Can I use this for custom security rules?

Yes, it includes specific instructions and templates for creating custom security rules tailored to your organization's specific codebase and requirements.

How does this help with CI/CD integration?

It provides ready-to-use YAML examples and script patterns for GitHub Actions, GitLab CI, and Jenkins to ensure every code change is scanned automatically.

How does it handle false positives in security scans?

The skill provides best practices for rule tuning, path exclusions, and implementing organizational exception policies to minimize noise.

What SAST tools does this skill support?

The skill provides comprehensive configuration guidance for Semgrep, SonarQube, and CodeQL, covering setup, rule creation, and pipeline integration.

Does it support compliance standards like PCI-DSS?

Yes, the skill includes guidance on configuring tools to scan for patterns required by PCI-DSS, SOC 2, and the OWASP Top 10.

SAST Configuration & Security Scanning

Name: SAST Configuration & Security Scanning
Author: HermeticOrmus

byHermeticOrmus

セキュリティとテスト

Configures Static Application Security Testing (SAST) tools for automated vulnerability detection and DevSecOps integration across multiple programming languages.

概要

This skill provides comprehensive guidance for implementing and optimizing Static Application Security Testing (SAST) within your software development lifecycle. It streamlines the setup of industry-standard tools like Semgrep, SonarQube, and CodeQL, enabling teams to automate vulnerability detection, define custom security rules, and enforce quality gates in CI/CD pipelines. Whether you are conducting a baseline security audit or establishing a mature DevSecOps practice, this skill helps reduce false positives and ensures code compliance with standards like PCI-DSS and SOC 2.

主な機能

0 GitHub stars
CI/CD pipeline integration for GitHub Actions, GitLab, and Jenkins
Performance optimization and false positive reduction strategies
Automated setup for Semgrep, SonarQube, and CodeQL
Compliance policy enforcement for OWASP Top 10 and PCI-DSS
Custom security rule development for domain-specific patterns

ユースケース

Setting up automated security scanning for a new multi-language project
Integrating security quality gates into existing CI/CD workflows to block vulnerable code
Creating custom Semgrep rules to prevent company-specific security anti-patterns