Is this skill specific to a certain programming language?

No, it covers a wide range of environments including Python, JavaScript, Go, and Java, with language-specific security profiles for each.

Does it support custom security rules?

Absolutely. It provides detailed guidance and templates for creating custom security patterns and rules tailored to your project's specific security needs.

How does it handle false positives?

The skill offers strategies for tuning rule sensitivity, excluding specific paths like test files, and implementing organization-specific exceptions to reduce noise.

Can I use this for CI/CD integration?

Yes, the skill includes templates and patterns for integrating security scans into GitHub Actions, GitLab CI, Jenkins, and pre-commit hooks.

What tools does this skill support?

It provides comprehensive configuration guidance for major SAST tools including Semgrep, SonarQube, and CodeQL across various programming languages.

SAST Configuration & Security Scanning

Name: SAST Configuration & Security Scanning
Author: HermeticOrmus

byHermeticOrmus

Security & Testing

Configures and optimizes Static Application Security Testing (SAST) tools to automate code vulnerability detection and enforce DevSecOps best practices.

About

This skill provides specialized guidance for implementing comprehensive Static Application Security Testing (SAST) across modern software projects. It streamlines the setup of industry-standard tools like Semgrep, SonarQube, and CodeQL, enabling developers to automate vulnerability detection, create custom security rules, and integrate security checkpoints directly into CI/CD pipelines. It is particularly useful for teams looking to 'shift security left,' reduce technical debt, and ensure compliance with security standards like PCI-DSS or SOC 2 through automated, high-performance code analysis.

Key Features

Performance optimization and false-positive reduction strategies
Language-specific security profiling and compliance mapping
CI/CD pipeline integration and quality gate enforcement
Custom security rule creation and pattern matching
Multi-tool setup for Semgrep, SonarQube, and CodeQL
0 GitHub stars

Use Cases

Setting up automated security scanning in GitHub Actions or GitLab CI pipelines
Implementing blocking quality gates to prevent insecure code from reaching production
Creating custom security rules to catch organization-specific code vulnerabilities

About

Key Features

Performance optimization and false-positive reduction strategies
Language-specific security profiling and compliance mapping
CI/CD pipeline integration and quality gate enforcement
Custom security rule creation and pattern matching
Multi-tool setup for Semgrep, SonarQube, and CodeQL
0 GitHub stars

Use Cases

Setting up automated security scanning in GitHub Actions or GitLab CI pipelines
Implementing blocking quality gates to prevent insecure code from reaching production
Creating custom security rules to catch organization-specific code vulnerabilities