Automates the setup and configuration of Static Application Security Testing (SAST) tools to detect vulnerabilities in source code across multiple languages.
This skill provides a comprehensive framework for implementing and optimizing SAST tools like Semgrep, SonarQube, and CodeQL within the software development lifecycle. It enables developers to automate vulnerability detection, create custom security rules tailored to specific codebases, and integrate security checks directly into CI/CD pipelines. By leveraging this skill, teams can reduce false positives, ensure compliance with standards like OWASP Top 10 or PCI-DSS, and foster a DevSecOps culture through proactive code analysis and performance-optimized scanning patterns.
Main features
- Multi-tool support including Semgrep, SonarQube, and CodeQL
- CI/CD pipeline integration for GitHub Actions, GitLab, and Jenkins
- False positive reduction and scan performance optimization
- Custom security rule creation and pattern matching
- Compliance policy enforcement for PCI-DSS and SOC 2
Use cases
- Implementing automated security scanning in a new CI/CD pipeline
- Tuning existing SAST configurations to reduce noise and improve developer productivity
- Developing custom Semgrep or CodeQL rules for organization-specific security patterns