custom quality profiles for languages
Enterprise integration with LDAP/SAML

3. CodeQL Analysis

GitHub Advanced Security integration
Custom query development
Vulnerability variant analysis
Security research workflows
SARIF result processing

Quick Start

Initial Assessment

Identify primary programming languages in your codebase
Determine compliance requirements (PCI-DSS, SOC 2, etc.)
Choose SAST tool based on language support and integration needs
Review baseline scan to understand current security posture

Basic Setup

# Semgrep quick start
pip install semgrep
semgrep --config=auto --error

# SonarQube with Docker
docker run -d --name sonarqube -p 9000:9000 sonarqube:latest

# CodeQL CLI setup
gh extension install github/gh-codeql
codeql database create mydb --language=python

Reference Documentation

Semgrep Rule Creation - Pattern-based security rule development
SonarQube Configuration - Quality gates and profiles
CodeQL Setup Guide - Query development and workflows

Templates & Assets

semgrep-config.yml - Production-ready Semgrep configuration
sonarqube-settings.xml - SonarQube quality profile template
run-sast.sh - Automated SAST execution script

Integration Patterns

CI/CD Pipeline Integration

# GitHub Actions example
- name: Run Semgrep
  uses: returntocorp/semgrep-action@v1
  with:
    config: >-
      p/security-audit
      p/owasp-top-ten

Pre-commit Hook

# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
  rev: v1.45.0
  hooks:
    - id: semgrep
      args: ['--config=auto', '--error']

Best Practices

Start with Baseline
- Run initial scan to establish security baseline
- Prioritize critical and high severity findings
- Create remediation roadmap
Incremental Adoption
- Begin with security-focused rules
- Gradually add code quality rules
- Implement blocking only for critical issues
False Positive Management
- Document legitimate suppressions
- Create allow lists for known safe patterns
- Regularly review suppressed findings
Performance Optimization
- Exclude test files and generated code
- Use incremental scanning for large codebases
- Cache scan results in CI/CD
Team Enablement
- Provide security training for developers
- Create internal documentation for common patterns
- Establish security champions program

Common Use Cases

New Project Setup

./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube

Custom Rule Development

# See references/semgrep-rules.md for detailed examples
rules:
  - id: hardcoded-jwt-secret
    pattern: jwt.encode($DATA, "...", ...)
    message: JWT secret should not be hardcoded
    severity: ERROR

Compliance Scanning

# PCI-DSS focused scan
semgrep --config p/pci-dss --json -o pci-scan-results.json

Troubleshooting

High False Positive Rate

Review and tune rule sensitivity
Add path filters to exclude test files
Use nostmt metadata for noisy patterns
Create organization-specific rule exceptions

Performance Issues

Enable incremental scanning
Parallelize scans across modules
Optimize rule patterns for efficiency
Cache depende

Related Skills

ranbot-ai/nextjs-seo-indexing

testing

VerifiedTrustedCommunity

Fix SEO indexing issues, crawl budget problems, and Search Console coverage errors for Next.js apps. Covers canonical tags, noindex audits, sitemap health, static rendering, and internal linking.

5SKILL.mdUpdated Jun 2, 2026

ranbot-ai/nextjs-seo-indexing

ranbot-ai/moatmri

data-ai

VerifiedTrustedCommunity

Analyze AI disruption pressure across a business, map competitive exposure, and produce a 90-day defensive action plan.

5SKILL.mdUpdated Jun 2, 2026

ranbot-ai/skills/longbridge

tools

VerifiedTrustedCommunity

--- name: longbridge description: 125+ agent skills for Longbridge Securities — real-time quotes, charts, fundamentals, portfolio analysis, options, and more for HK/US/A-share/SG markets. Trilingual: Simplified Chinese, Traditional category: AI & Agents source: antigravity tags: [api, mcp, claude, ai, agent, security, cro] url: https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/longbridge --- # Longbridge ## Overview Longbridge is the official skill collection for Longbr

5SKILL.mdUpdated Jun 2, 2026

ranbot-ai/skills/longbridge

ranbot-ai/github-actions-advanced

tools

VerifiedTrustedCommunity

Design, debug, and harden GitHub Actions CI/CD workflows, including reusable workflows, matrix builds, self-hosted runners, OIDC authentication, caching, environments, secrets, and release automation.

5SKILL.mdUpdated Jun 2, 2026

ranbot-ai/github-actions-advanced

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/ranbot-ai/awesome-skills.git

# Copy into Claude Code skills folder (global)
cp -r awesome-skills/skills/sast-configuration ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

ranbot-ai/awesome-skills

4 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT