Is custom rule creation supported?

Yes, it provides detailed guidance on developing custom security queries and pattern-based rules for deep, context-aware code analysis.

What SAST tools does this skill support?

The skill provides comprehensive configuration guidance for Semgrep, SonarQube, and CodeQL, covering over 30 programming languages.

How does it handle false positives in security scans?

The skill offers advanced strategies for rule tuning, path exclusion for test files, and the creation of organizational allow-lists to minimize noise.

Does it help with security compliance?

Absolutely. It includes specific scanning configurations and rule-sets tailored for industry standards like PCI-DSS and SOC 2.

Can I use this for CI/CD automation?

Yes, it includes ready-to-use templates and patterns for integrating security scans into popular platforms like GitHub Actions, GitLab CI, and Jenkins.

SAST Security Configuration

Name: SAST Security Configuration
Author: amurata

byamurata

•

Security & Testing

Configures and optimizes Static Application Security Testing (SAST) tools to automate vulnerability detection in application code.

About

This skill empowers developers to implement robust DevSecOps practices by streamlining the setup and configuration of industry-leading security tools like Semgrep, SonarQube, and CodeQL. It provides specialized guidance on creating custom security rules, establishing automated quality gates in CI/CD pipelines, and optimizing scan performance to reduce false positives. Whether you are bootstrapping a new project or preparing for a compliance audit like PCI-DSS, this skill ensures your codebase remains secure through comprehensive static analysis and defense-in-depth patterns.

Key Features

3 GitHub stars
Custom security rule development with pattern matching
Multi-tool integration for Semgrep, SonarQube, and CodeQL
False positive tuning and performance optimization
CI/CD pipeline automation for GitHub, GitLab, and Jenkins
Quality gate and compliance policy enforcement

Use Cases

Integrating security quality gates into GitHub Actions to block insecure code merges.
Setting up automated security scanning for a new repository to establish a security baseline.
Developing custom Semgrep rules to detect organization-specific proprietary vulnerabilities.

About

Key Features

3 GitHub stars
Custom security rule development with pattern matching
Multi-tool integration for Semgrep, SonarQube, and CodeQL
False positive tuning and performance optimization
CI/CD pipeline automation for GitHub, GitLab, and Jenkins
Quality gate and compliance policy enforcement

Use Cases

Integrating security quality gates into GitHub Actions to block insecure code merges.
Setting up automated security scanning for a new repository to establish a security baseline.
Developing custom Semgrep rules to detect organization-specific proprietary vulnerabilities.