Is custom rule creation supported?

Yes, it provides detailed guidance on developing custom security queries and pattern-based rules for deep, context-aware code analysis.

What SAST tools does this skill support?

The skill provides comprehensive configuration guidance for Semgrep, SonarQube, and CodeQL, covering over 30 programming languages.

How does it handle false positives in security scans?

The skill offers advanced strategies for rule tuning, path exclusion for test files, and the creation of organizational allow-lists to minimize noise.

Does it help with security compliance?

Absolutely. It includes specific scanning configurations and rule-sets tailored for industry standards like PCI-DSS and SOC 2.

Can I use this for CI/CD automation?

Yes, it includes ready-to-use templates and patterns for integrating security scans into popular platforms like GitHub Actions, GitLab CI, and Jenkins.

SAST Security Configuration

Name: SAST Security Configuration
Author: amurata

byamurata

•

Security & Testing

Configures and optimizes Static Application Security Testing (SAST) tools to automate vulnerability detection in application code.

This skill empowers developers to implement robust DevSecOps practices by streamlining the setup and configuration of industry-leading security tools like Semgrep, SonarQube, and CodeQL. It provides specialized guidance on creating custom security rules, establishing automated quality gates in CI/CD pipelines, and optimizing scan performance to reduce false positives. Whether you are bootstrapping a new project or preparing for a compliance audit like PCI-DSS, this skill ensures your codebase remains secure through comprehensive static analysis and defense-in-depth patterns.

Key Features

013 GitHub stars

02Custom security rule development with pattern matching

03Multi-tool integration for Semgrep, SonarQube, and CodeQL

04False positive tuning and performance optimization

05CI/CD pipeline automation for GitHub, GitLab, and Jenkins

06Quality gate and compliance policy enforcement

Use Cases

01Integrating security quality gates into GitHub Actions to block insecure code merges.

02Setting up automated security scanning for a new repository to establish a security baseline.

03Developing custom Semgrep rules to detect organization-specific proprietary vulnerabilities.

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add amurata/cc-tools sast-configuration

For use in Claude.ai and ChatGPT

Download Skill