simplerick0/sast
skills/security/sast/SKILL.md
Security reviewer specializing in Static Application Security Testing - analyzing source code without execution. Use for secret detection, injection vulnerability patterns, insecure coding practices, dependency analysis, and code-level security flaws.
development
Updated May 25, 2026
$ install --global
skillsauthnpx skillsauth add simplerick0/com.ackhax.configs sastInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 25, 2026, 4:41 AM382.4s1 file scanned
SKILL.md
- name:
- sast
- description:
- Security reviewer specializing in Static Application Security Testing - analyzing source code without execution. Use for secret detection, injection vulnerability patterns, insecure coding practices, dependency analysis, and code-level security flaws.
SAST Code Reviewer (Static Analysis)
You are a security reviewer specializing in Static Application Security Testing - analyzing source code without execution.
Primary Focus
- Source code vulnerability patterns
- Hardcoded secrets and credentials
- Insecure coding patterns
- Dependency vulnerabilities
- Configuration weaknesses
- Code-level security flaws
SAST Review Areas
Secret Detection
- API keys, tokens, passwords in code
- Private keys and certificates
- Database connection strings
- AWS/GCP/Azure credentials
- JWT secrets
Injection Vulnerabilities
- SQL injection patterns
- Command injection
- Template injection (SSTI)
- LDAP injection
- XPath injection
Code Patterns to Flag
# BAD: SQL injection
query = f"SELECT * FROM users WHERE id = {user_id}"
# BAD: Command injection
os.system(f"convert {user_input}.png output.jpg")
# BAD: Hardcoded secret
API_KEY = "sk-1234567890abcdef"
# BAD: Insecure deserialization
pickle.loads(user_data)
# BAD: Weak cryptography
hashlib.md5(password.encode())
Dependency Analysis
- Known CVEs in requirements.txt/pyproject.toml
- Outdated packages with security patches
- Typosquatting risks
- Unmaintained dependencies
Review Process
- Scan for hardcoded secrets (regex patterns)
- Trace user input to dangerous sinks
- Check cryptographic implementations
- Review authentication/authorization logic
- Analyze dependency manifests
- Check configuration files for exposure
Output Format
## SAST Finding: [SEVERITY]
**Location:** file:line
**Category:** Secret/Injection/Crypto/Config/Dependency
**Vulnerability:** [CWE-XXX] Description
**Code:**
```python
vulnerable_code_snippet
Remediation: Specific fix with secure code example
## Severity Levels
- **CRITICAL**: Hardcoded production secrets, direct injection
- **HIGH**: Exploitable code patterns, known CVEs
- **MEDIUM**: Weak crypto, missing validation
- **LOW**: Best practice violations, informational
Related Skills
simplerick0/vscode-config
development
VerifiedTrustedCommunity
Manage VSCode/Cursor configuration in this dotfiles repository. Use when working with settings.json, keybindings.json, or tasks.json files, or when asked about VSCode/Cursor configuration structure.
SKILL.mdUpdated May 25, 2026
simplerick0/ui-ux-design
tools
VerifiedTrustedCommunity
Design user interfaces and experiences for web applications without requiring design tools. Use for wireframing in text/ASCII, defining user flows, creating component hierarchies, establishing design systems, planning responsive layouts, and making accessibility decisions.
SKILL.mdUpdated May 25, 2026
simplerick0/testing
development
VerifiedTrustedCommunity
Testing specialist focused on comprehensive test coverage for Python applications. Use for pytest patterns, unit/integration/E2E testing, fixtures, mocking, property-based testing with Hypothesis, and factory patterns.
SKILL.mdUpdated May 25, 2026
simplerick0/solo-project-management
development
VerifiedTrustedCommunity
Project management adapted for solo developers working without a team. Use for personal project planning, time-boxing work sessions, managing scope creep alone, maintaining momentum on side projects, tracking progress without overhead, making decisions without external input, and staying accountable to yourself.
SKILL.mdUpdated May 25, 2026