Does it help with reducing false positives?

Yes, the skill provides specific strategies for rule optimization, exclusion patterns, and noise reduction to improve scan accuracy.

Can I use this for CI/CD integration?

Yes, it includes templates and patterns for integrating security scans into GitHub Actions, GitLab CI, and Jenkins pipelines.

What tools does this skill support?

This skill provides specialized configuration guidance and automation patterns for Semgrep, SonarQube, and CodeQL.

Is it suitable for enterprise security compliance?

Absolutely. It covers quality gate settings and rulesets for major compliance standards like PCI-DSS and SOC 2.

SAST Security Configuration

Name: SAST Security Configuration
Author: amurata

byamurata

•

セキュリティとテスト

Configures and optimizes Static Application Security Testing (SAST) tools for automated vulnerability detection across multiple programming languages.

概要

This skill provides comprehensive guidance for setting up and fine-tuning industry-leading SAST tools like Semgrep, SonarQube, and CodeQL. It enables developers to integrate security scanning into CI/CD pipelines, create custom security rules, manage false positives, and maintain high code quality standards. Whether you are establishing a security baseline for a new project or optimizing an existing DevSecOps workflow, this skill helps automate the detection of vulnerabilities and ensures compliance with security best practices.

主な機能

Custom rule creation for Semgrep, SonarQube, and CodeQL
CI/CD pipeline integration for automated security gates
False positive management and scan performance optimization
3 GitHub stars
Support for multi-language security scanning and analysis
Implementation of DevSecOps best practices and compliance policies

ユースケース

Setting up an automated security scanning pipeline for a new web application.
Optimizing SonarQube quality gates to reduce technical debt and security hotspots.
Writing custom Semgrep rules to detect organization-specific code patterns.

概要

主な機能

Custom rule creation for Semgrep, SonarQube, and CodeQL
CI/CD pipeline integration for automated security gates
False positive management and scan performance optimization
3 GitHub stars
Support for multi-language security scanning and analysis
Implementation of DevSecOps best practices and compliance policies

ユースケース

Setting up an automated security scanning pipeline for a new web application.
Optimizing SonarQube quality gates to reduce technical debt and security hotspots.
Writing custom Semgrep rules to detect organization-specific code patterns.