How do I install Sast Configuration?

Install Sast Configuration with a single command: npx mdskills install sickn33/sast-configuration. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Sast Configuration?

Sast Configuration works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Sast Configuration

Name: Sast Configuration: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

Testing & QAIntermediate

Configure Static Application Security Testing (SAST) tools for automated vulnerability detection in application code. Use when setting up security scanning, implementing DevSecOps practices, or automating code vulnerability detection.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/sast-configuration

Fork & Edit

Skill Advisor8.0

Comprehensive SAST setup guide with multi-tool coverage, integration patterns, and tuning strategies.

+Covers three major SAST tools with practical examples and comparison table
+Includes CI/CD integration patterns, custom rule templates, and troubleshooting
+Addresses false positive management and performance optimization explicitly
-References external files (references/, assets/, scripts/) that may not exist

SKILL.md

Edit in Browser

1---
2name: sast-configuration
3description: Configure Static Application Security Testing (SAST) tools for automated vulnerability detection in application code. Use when setting up security scanning, implementing DevSecOps practices, or automating code vulnerability detection.
4---
5 
6# SAST Configuration
7 
8Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.
9 
10## Use this skill when
11 
12- Set up SAST scanning in CI/CD pipelines
13- Create custom security rules for your codebase
14- Configure quality gates and compliance policies
15- Optimize scan performance and reduce false positives
16- Integrate multiple SAST tools for defense-in-depth
17 
18## Do not use this skill when
19 
20- You only need DAST or manual penetration testing guidance
21- You cannot access source code or CI/CD pipelines
22- You need organizational policy decisions rather than tooling setup
23 
24## Instructions
25 
261. Identify languages, repos, and compliance requirements.
272. Choose tools and define a baseline policy.
283. Integrate scans into CI/CD with gating thresholds.
294. Tune rules and suppressions based on false positives.
305. Track remediation and verify fixes.
31 
32## Safety
33 
34- Avoid scanning sensitive repos with third-party services without approval.
35- Prevent leaks of secrets in scan artifacts and logs.
36 
37## Overview
38 
39This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL.
40 
41## Core Capabilities
42 
43### 1. Semgrep Configuration
44- Custom rule creation with pattern matching
45- Language-specific security rules (Python, JavaScript, Go, Java, etc.)
46- CI/CD integration (GitHub Actions, GitLab CI, Jenkins)
47- False positive tuning and rule optimization
48- Organizational policy enforcement
49 
50### 2. SonarQube Setup
51- Quality gate configuration
52- Security hotspot analysis
53- Code coverage and technical debt tracking
54- Custom quality profiles for languages
55- Enterprise integration with LDAP/SAML
56 
57### 3. CodeQL Analysis
58- GitHub Advanced Security integration
59- Custom query development
60- Vulnerability variant analysis
61- Security research workflows
62- SARIF result processing
63 
64## Quick Start
65 
66### Initial Assessment
671. Identify primary programming languages in your codebase
682. Determine compliance requirements (PCI-DSS, SOC 2, etc.)
693. Choose SAST tool based on language support and integration needs
704. Review baseline scan to understand current security posture
71 
72### Basic Setup
73```bash
74# Semgrep quick start
75pip install semgrep
76semgrep --config=auto --error
77 
78# SonarQube with Docker
79docker run -d --name sonarqube -p 9000:9000 sonarqube:latest
80 
81# CodeQL CLI setup
82gh extension install github/gh-codeql
83codeql database create mydb --language=python
84```
85 
86## Reference Documentation
87 
88- [Semgrep Rule Creation](references/semgrep-rules.md) - Pattern-based security rule development
89- [SonarQube Configuration](references/sonarqube-config.md) - Quality gates and profiles
90- [CodeQL Setup Guide](references/codeql-setup.md) - Query development and workflows
91 
92## Templates & Assets
93 
94- [semgrep-config.yml](assets/semgrep-config.yml) - Production-ready Semgrep configuration
95- [sonarqube-settings.xml](assets/sonarqube-settings.xml) - SonarQube quality profile template
96- [run-sast.sh](scripts/run-sast.sh) - Automated SAST execution script
97 
98## Integration Patterns
99 
100### CI/CD Pipeline Integration
101```yaml
102# GitHub Actions example
103- name: Run Semgrep
104  uses: returntocorp/semgrep-action@v1
105  with:
106    config: >-
107      p/security-audit
108      p/owasp-top-ten
109```
110 
111### Pre-commit Hook
112```bash
113# .pre-commit-config.yaml
114- repo: https://github.com/returntocorp/semgrep
115  rev: v1.45.0
116  hooks:
117    - id: semgrep
118      args: ['--config=auto', '--error']
119```
120 
121## Best Practices
122 
1231. **Start with Baseline**
124   - Run initial scan to establish security baseline
125   - Prioritize critical and high severity findings
126   - Create remediation roadmap
127 
1282. **Incremental Adoption**
129   - Begin with security-focused rules
130   - Gradually add code quality rules
131   - Implement blocking only for critical issues
132 
1333. **False Positive Management**
134   - Document legitimate suppressions
135   - Create allow lists for known safe patterns
136   - Regularly review suppressed findings
137 
1384. **Performance Optimization**
139   - Exclude test files and generated code
140   - Use incremental scanning for large codebases
141   - Cache scan results in CI/CD
142 
1435. **Team Enablement**
144   - Provide security training for developers
145   - Create internal documentation for common patterns
146   - Establish security champions program
147 
148## Common Use Cases
149 
150### New Project Setup
151```bash
152./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube
153```
154 
155### Custom Rule Development
156```yaml
157# See references/semgrep-rules.md for detailed examples
158rules:
159  - id: hardcoded-jwt-secret
160    pattern: jwt.encode($DATA, "...", ...)
161    message: JWT secret should not be hardcoded
162    severity: ERROR
163```
164 
165### Compliance Scanning
166```bash
167# PCI-DSS focused scan
168semgrep --config p/pci-dss --json -o pci-scan-results.json
169```
170 
171## Troubleshooting
172 
173### High False Positive Rate
174- Review and tune rule sensitivity
175- Add path filters to exclude test files
176- Use nostmt metadata for noisy patterns
177- Create organization-specific rule exceptions
178 
179### Performance Issues
180- Enable incremental scanning
181- Parallelize scans across modules
182- Optimize rule patterns for efficiency
183- Cache dependencies and scan results
184 
185### Integration Failures
186- Verify API tokens and credentials
187- Check network connectivity and proxy settings
188- Review SARIF output format compatibility
189- Validate CI/CD runner permissions
190 
191## Related Skills
192 
193- [OWASP Top 10 Checklist](../owasp-top10-checklist/SKILL.md)
194- [Container Security](../container-security/SKILL.md)
195- [Dependency Scanning](../dependency-scanning/SKILL.md)
196 
197## Tool Comparison
198 
199| Tool | Best For | Language Support | Cost | Integration |
200|------|----------|------------------|------|-------------|
201| Semgrep | Custom rules, fast scans | 30+ languages | Free/Enterprise | Excellent |
202| SonarQube | Code quality + security | 25+ languages | Free/Commercial | Good |
203| CodeQL | Deep analysis, research | 10+ languages | Free (OSS) | GitHub native |
204 
205## Next Steps
206 
2071. Complete initial SAST tool setup
2082. Run baseline security scan
2093. Create custom rules for organization-specific patterns
2104. Integrate into CI/CD pipeline
2115. Establish security gate policies
2126. Train development team on findings and remediation
213

Full transparency — inspect the skill content before installing.