sast-configuration

Sécurité & Conformité

Configure Static Application Security Testing (SAST) tools for automated vulnerability detection in application code. Use when setting up security scanning, implementing DevSecOps practices, or automating code vulnerability detection.

Documentation

SAST Configuration

Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.

Use this skill when

Set up SAST scanning in CI/CD pipelines
Create custom security rules for your codebase
Configure quality gates and compliance policies
Optimize scan performance and reduce false positives
Integrate multiple SAST tools for defense-in-depth

Do not use this skill when

You only need DAST or manual penetration testing guidance
You cannot access source code or CI/CD pipelines
You need organizational policy decisions rather than tooling setup

Instructions

1.Identify languages, repos, and compliance requirements.
2.Choose tools and define a baseline policy.
3.Integrate scans into CI/CD with gating thresholds.
4.Tune rules and suppressions based on false positives.
5.Track remediation and verify fixes.

Safety

Avoid scanning sensitive repos with third-party services without approval.
Prevent leaks of secrets in scan artifacts and logs.

Overview

This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL.

Core Capabilities

1. Semgrep Configuration

Custom rule creation with pattern matching
Language-specific security rules (Python, JavaScript, Go, Java, etc.)
CI/CD integration (GitHub Actions, GitLab CI, Jenkins)
False positive tuning and rule optimization
Organizational policy enforcement

2. SonarQube Setup

Quality gate configuration
Security hotspot analysis
Code coverage and technical debt tracking
Custom quality profiles for languages
Enterprise integration with LDAP/SAML

3. CodeQL Analysis

GitHub Advanced Security integration
Custom query development
Vulnerability variant analysis
Security research workflows
SARIF result processing

Quick Start

Initial Assessment

1.Identify primary programming languages in your codebase
2.Determine compliance requirements (PCI-DSS, SOC 2, etc.)
3.Choose SAST tool based on language support and integration needs
4.Review baseline scan to understand current security posture

Basic Setup

# Semgrep quick start
pip install semgrep
semgrep --config=auto --error

# SonarQube with Docker
docker run -d --name sonarqube -p 9000:9000 sonarqube:latest

# CodeQL CLI setup
gh extension install github/gh-codeql
codeql database create mydb --language=python

Reference Documentation

[Semgrep Rule Creation](references/semgrep-rules.md) - Pattern-based security rule development
[SonarQube Configuration](references/sonarqube-config.md) - Quality gates and profiles
[CodeQL Setup Guide](references/codeql-setup.md) - Query development and workflows

Templates & Assets

[semgrep-config.yml](assets/semgrep-config.yml) - Production-ready Semgrep configuration
[sonarqube-settings.xml](assets/sonarqube-settings.xml) - SonarQube quality profile template
[run-sast.sh](scripts/run-sast.sh) - Automated SAST execution script

Integration Patterns

CI/CD Pipeline Integration

# GitHub Actions example
- name: Run Semgrep
  uses: returntocorp/semgrep-action@v1
  with:
    config: >-
      p/security-audit
      p/owasp-top-ten

Pre-commit Hook

# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
  rev: v1.45.0
  hooks:
    - id: semgrep
      args: ['--config=auto', '--error']

Best Practices

1.Start with Baseline
Run initial scan to establish security baseline
Prioritize critical and high severity findings
Create remediation roadmap
2.Incremental Adoption
Begin with security-focused rules
Gradually add code quality rules
Implement blocking only for critical issues
3.False Positive Management
Document legitimate suppressions
Create allow lists for known safe patterns
Regularly review suppressed findings
4.Performance Optimization
Exclude test files and generated code
Use incremental scanning for large codebases
Cache scan results in CI/CD
5.Team Enablement
Provide security training for developers
Create internal documentation for common patterns
Establish security champions program

Common Use Cases

New Project Setup

./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube

Custom Rule Development

# See references/semgrep-rules.md for detailed examples
rules:
  - id: hardcoded-jwt-secret
    pattern: jwt.encode($DATA, "...", ...)
    message: JWT secret should not be hardcoded
    severity: ERROR

Compliance Scanning

# PCI-DSS focused scan
semgrep --config p/pci-dss --json -o pci-scan-results.json

Troubleshooting

High False Positive Rate

Review and tune rule sensitivity
Add path filters to exclude test files
Use nostmt metadata for noisy patterns
Create organization-specific rule exceptions

Performance Issues

Enable incremental scanning
Parallelize scans across modules
Optimize rule patterns for efficiency
Cache dependencies and scan results

Integration Failures

Verify API tokens and credentials
Check network connectivity and proxy settings
Review SARIF output format compatibility
Validate CI/CD runner permissions

Related Skills

[OWASP Top 10 Checklist](../owasp-top10-checklist/SKILL.md)
[Container Security](../container-security/SKILL.md)
[Dependency Scanning](../dependency-scanning/SKILL.md)

Tool Comparison

| Tool | Best For | Language Support | Cost | Integration |

|------|----------|------------------|------|-------------|

| Semgrep | Custom rules, fast scans | 30+ languages | Free/Enterprise | Excellent |

| SonarQube | Code quality + security | 25+ languages | Free/Commercial | Good |

| CodeQL | Deep analysis, research | 10+ languages | Free (OSS) | GitHub native |

Next Steps

1.Complete initial SAST tool setup
2.Run baseline security scan
3.Create custom rules for organization-specific patterns
4.Integrate into CI/CD pipeline
5.Establish security gate policies
6.Train development team on findings and remediation

Compétences similaires

Explorez d'autres agents de la catégorie Sécurité & Conformité

Voir tout le catalogue

Red Team Tools and Methodology

This skill should be used when the user asks to "follow red team methodology", "perform bug bounty hunting", "automate reconnaissance", "hunt for XSS vulnerabilities", "enumerate subdomains", or needs security researcher techniques and tool configurations from top bug bounty hunters.

VOIR LA FICHE

azure-keyvault-secrets-ts

Manage secrets using Azure Key Vault Secrets SDK for JavaScript (@azure/keyvault-secrets). Use when storing and retrieving application secrets or configuration values.

VOIR LA FICHE

HTML Injection Testing

This skill should be used when the user asks to "test for HTML injection", "inject HTML into web pages", "perform HTML injection attacks", "deface web applications", or "test content injection vulnerabilities". It provides comprehensive HTML injection attack techniques and testing methodologies.

VOIR LA FICHE
Utiliser l'Agent sast-configuration - Outil & Compétence IA | Skills Catalogue | Skills Catalogue