Which SAST tools does this skill support?

The skill provides specialized guidance and configuration templates for Semgrep, SonarQube, and CodeQL, covering over 30 programming languages.

Can I use this for CI/CD integration?

Yes, it includes ready-to-use patterns for integrating security scans into GitHub Actions, GitLab CI, and Jenkins to automate your security checks.

Is this suitable for compliance scanning?

Absolutely. It includes configurations and profiles designed to meet industry standards like the OWASP Top 10, PCI-DSS, and SOC 2 requirements.

Can I create custom security rules with this skill?

Yes, it offers guidance on writing custom YAML-based rules for Semgrep and advanced query development for CodeQL to catch project-specific security issues.

How does this help with false positives?

It provides strategies for rule tuning, path exclusion, and metadata tagging to filter out noise and focus on critical, actionable security vulnerabilities.

SAST Configuration & Security Scanning

Name: SAST Configuration & Security Scanning
Author: HermeticOrmus

byHermeticOrmus

Security & Testing

Configures and optimizes Static Application Security Testing (SAST) tools to automate vulnerability detection and enforce secure coding standards.

About

This skill empowers developers and security teams to implement robust Static Application Security Testing (SAST) by providing specialized guidance for tools like Semgrep, SonarQube, and CodeQL. It streamlines the setup of security scanning within CI/CD pipelines, facilitates the creation of custom security rules, and helps reduce false positives through expert fine-tuning. Whether you are establishing a new DevSecOps practice or performing a deep security audit, this skill ensures your codebase remains protected against vulnerabilities through automated, language-specific analysis and compliance-driven policy enforcement.

Key Features

Multi-tool integration for Semgrep, SonarQube, and CodeQL
Custom security rule creation and pattern matching
Automated CI/CD pipeline security gate configuration
False positive reduction and scan performance optimization
Compliance policy enforcement for OWASP, PCI-DSS, and SOC 2
0 GitHub stars

Use Cases

Creating custom security rules to identify organization-specific code smells
Preparing software projects for security audits and compliance certifications
Establishing a DevSecOps pipeline for automated vulnerability detection

About

Key Features

Multi-tool integration for Semgrep, SonarQube, and CodeQL
Custom security rule creation and pattern matching
Automated CI/CD pipeline security gate configuration
False positive reduction and scan performance optimization
Compliance policy enforcement for OWASP, PCI-DSS, and SOC 2
0 GitHub stars

Use Cases

Creating custom security rules to identify organization-specific code smells
Preparing software projects for security audits and compliance certifications
Establishing a DevSecOps pipeline for automated vulnerability detection