How does this skill handle false positives?

It provides strategies for rule tuning, path exclusion, and metadata tagging to ensure security findings are accurate and actionable.

Can I create custom security rules?

Absolutely. The skill contains references and templates for writing custom Semgrep patterns and CodeQL queries tailored to your unique codebase.

Can I use this for CI/CD integration?

Yes, it includes detailed patterns and templates for integrating security scans into GitHub Actions, GitLab CI, and Jenkins pipelines.

Does it help with security compliance?

Yes, it includes specific configurations for auditing code against standards such as OWASP Top 10, PCI-DSS, and SOC 2.

Which SAST tools does this skill support?

The skill provides specialized guidance for Semgrep, SonarQube, and CodeQL, covering setup, custom rules, and deep integration workflows.

SAST Configuration & Security Scanning

Name: SAST Configuration & Security Scanning
Author: HermeticOrmus

byHermeticOrmus

보안 및 테스팅

Automates the setup and configuration of Static Application Security Testing (SAST) tools to detect vulnerabilities in source code across multiple languages.

소개

This skill provides a comprehensive framework for implementing and optimizing SAST tools like Semgrep, SonarQube, and CodeQL within the software development lifecycle. It enables developers to automate vulnerability detection, create custom security rules tailored to specific codebases, and integrate security checks directly into CI/CD pipelines. By leveraging this skill, teams can reduce false positives, ensure compliance with standards like OWASP Top 10 or PCI-DSS, and foster a DevSecOps culture through proactive code analysis and performance-optimized scanning patterns.

주요 기능

Multi-tool support including Semgrep, SonarQube, and CodeQL
CI/CD pipeline integration for GitHub Actions, GitLab, and Jenkins
0 GitHub stars
False positive reduction and scan performance optimization
Custom security rule creation and pattern matching
Compliance policy enforcement for PCI-DSS and SOC 2

사용 사례

Implementing automated security scanning in a new CI/CD pipeline
Tuning existing SAST configurations to reduce noise and improve developer productivity
Developing custom Semgrep or CodeQL rules for organization-specific security patterns

소개

주요 기능

Multi-tool support including Semgrep, SonarQube, and CodeQL
CI/CD pipeline integration for GitHub Actions, GitLab, and Jenkins
0 GitHub stars
False positive reduction and scan performance optimization
Custom security rule creation and pattern matching
Compliance policy enforcement for PCI-DSS and SOC 2

사용 사례

Implementing automated security scanning in a new CI/CD pipeline
Tuning existing SAST configurations to reduce noise and improve developer productivity
Developing custom Semgrep or CodeQL rules for organization-specific security patterns