Labsco
mstfknn logo

sast-skills

from mstfknn

Collection of agent skills that turn your AI coder into a SAST scanner

šŸ”„šŸ”„šŸ”„āœ“ VerifiedFreeQuick setup

šŸ›”ļø sast-skills

Turn your LLM coding assistant into a fully featured SAST scanner.

Drop-in agent skills for 14 AI assistants — Claude Code, OpenAI Codex CLI, Gemini CLI, GitHub Copilot, Cursor, Windsurf, OpenCode, Cline, Antigravity, Aider, Kilo Code, Augment Code, Hermes Agent, and Mistral Vibe.

Claude Code with Opus is recommended for quality; any capable model works.

šŸ“‘ Table of contents


✨ Highlights

  • 68 skills across 64 vulnerability classes — injection (incl. XPath, expression-language, CSV-formula, XML-bomb variants), broken access control, API & session depth (rate-limiting, OAuth/OIDC, session fixation, shadow routes), weak crypto, file handling, supply chain, CI/CD & cloud-metadata risks, business logic & payment abuse, agentic/MCP security (skill-config poisoning, MCP tool poisoning, config-as-execution, over-privileged agent identity), and LLM/agent runtime (excessive agency, RAG isolation, unsafe tool calling, memory poisoning, denial-of-wallet), plus a tech-stack router.
  • Four-phase orchestration — reconnaissance → parallel detection → consolidated report → evidence-based triage, driven entirely from CLAUDE.md / AGENTS.md.
  • Idempotent & resumable — each phase skips work whose output already exists; re-run after fixing issues to refresh only what's stale.
  • Machine-readable output — every skill emits canonical JSON; sast-skills export aggregates to JSON, SARIF 2.1.0, or HTML for GitHub Code Scanning and CI.
  • Cross-assistant — identical skills ship for Claude Code (.claude/skills) and every AGENTS.md assistant (.agents/skills).
  • Zero-config CLI — install / update / uninstall / doctor / export, published from GitHub Actions with npm provenance (SLSA attestation).

šŸ”„ Flow

The orchestrator executes four phases — reconnaissance, parallel detection, synthesis, and triage:

flowchart TD
    U(["User: Run vulnerability scan"]) --> R{"CLAUDE.md / AGENTS.md orchestrator"}
    R --> S1["Step 1 — sast-analysis<br/>codebase and architecture map"]
    S1 -->|sast/architecture.md| S2["Step 2 — parallel vulnerability scan<br/>64 skills: recon, batched verify, merge"]
    S2 -->|sast/*-results.md and *-results.json| S3["Step 3 — sast-report<br/>consolidate and rank"]
    S3 -->|sast/final-report.md| S4["Step 4 — sast-triage<br/>false-positive elimination,<br/>severity adjustment with evidence"]
    S4 -->|sast/final-report-triaged.md and triaged.json| EXP["npx sast-skills export<br/>JSON, SARIF, HTML"]
    EXP --> CS(["GitHub Code Scanning, CI, dashboards"])

Every step is idempotent: if its output file already exists, the orchestrator skips it. Re-run the scan after fixing issues to refresh only what's stale.


šŸ” What it detects

All skills follow the same three-phase pattern: recon → batched verify (parallel subagents, 3 per batch) → merge. Each writes a human-readable markdown report and a canonical JSON findings file that sast-skills export aggregates.

Reconnaissance & Synthesis

SkillRole
sast-analysisCodebase recon, architecture mapping, threat model
sast-stackTech-stack router — picks which detection skills to run per project
sast-reportConsolidate per-class findings into a ranked report
sast-triageRemove false positives and adjust severities with codebase evidence

Injection

SkillVulnerability Class
sast-sqliSQL injection
sast-nosqlNoSQL injection (Mongo, Firestore, DynamoDB)
sast-ldapLDAP filter / DN injection
sast-graphqlUnsafe GraphQL document construction
sast-xssCross-Site Scripting
sast-sstiServer-Side Template Injection
sast-rceRemote Code Execution (command injection, eval, unsafe deserialization)
sast-xxeXML External Entity
sast-ssrfServer-Side Request Forgery
sast-openredirectOpen redirect (phishing / OAuth token theft)
sast-crlfCRLF / HTTP response splitting (header injection)
sast-ssrfimdsCloud metadata SSRF (IMDSv1 credential theft)
sast-unsafeconsumptionUnvalidated third-party API response into a sink (second-order injection)
sast-xpathXPath injection (user input into an XPath expression)
sast-csvinjFormula / CSV injection in spreadsheet exports
sast-elinjExpression-language injection (OGNL / SpEL / MVEL / JEXL)

