Which SAST tools does this skill support?

The skill provides comprehensive configuration and integration guidance for Semgrep, SonarQube, and CodeQL.

Can I create custom security rules with this skill?

Yes, it includes specialized patterns and templates for developing custom security rules tailored to your specific codebase and security requirements.

Does it support CI/CD integration?

Absolutely. It provides ready-to-use YAML configurations and scripts for integrating security scans into GitHub Actions, GitLab CI, and Jenkins.

How does it handle false positives?

It includes best practices for rule tuning, path exclusions, and organizational policy enforcement to minimize noise and focus on critical vulnerabilities.

Can I use this for compliance scanning?

Yes, the skill includes configurations specifically designed for compliance standards like PCI-DSS, SOC 2, and the OWASP Top 10.

SAST Configuration & Security Scanning

Name: SAST Configuration & Security Scanning
Author: kivilaid

bykivilaid

•

セキュリティとテスト

Configures and automates Static Application Security Testing (SAST) tools for comprehensive vulnerability detection in application code.

概要

This skill streamlines the implementation of DevSecOps by providing expert guidance on setting up and optimizing SAST tools like Semgrep, SonarQube, and CodeQL. It enables developers to automate code security audits, develop custom security rules, and establish automated quality gates within CI/CD pipelines. By leveraging this skill, teams can improve their security posture through proactive vulnerability detection, false-positive reduction, and compliance-driven scanning across multiple programming languages.

主な機能

Custom security rule creation and pattern matching
6 GitHub stars
Multi-tool setup for Semgrep, SonarQube, and CodeQL
Compliance-focused scanning for PCI-DSS and OWASP standards
CI/CD pipeline integration patterns (GitHub, GitLab, Jenkins)
False positive tuning and performance optimization

ユースケース

Creating custom detection patterns for organization-specific security requirements
Establishing a security baseline for new or existing codebases
Integrating automated security gates into the development lifecycle

概要

主な機能

Custom security rule creation and pattern matching
6 GitHub stars
Multi-tool setup for Semgrep, SonarQube, and CodeQL
Compliance-focused scanning for PCI-DSS and OWASP standards
CI/CD pipeline integration patterns (GitHub, GitLab, Jenkins)
False positive tuning and performance optimization

ユースケース

Creating custom detection patterns for organization-specific security requirements
Establishing a security baseline for new or existing codebases
Integrating automated security gates into the development lifecycle