wshobson/sast-configuration
plugins/security-scanning/skills/sast-configuration/SKILL.md
Configure Static Application Security Testing (SAST) tools for automated vulnerability detection in application code. Use when setting up security scanning, implementing DevSecOps practices, or automating code vulnerability detection.
$ install --global
skillsauthnpx skillsauth add wshobson/agents sast-configurationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 3, 2026, 2:07 AM172.2s1 file scanned
SKILL.md
- name:
- sast-configuration
- description:
- Configure Static Application Security Testing (SAST) tools for automated vulnerability detection in application code. Use when setting up security scanning, implementing DevSecOps practices, or automating code vulnerability detection.
SAST Configuration
Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.
Overview
This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL. Use this skill when you need to:
- Set up SAST scanning in CI/CD pipelines
- Create custom security rules for your codebase
- Configure quality gates and compliance policies
- Optimize scan performance and reduce false positives
- Integrate multiple SAST tools for defense-in-depth
Core Capabilities
1. Semgrep Configuration
- Custom rule creation with pattern matching
- Language-specific security rules (Python, JavaScript, Go, Java, etc.)
- CI/CD integration (GitHub Actions, GitLab CI, Jenkins)
- False positive tuning and rule optimization
- Organizational policy enforcement
2. SonarQube Setup
- Quality gate configuration
- Security hotspot analysis
- Code coverage and technical debt tracking
- Custom quality profiles for languages
- Enterprise integration with LDAP/SAML
3. CodeQL Analysis
- GitHub Advanced Security integration
- Custom query development
- Vulnerability variant analysis
- Security research workflows
- SARIF result processing
Quick Start
Initial Assessment
- Identify primary programming languages in your codebase
- Determine compliance requirements (PCI-DSS, SOC 2, etc.)
- Choose SAST tool based on language support and integration needs
- Review baseline scan to understand current security posture
Basic Setup
# Semgrep quick start
pip install semgrep
semgrep --config=auto --error
# SonarQube with Docker
docker run -d --name sonarqube -p 9000:9000 sonarqube:10.8-community
# CodeQL CLI setup
gh extension install github/gh-codeql
codeql database create mydb --language=python
Integration Patterns
CI/CD Pipeline Integration
# GitHub Actions example
- name: Run Semgrep
uses: returntocorp/semgrep-action@v1
with:
config: >-
p/security-audit
p/owasp-top-ten
Pre-commit Hook
# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
rev: v1.45.0
hooks:
- id: semgrep
args: ['--config=auto', '--error']
Best Practices
-
Start with Baseline
- Run initial scan to establish security baseline
- Prioritize critical and high severity findings
- Create remediation roadmap
-
Incremental Adoption
- Begin with security-focused rules
- Gradually add code quality rules
- Implement blocking only for critical issues
-
False Positive Management
- Document legitimate suppressions
- Create allow lists for known safe patterns
- Regularly review suppressed findings
-
Performance Optimization
- Exclude test files and generated code
- Use incremental scanning for large codebases
- Cache scan results in CI/CD
-
Team Enablement
- Provide security training for developers
- Create internal documentation for common patterns
- Establish security champions program
Common Use Cases
New Project Setup
./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube
Custom Rule Development
# See references/semgrep-rules.md for detailed examples
rules:
- id: hardcoded-jwt-secret
pattern: jwt.encode($DATA, "...", ...)
message: JWT secret should not be hardcoded
severity: ERROR
Compliance Scanning
# PCI-DSS focused scan
semgrep --config p/pci-dss --json -o pci-scan-results.json
Troubleshooting
High False Positive Rate
- Review and tune rule sensitivity
- Add path filters to exclude test files
- Use nostmt metadata for noisy patterns
- Create organization-specific rule exceptions
Performance Issues
- Enable incremental scanning
- Parallelize scans across modules
- Optimize rule patterns for efficiency
- Cache dependencies and scan results
Integration Failures
- Verify API tokens and credentials
- Check network connectivity and proxy settings
- Review SARIF output format compatibility
- Validate CI/CD runner permissions
Related Skills
- OWASP Top 10 Checklist
- Container Security
- Dependency Scanning
Tool Comparison
| Tool | Best For | Language Support | Cost | Integration | | --------- | ------------------------ | ---------------- | --------------- | ------------- | | Semgrep | Custom rules, fast scans | 30+ languages | Free/Enterprise | Excellent | | SonarQube | Code quality + security | 25+ languages | Free/Commercial | Good | | CodeQL | Deep analysis, research | 10+ languages | Free (OSS) | GitHub native |
Next Steps
- Complete initial SAST tool setup
- Run baseline security scan
- Create custom rules for organization-specific patterns
- Integrate into CI/CD pipeline
- Establish security gate policies
- Train development team on findings and remediation
Related Skills
wshobson/social-publishing
development
VerifiedTrustedCommunity
Schedule and publish social media posts across 13 platforms (X, LinkedIn, Instagram, Facebook Pages, TikTok, Discord, Telegram, YouTube, Reddit, WordPress, Pinterest) via the SocialClaw API. Use when the user wants to publish, schedule, or manage social media content programmatically. Requires SOCIALCLAW_API_KEY.
36,323SKILL.mdUpdated Jun 4, 2026
wshobson/responsive-design
development
VerifiedTrustedCommunity
Implement modern responsive layouts using container queries, fluid typography, CSS Grid, and mobile-first breakpoint strategies. Use when building adaptive interfaces, implementing fluid layouts, or creating component-level responsive behavior.
35,887SKILL.mdUpdated Apr 25, 2026
wshobson/react-native-design
development
VerifiedTrustedCommunity
Master React Native styling, navigation, and Reanimated animations for cross-platform mobile development. Use when building React Native apps, implementing navigation patterns, or creating performant animations.
35,887SKILL.mdUpdated Apr 25, 2026
wshobson/mobile-android-design
development
VerifiedTrustedCommunity
Master Material Design 3 and Jetpack Compose patterns for building native Android apps. Use when designing Android interfaces, implementing Compose UI, or following Google's Material Design guidelines.
35,887SKILL.mdUpdated Apr 25, 2026