Does it help with compliance scanning?

Yes, it includes configurations specifically designed to audit code against standards like PCI-DSS, SOC 2, and the OWASP Top 10.

Which SAST tools does this skill support?

This skill provides comprehensive configuration guidance for Semgrep, SonarQube, and CodeQL across multiple programming languages.

How does it handle false positives in security scans?

The skill provides strategies for rule tuning, path exclusion, and organizational policy enforcement to ensure scan results are relevant and actionable.

Can I use this for CI/CD pipeline automation?

Yes, it includes ready-to-use templates and patterns for GitHub Actions, GitLab CI, and Jenkins to automate security scanning on every push.

SAST Security Configuration

Name: SAST Security Configuration
Author: HermeticOrmus

byHermeticOrmus

安全与测试

Configures and optimizes Static Application Security Testing (SAST) tools to automate code vulnerability detection and enforce security standards.

关于

The SAST Configuration skill empowers developers to implement robust Static Application Security Testing workflows using industry-standard tools like Semgrep, SonarQube, and CodeQL. It provides specialized guidance for creating custom security rules, establishing quality gates, and integrating automated scans directly into CI/CD pipelines. By automating the identification of vulnerabilities early in the development lifecycle, this skill helps teams maintain high security standards, reduce false positives, and ensure compliance with industry frameworks like OWASP, PCI-DSS, and SOC 2.

主要功能

Quality gate configuration and compliance policy enforcement
Custom security rule development and pattern matching
Automated setup for Semgrep, SonarQube, and CodeQL
Optimization strategies to reduce false positives and scan time
0 GitHub stars
Seamless CI/CD pipeline and pre-commit hook integration

使用场景

Establishing a security baseline for new or existing codebases
Automating vulnerability detection within GitHub Actions or GitLab CI
Developing organization-specific security rules for custom frameworks

关于

主要功能

Quality gate configuration and compliance policy enforcement
Custom security rule development and pattern matching
Automated setup for Semgrep, SonarQube, and CodeQL
Optimization strategies to reduce false positives and scan time
0 GitHub stars
Seamless CI/CD pipeline and pre-commit hook integration

使用场景

Establishing a security baseline for new or existing codebases
Automating vulnerability detection within GitHub Actions or GitLab CI
Developing organization-specific security rules for custom frameworks