Does it support custom security rule creation?

Absolutely. It includes specific guidance and templates for developing custom rules that target unique security requirements or proprietary code patterns.

How does this skill help with false positives?

It provides strategies for rule tuning, pattern optimization, and exclusion management to ensure developers only spend time on actionable security findings.

Can I use this for CI/CD integration?

Yes, it includes templates and examples for integrating security scans into various platforms like GitHub Actions, GitLab CI, and Jenkins.

Which SAST tools does this skill support?

The skill provides comprehensive configuration guidance for Semgrep, SonarQube, and CodeQL, covering a wide range of programming languages and frameworks.

SAST Configuration & Security Scanning

Name: SAST Configuration & Security Scanning
Author: HermeticOrmus

byHermeticOrmus

0•

安全与测试

Configures and optimizes Static Application Security Testing (SAST) tools to automate vulnerability detection within your codebase.

This skill streamlines the implementation of DevSecOps by providing expert guidance on setting up and fine-tuning industry-leading SAST tools like Semgrep, SonarQube, and CodeQL. It assists developers in creating custom security rules, establishing quality gates, and integrating automated scanning into CI/CD pipelines. Whether you are aiming for regulatory compliance or simply reducing technical debt, this skill helps minimize false positives and ensures a robust security posture across multiple programming languages and frameworks.

主要功能

01Custom security rule and pattern matching creation

02Compliance-focused policy enforcement for PCI-DSS and SOC 2

03Multi-tool setup for Semgrep, SonarQube, and CodeQL

04CI/CD pipeline integration for automated security gates

050 GitHub stars

06False positive reduction and scan performance tuning

使用场景

01Conducting a baseline security audit and remediation roadmap for legacy codebases

02Implementing automated security scanning in a new GitHub Actions or GitLab CI pipeline

03Creating organization-specific security rules to catch proprietary code vulnerabilities

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add hermeticormus/after-the-third-cup sast-configuration

For use in Claude.ai and ChatGPT

Download Skill