What tools does the SAST Configuration skill support?

This skill provides configuration and optimization guidance for leading SAST tools including Semgrep, SonarQube, and CodeQL.

Does it help with compliance requirements?

Absolutely; it includes specialized scanning templates for PCI-DSS and SOC 2 to ensure your code meets specific industry compliance standards.

Can I use this for CI/CD integration?

Yes, it includes specific implementation patterns and templates for integrating security scans into GitHub Actions, GitLab CI, and Jenkins.

Is it suitable for large-scale enterprise codebases?

Yes, the skill offers optimization strategies such as incremental scanning, path filtering, and parallelization to maintain high performance even on large projects.

How does this skill handle false positives?

The skill provides best practices for tuning rule sensitivity, creating allow lists, and documenting legitimate suppressions to ensure your security reports are actionable and low-noise.

SAST Security Configuration

Name: SAST Security Configuration
Author: HermeticOrmus

byHermeticOrmus

0•

Security & Testing

Configures and optimizes Static Application Security Testing (SAST) tools to automate vulnerability detection within the development lifecycle.

The SAST Configuration skill provides professional guidance for implementing robust security scanning by configuring industry-standard tools like Semgrep, SonarQube, and CodeQL. It assists developers and DevSecOps teams in establishing security baselines, creating custom detection rules tailored to specific codebases, and integrating automated checks directly into CI/CD pipelines to catch vulnerabilities before they reach production. By streamlining the setup of quality gates and compliance policies, this skill ensures a defense-in-depth approach to application security.

Key Features

01Quality gate and compliance policy configuration (PCI-DSS, SOC 2)

020 GitHub stars

03Custom security rule creation with advanced pattern matching

04CI/CD pipeline integration for GitHub, GitLab, and Jenkins

05Automated setup for Semgrep, SonarQube, and CodeQL

06False positive tuning and scan performance optimization

Use Cases

01Establishing a security scanning baseline for a new enterprise software project

02Implementing automated DevSecOps workflows within GitHub Actions or GitLab CI

03Developing custom security rules to detect organization-specific code vulnerabilities

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add hermeticormus/alqvimia-contador sast-configuration

For use in Claude.ai and ChatGPT

Download Skill