Agent skill

sast-configuration

Configure Static Application Security Testing (SAST) tools for automated vulnerability detection in application code. Use when setting up security scanning, implementing DevSecOps practices, or automating code vulnerability detection.

View SKILL.md on GitHub Repository
Stars 5
Forks 0

Install this agent skill to your Project

npx add-skill https://github.com/camoneart/claude-code/tree/main/skills/sast-configuration

SKILL.md

SAST Configuration

Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.

Overview

This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL. Use this skill when you need to:

  • Set up SAST scanning in CI/CD pipelines
  • Create custom security rules for your codebase
  • Configure quality gates and compliance policies
  • Optimize scan performance and reduce false positives
  • Integrate multiple SAST tools for defense-in-depth

Core Capabilities

1. Semgrep Configuration

  • Custom rule creation with pattern matching
  • Language-specific security rules (Python, JavaScript, Go, Java, etc.)
  • CI/CD integration (GitHub Actions, GitLab CI, Jenkins)
  • False positive tuning and rule optimization
  • Organizational policy enforcement

2. SonarQube Setup

  • Quality gate configuration
  • Security hotspot analysis
  • Code coverage and technical debt tracking
  • Custom quality profiles for languages
  • Enterprise integration with LDAP/SAML

3. CodeQL Analysis

  • GitHub Advanced Security integration
  • Custom query development
  • Vulnerability variant analysis
  • Security research workflows
  • SARIF result processing

Quick Start

Initial Assessment

  1. Identify primary programming languages in your codebase
  2. Determine compliance requirements (PCI-DSS, SOC 2, etc.)
  3. Choose SAST tool based on language support and integration needs
  4. Review baseline scan to understand current security posture

Basic Setup

bash
# Semgrep quick start
pip install semgrep
semgrep --config=auto --error

# SonarQube with Docker
docker run -d --name sonarqube -p 9000:9000 sonarqube:latest

# CodeQL CLI setup
gh extension install github/gh-codeql
codeql database create mydb --language=python

Reference Documentation

  • Semgrep Rule Creation - Pattern-based security rule development
  • SonarQube Configuration - Quality gates and profiles
  • CodeQL Setup Guide - Query development and workflows

Templates & Assets

  • semgrep-config.yml - Production-ready Semgrep configuration
  • sonarqube-settings.xml - SonarQube quality profile template
  • run-sast.sh - Automated SAST execution script

Integration Patterns

CI/CD Pipeline Integration

yaml
# GitHub Actions example
- name: Run Semgrep
  uses: returntocorp/semgrep-action@v1
  with:
    config: >-
      p/security-audit
      p/owasp-top-ten

Pre-commit Hook

bash
# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
  rev: v1.45.0
  hooks:
    - id: semgrep
      args: ['--config=auto', '--error']

Best Practices

  1. Start with Baseline

    • Run initial scan to establish security baseline
    • Prioritize critical and high severity findings
    • Create remediation roadmap

  2. Incremental Adoption

    • Begin with security-focused rules
    • Gradually add code quality rules
    • Implement blocking only for critical issues

  3. False Positive Management

    • Document legitimate suppressions
    • Create allow lists for known safe patterns
    • Regularly review suppressed findings

  4. Performance Optimization

    • Exclude test files and generated code
    • Use incremental scanning for large codebases
    • Cache scan results in CI/CD

  5. Team Enablement

    • Provide security training for developers
    • Create internal documentation for common patterns
    • Establish security champions program

Common Use Cases

New Project Setup

bash
./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube

Custom Rule Development

yaml
# See references/semgrep-rules.md for detailed examples
rules:
  - id: hardcoded-jwt-secret
    pattern: jwt.encode($DATA, "...", ...)
    message: JWT secret should not be hardcoded
    severity: ERROR

Compliance Scanning

bash
# PCI-DSS focused scan
semgrep --config p/pci-dss --json -o pci-scan-results.json

Troubleshooting

High False Positive Rate

  • Review and tune rule sensitivity
  • Add path filters to exclude test files
  • Use nostmt metadata for noisy patterns
  • Create organization-specific rule exceptions

Performance Issues

  • Enable incremental scanning
  • Parallelize scans across modules
  • Optimize rule patterns for efficiency
  • Cache dependencies and scan results

Integration Failures

  • Verify API tokens and credentials
  • Check network connectivity and proxy settings
  • Review SARIF output format compatibility
  • Validate CI/CD runner permissions

Related Skills

  • OWASP Top 10 Checklist
  • Container Security
  • Dependency Scanning

Tool Comparison

Tool Best For Language Support Cost Integration
Semgrep Custom rules, fast scans 30+ languages Free/Enterprise Excellent
SonarQube Code quality + security 25+ languages Free/Commercial Good
CodeQL Deep analysis, research 10+ languages Free (OSS) GitHub native

Next Steps

  1. Complete initial SAST tool setup
  2. Run baseline security scan
  3. Create custom rules for organization-specific patterns
  4. Integrate into CI/CD pipeline
  5. Establish security gate policies
  6. Train development team on findings and remediation

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

camoneart/claude-code

translating-technical-articles

Translates English technical articles (engineering blogs, documentation) to Japanese while preserving layout and structure. Use when the user asks to translate an article, convert English content to Japanese, or mentions translating a URL or technical blog post.

5 0
Explore
camoneart/claude-code

guiding-tdd-development

Guide Test-Driven Development with task splitting, Red-Green-Refactor cycle, and framework auto-detection. Use when developing features with TDD approach, fixing bugs test-first, or when user mentions "TDD", "テスト駆動開発", "test-first", "/tdd".

5 0
Explore
camoneart/claude-code

distributed-tracing

Implement distributed tracing with Jaeger and Tempo to track requests across microservices and identify performance bottlenecks. Use when debugging microservices, analyzing request flows, or implementing observability for distributed systems.

5 0
Explore
camoneart/claude-code

dependency-upgrade

Manage major dependency version upgrades with compatibility analysis, staged rollout, and comprehensive testing. Use when upgrading framework versions, updating major dependencies, or managing breaking changes in libraries.

5 0
Explore
camoneart/claude-code

stripe-integration

Implement Stripe payment processing for robust, PCI-compliant payment flows including checkout, subscriptions, and webhooks. Use when integrating Stripe payments, building subscription systems, or implementing secure checkout flows.

5 0
Explore
camoneart/claude-code

typescript-advanced-types

Master TypeScript's advanced type system including generics, conditional types, mapped types, template literals, and utility types for building type-safe applications. Use when implementing complex type logic, creating reusable type utilities, or ensuring compile-time type safety in TypeScript projects.

5 0
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results