Can I use this for CI/CD integration?

Yes, it includes specific patterns and templates for integrating security scans into GitHub Actions, GitLab CI, and Jenkins pipelines.

How does this help with false positives?

The skill offers strategies for rule tuning, path filtering, and creating allow lists to minimize noise and focus on legitimate security risks.

Does it support custom security rules?

Absolutely, it includes templates and best practices for writing custom pattern-based rules and queries tailored to your project's unique security requirements.

Which SAST tools does this skill support?

This skill provides specialized configuration guidance for Semgrep, SonarQube, and CodeQL, covering over 30 programming languages.

SAST Configuration & Security Scanning

Name: SAST Configuration & Security Scanning
Author: HermeticOrmus

byHermeticOrmus

보안 및 테스팅

Configures and optimizes static application security testing tools to automate vulnerability detection within the development lifecycle.

소개

This skill empowers Claude to set up, configure, and fine-tune industry-standard Static Application Security Testing (SAST) tools such as Semgrep, SonarQube, and CodeQL. It provides comprehensive guidance for creating custom security rules, establishing CI/CD quality gates, and reducing false positives across multiple programming languages. By integrating defense-in-depth security scanning directly into your workflow, this skill helps teams implement robust DevSecOps practices, enforce compliance policies, and maintain high-security standards without sacrificing development velocity.

주요 기능

Multi-tool configuration for Semgrep, SonarQube, and CodeQL
0 GitHub stars
CI/CD pipeline integration for DevSecOps automation
Custom security rule development for diverse programming languages
Quality gate and compliance policy enforcement (PCI-DSS, SOC 2)
False positive tuning and scan performance optimization

사용 사례

Integrating automated security scanning into GitHub Actions or GitLab CI/CD pipelines
Automating vulnerability detection in a new project or legacy codebase
Developing custom security rules to enforce specific organizational coding standards

소개

주요 기능

Multi-tool configuration for Semgrep, SonarQube, and CodeQL
0 GitHub stars
CI/CD pipeline integration for DevSecOps automation
Custom security rule development for diverse programming languages
Quality gate and compliance policy enforcement (PCI-DSS, SOC 2)
False positive tuning and scan performance optimization

사용 사례

Integrating automated security scanning into GitHub Actions or GitLab CI/CD pipelines
Automating vulnerability detection in a new project or legacy codebase
Developing custom security rules to enforce specific organizational coding standards