Can I use this for CI/CD integration?

Yes, it includes specific patterns and templates for integrating security scans into GitHub Actions, GitLab CI, and Jenkins pipelines.

How does this help with false positives?

The skill offers strategies for rule tuning, path filtering, and creating allow lists to minimize noise and focus on legitimate security risks.

Does it support custom security rules?

Absolutely, it includes templates and best practices for writing custom pattern-based rules and queries tailored to your project's unique security requirements.

Which SAST tools does this skill support?

This skill provides specialized configuration guidance for Semgrep, SonarQube, and CodeQL, covering over 30 programming languages.

SAST Configuration & Security Scanning

Name: SAST Configuration & Security Scanning
Author: HermeticOrmus

byHermeticOrmus

0•

安全与测试

Configures and optimizes static application security testing tools to automate vulnerability detection within the development lifecycle.

This skill empowers Claude to set up, configure, and fine-tune industry-standard Static Application Security Testing (SAST) tools such as Semgrep, SonarQube, and CodeQL. It provides comprehensive guidance for creating custom security rules, establishing CI/CD quality gates, and reducing false positives across multiple programming languages. By integrating defense-in-depth security scanning directly into your workflow, this skill helps teams implement robust DevSecOps practices, enforce compliance policies, and maintain high-security standards without sacrificing development velocity.

主要功能

01Multi-tool configuration for Semgrep, SonarQube, and CodeQL

020 GitHub stars

03CI/CD pipeline integration for DevSecOps automation

04Custom security rule development for diverse programming languages

05Quality gate and compliance policy enforcement (PCI-DSS, SOC 2)

06False positive tuning and scan performance optimization

使用场景

01Integrating automated security scanning into GitHub Actions or GitLab CI/CD pipelines

02Automating vulnerability detection in a new project or legacy codebase

03Developing custom security rules to enforce specific organizational coding standards

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add hermeticormus/alqvimia-contador sast-configuration

For use in Claude.ai and ChatGPT

主要功能

01Multi-tool configuration for Semgrep, SonarQube, and CodeQL

020 GitHub stars

03CI/CD pipeline integration for DevSecOps automation

04Custom security rule development for diverse programming languages

05Quality gate and compliance policy enforcement (PCI-DSS, SOC 2)

06False positive tuning and scan performance optimization

使用场景

01Integrating automated security scanning into GitHub Actions or GitLab CI/CD pipelines

02Automating vulnerability detection in a new project or legacy codebase

03Developing custom security rules to enforce specific organizational coding standards

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add hermeticormus/alqvimia-contador sast-configuration

For use in Claude.ai and ChatGPT