Skills · sast-configuration

sast-configuration

Safe · 🌐 Network access · ⚙️ External commands · 📁 File system access

Configure SAST tools for secure code scanning

You need consistent SAST tool setup across your projects. This skill provides guidance for configuring Semgrep, SonarQube, and CodeQL with custom rules and CI integration.

Supports: Claude Code (CC), Codex
📊 69 Adequate
1. Download the skill ZIP

2. Import into Claude

   Go to Settings → Capabilities → Skills → Import a skill

3. Enable it and start using it

Test

Using "sast-configuration". Create a SAST plan for a JavaScript monorepo using Semgrep and CodeQL.

Expected result:

  • Select Semgrep auto rules plus OWASP Top Ten pack for JavaScript.
  • Run CodeQL on main branches and pull requests with SARIF upload.
  • Exclude build and vendor directories to improve scan time.
  • Fail the build only on critical and high findings.

Using "sast-configuration". How do I create a custom Semgrep rule for hardcoded API keys?

Expected result:

  • Define a pattern matching common key formats like 'sk-' prefixes.
  • Use message field to explain why hardcoded keys are a risk.
  • Set severity to ERROR for CI pipeline blocking.
  • Test rule against sample vulnerable code before deployment.
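The four bullets above, carried through as one concrete rule. This is an added example written for this page, not a file shipped in the skill's SKILL.md; the rule id `hardcoded-api-key`, the `sk-` key shape in the regex, and the excluded directories are assumptions to adapt to the vendors and layout of your own repository.

```yaml
# Added example (not from the skill): Semgrep rule flagging string literals that look
# like API keys. Assumed key shape: "sk-" prefix followed by 16 or more key characters.
rules:
  - id: hardcoded-api-key
    languages: [python, javascript, typescript]
    # ERROR makes `semgrep ci` exit non-zero, so the pipeline blocks on a match.
    severity: ERROR
    message: >-
      A string that looks like an API key (sk- prefix) is hardcoded in source.
      Hardcoded secrets are copied into every clone, build log and backup of the
      repository and cannot be rotated without a code change. Read the key from
      an environment variable or a secrets manager instead.
    metadata:
      category: security
      cwe: "CWE-798: Use of Hard-coded Credentials"
    patterns:
      # Match an assignment of a string literal; "$VALUE" binds the literal's contents.
      # Semgrep treats `const`/`let` declarations as assignments, so this covers JS too.
      - pattern: $KEY = "$VALUE"
      # Only flag literals shaped like a real key, so "sk-placeholder" in docs stays quiet.
      - metavariable-regex:
          metavariable: $VALUE
          regex: ^sk-[A-Za-z0-9_-]{16,}$
    paths:
      exclude:
        - "tests"
        - "node_modules"
        - "vendor"
```

Before wiring the rule into CI, run it against a small sample file containing one constructed `sk-...` literal and one harmless string, using `semgrep --config <rule file> <path>`; Semgrep's `--test` mode with `# ruleid: hardcoded-api-key` and `# ok: hardcoded-api-key` comments in the sample file turns that check into a repeatable regression test for the rule.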

Using "sast-configuration". Set up SonarQube quality gate for PCI-DSS compliance.

Expected result:

  • Configure quality profile with security-related rules enabled.
  • Set up custom metric thresholds for vulnerable code density.
  • Integrate SARIF import for external SAST tool results.
  • Configure email notifications for quality gate failures.

Security audit

Safe
v4 • 1/17/2026

This is a pure documentation skill containing only guidance and example commands for configuring SAST tools. All 32 static findings are false positives triggered by security-related terminology in documentation. The skill describes legitimate defensive security practices (Semgrep, SonarQube, CodeQL configuration) with no executable code, file access, network calls, or command execution. Behavior matches stated purpose of providing SAST configuration guidance.

2 files analyzed · 367 lines analyzed · 3 findings · 4 total audits

Quality score

Architecture: 38
Maintainability: 100
Content: 85
Community: 22
Security: 100
Specification compliance: 91

What you can build

SAST baseline rollout

Plan and configure Semgrep, SonarQube, and CodeQL for an initial organization baseline scan.

CI pipeline integration

Add SAST checks to GitHub Actions or GitLab CI with clear failure gates.

Custom rule authoring

Create targeted rules to detect risky patterns in a specific codebase.

Try these prompts

Beginner setup: Set up a basic Semgrep scan for a Python project and suggest a minimal CI step.
Pipeline hardening: Define a CI workflow that blocks merges on critical SAST findings and keeps noise low.
Rule tuning: Suggest rule tuning and path exclusions to reduce false positives in a large monorepo.
Advanced multi-tool: Design a plan to combine Semgrep, SonarQube, and CodeQL with clear ownership and reporting.

Best practices

  • Start with a baseline scan and prioritize critical issues first
  • Document suppressions and review them regularly
  • Cache dependencies and use incremental scans for speed

Avoid

  • Blocking merges on low severity findings
  • Ignoring false positives without documentation
  • Scanning generated or vendor code by default

Frequently asked questions

Which platforms does this skill support?
It provides guidance for Semgrep, SonarQube, and CodeQL across common CI platforms.
What are the limits of this skill?
It does not execute scans or modify your CI configuration directly.
Can it integrate with my existing CI pipeline?
Yes, it offers examples for GitHub Actions, GitLab CI, and pre-commit hooks.
Is my data accessed or stored?
No, the skill content is static documentation and does not access files or transmit data.
How do I troubleshoot noisy results?
Use rule tuning, path exclusions, and documented suppressions to reduce noise.
How does it compare to using one tool only?
It helps plan a multi-tool approach for stronger coverage and defense in depth.

Developer details

File structure

📄 SKILL.md