Which SAST tools does this skill support?

The skill provides specialized guidance and configuration templates for Semgrep, SonarQube, and CodeQL, covering over 30 programming languages.

Can I use this for CI/CD integration?

Yes, it includes ready-to-use patterns for integrating security scans into GitHub Actions, GitLab CI, and Jenkins to automate your security checks.

Is this suitable for compliance scanning?

Absolutely. It includes configurations and profiles designed to meet industry standards like the OWASP Top 10, PCI-DSS, and SOC 2 requirements.

Can I create custom security rules with this skill?

Yes, it offers guidance on writing custom YAML-based rules for Semgrep and advanced query development for CodeQL to catch project-specific security issues.

How does this help with false positives?

It provides strategies for rule tuning, path exclusion, and metadata tagging to filter out noise and focus on critical, actionable security vulnerabilities.

SAST Configuration & Security Scanning

Name: SAST Configuration & Security Scanning
Author: HermeticOrmus

byHermeticOrmus

0•

セキュリティとテスト

Configures and optimizes Static Application Security Testing (SAST) tools to automate vulnerability detection and enforce secure coding standards.

This skill empowers developers and security teams to implement robust Static Application Security Testing (SAST) by providing specialized guidance for tools like Semgrep, SonarQube, and CodeQL. It streamlines the setup of security scanning within CI/CD pipelines, facilitates the creation of custom security rules, and helps reduce false positives through expert fine-tuning. Whether you are establishing a new DevSecOps practice or performing a deep security audit, this skill ensures your codebase remains protected against vulnerabilities through automated, language-specific analysis and compliance-driven policy enforcement.

主な機能

01Multi-tool integration for Semgrep, SonarQube, and CodeQL

02Custom security rule creation and pattern matching

03Automated CI/CD pipeline security gate configuration

04False positive reduction and scan performance optimization

05Compliance policy enforcement for OWASP, PCI-DSS, and SOC 2

060 GitHub stars

ユースケース

01Creating custom security rules to identify organization-specific code smells

02Preparing software projects for security audits and compliance certifications

03Establishing a DevSecOps pipeline for automated vulnerability detection

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add hermeticormus/hermetic-academy sast-configuration

For use in Claude.ai and ChatGPT

Download Skill