Access control & Auth

SkillVulnerability Class
sast-idorInsecure Direct Object Reference
sast-missingauthMissing auth / broken function-level authorization
sast-jwtInsecure JWT implementations
sast-csrfCross-Site Request Forgery
sast-corsCORS misconfiguration
sast-cookieflagsMissing HttpOnly / Secure / SameSite on session cookies
sast-massassignMass assignment / overposting (privilege escalation)
sast-secheadersMissing security headers (CSP, HSTS, X-Frame-Options, SRI)
sast-ratelimitMissing rate limit on auth / expensive endpoints
sast-sessionSession fixation + low-entropy session IDs
sast-oauthOAuth / OIDC misconfig (redirect_uri, state, PKCE)
sast-routeinventoryShadow / debug / admin routes left registered
sast-postmessagepostMessage / CSWSH / reverse-tabnabbing origin trust

Files, crypto & runtime

SkillVulnerability Class
sast-pathtraversalPath / directory traversal
sast-fileuploadInsecure file upload
sast-cryptoWeak primitives, bad modes, IV reuse, weak PRNG
sast-prototypeJavaScript prototype pollution
sast-redosCatastrophic-backtracking regex DoS
sast-raceRace conditions and TOCTOU
sast-deserInsecure deserialization (gadget chains, pickle, unserialize)
sast-tlsDisabled TLS certificate / hostname verification
sast-zipslipZip Slip — archive-extraction path traversal
sast-dangerousapiDangerous API sinks (eval / exec / reflection / native bridges)
sast-xmlbombXML entity-expansion DoS (billion laughs / quadratic blowup)

Data exposure & supply chain

SkillVulnerability Class
sast-hardcodedsecretsAPI keys / tokens / credentials in client-facing code
sast-piiPII and credential leakage to logs / telemetry / error pages
sast-depsKnown-vulnerable dependencies (CVE in lockfiles)
sast-iacInsecure IaC (Dockerfile / Terraform / Kubernetes / GitHub Actions)
sast-errorhandlingFail-open logic, stack-trace / secret leaks, debug mode
sast-excessivedataExcessive data exposure in API responses
sast-pipelineinjCI/CD pipeline injection (untrusted event payloads)
sast-depconfusionDependency confusion + install-time script execution
sast-lockfileMissing lockfile / unpinned dependency hashes
sast-cloudsdkCloud SDK misuse (public bucket, hardcoded key, broad IAM)

Business logic & LLM-specific

SkillVulnerability Class
sast-businesslogicPrice manipulation, workflow bypass, reward abuse
sast-paymentlogicE-commerce payment abuse (price / coupon / refund / balance race)
sast-promptinjectionUntrusted text reaching an LLM prompt (OWASP LLM #1)
sast-llmoutputUnvalidated LLM output reaching code / HTML / SQL / shell sinks (OWASP LLM #2)

Agentic & MCP security

The 2026-era attack surface most signature scanners miss — natural-language manipulation, MCP tool poisoning, config-as-execution, and over-privileged agent identities. These skills use an LLM-driven verify step, not regex matching.

SkillVulnerability Class
sast-skillauditHidden-instruction / shell-sink in untrusted skill or agent config
sast-mcpsecMCP server tool poisoning + missing tool-auth
sast-configrceRepo config that auto-executes shell at project open / checkout
sast-agentidentityOver-privileged non-human (agent / CI) identity

LLM & agent runtime

Runtime behaviour of LLM and agent applications — tool authority, retrieval isolation, prompt-secret hygiene, memory trust, and cost bounds. The tech-stack router gates these so they never run on codebases with no LLM/agent dependencies.

SkillVulnerability Class
sast-excessiveagencyExcessive agent authority (state-changing tools, no human-in-the-loop)
sast-toolcallingLLM tool dispatch without an allow-list / argument validation
sast-ragleakRAG cross-tenant leak + indirect injection (missing retrieval ACL filter)
sast-systempromptleakSecrets in system prompts; prompt logged or echoed to callers
sast-memorypoisonUntrusted data persisted to agent memory and later trusted
sast-llmdosUnbounded LLM tokens / agent loops (denial-of-wallet)

šŸ”Œ CI integrations

GitHub Code Scanning (SARIF)

Composite action at .github/actions/scan/action.yml:

- uses: mstfknn/sast-skills/.github/actions/scan@main
  with:
    input: sast/
    output: sast-skills.sarif

This runs sast-skills export --format sarif and uploads the result to Code Scanning via github/codeql-action/upload-sarif@v3.

Pre-commit hook

Copy hooks/pre-commit into .git/hooks/pre-commit to make sast-skills doctor gate every commit.

Docker

docker build -t sast-skills .
docker run --rm -v "$PWD:/work" sast-skills export --input sast/ --format sarif --output report.sarif

The bundled Dockerfile is node:20-alpine-based with sast-skills set as the entrypoint.


šŸ¤ Contributing

See CONTRIBUTING.md. Developer loop:

npm install
npm test                                  # vitest suite (TDD-guard enabled; count shown in the tests badge)
npm run sync                              # mirror .claude/skills → .agents/skills
node scripts/scaffold-skill.js sast-foo   # stub a new skill in both trees
node scripts/register-skill.js sast-foo foo "Foo" "Foo injection description"
npm run lint:md                           # markdownlint

prepublishOnly runs npm run sync && npm test — a dirty mirror or a red test aborts npm publish.


šŸ“„ License

MIT — see LICENSE.