Manual SAST setup is complex and time-consuming. This skill provides ready-to-use configurations for Semgrep, SonarQube, and CodeQL to integrate security scanning into your CI/CD pipeline.
Download the skill ZIP
Upload it to Claude
Go to Settings → Features → Skills → Upload skill
Turn it on and start using it
Test it
Using "sast-configuration": Set up Semgrep for a Node.js project
Expected result:
A complete .semgrep.yml configuration file with OWASP Top 10 rules, plus a GitHub Actions workflow that runs scans on pull requests and blocks merges on high-severity findings.
Using "sast-configuration": Create a custom rule for SQL injection
Expected result:
A Semgrep rule that detects raw SQL queries with string concatenation, with examples showing vulnerable patterns and safe parameterized alternatives.
Security audit
Safe: All static analysis findings are false positives. The SKILL.md file contains documentation examples only, not executable code. The external command patterns are bash examples in markdown code blocks. A SAML reference was misidentified as Windows SAM. No actual security risks detected.
What you can build
DevSecOps Engineer
Integrate SAST scanning into existing CI/CD pipelines to catch vulnerabilities before deployment. Configure blocking gates for critical findings.
Security Team Lead
Establish baseline security scanning across multiple repositories. Create custom rules for organization-specific security patterns and compliance requirements.
Software Developer
Set up pre-commit hooks to catch security issues locally before pushing code. Learn to interpret and remediate SAST findings efficiently.
Try these prompts
Help me set up Semgrep for a Python project. I need basic security rules configured and want to integrate it with GitHub Actions.
Configure a SonarQube quality gate for a Java Spring Boot application. Focus on security hotspots and set appropriate thresholds for blocking builds.
Create a custom Semgrep rule to detect hardcoded API keys in JavaScript files. The rule should match common patterns like apiKey, api_secret, and Bearer tokens.
Design a defense-in-depth SAST strategy using Semgrep, SonarQube, and CodeQL together. Explain how to avoid duplicate findings and optimize scan times for a large polyglot codebase.
Best practices
- Start with baseline scans before enabling blocking gates, so that the development workflow is not disrupted
- Exclude test files and generated code to reduce noise and improve scan performance
- Document all rule suppressions and review them quarterly to ensure they remain valid
Avoid
- Enabling all rules at once without tuning, causing alert fatigue and developer frustration
- Scanning third-party dependencies or vendor code that you cannot modify
- Ignoring false positive tuning, leading to wasted engineering time on non-issues