Labsco
wshobson logo

sast-configuration

โ˜… 37,559

by wshobson ยท part of wshobson/agents

Configure Static Application Security Testing (SAST) tools for automated vulnerability detection in application code. Use when setting up security scanning, implementing DevSecOps practices, or automating code vulnerability detection.

๐Ÿงฉ One of 7 skills in the wshobson/agents package โ€” works on its own, and pairs well with its siblings.

This is the playbook your agent receives when the skill activates โ€” you don't need to read it to use the skill, but it's here to audit before installing.

SAST Configuration

Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.

Overview

This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL. Use this skill when you need to:

  • Set up SAST scanning in CI/CD pipelines
  • Create custom security rules for your codebase
  • Configure quality gates and compliance policies
  • Optimize scan performance and reduce false positives
  • Integrate multiple SAST tools for defense-in-depth

Core Capabilities

1. Semgrep Configuration

  • Custom rule creation with pattern matching
  • Language-specific security rules (Python, JavaScript, Go, Java, etc.)
  • CI/CD integration (GitHub Actions, GitLab CI, Jenkins)
  • False positive tuning and rule optimization
  • Organizational policy enforcement

2. SonarQube Setup

  • Quality gate configuration
  • Security hotspot analysis
  • Code coverage and technical debt tracking
  • Custom quality profiles for languages
  • Enterprise integration with LDAP/SAML

3. CodeQL Analysis

  • GitHub Advanced Security integration
  • Custom query development
  • Vulnerability variant analysis
  • Security research workflows
  • SARIF result processing

Integration Patterns

CI/CD Pipeline Integration

# GitHub Actions example
- name: Run Semgrep
  uses: returntocorp/semgrep-action@v1
  with:
    config: >-
      p/security-audit
      p/owasp-top-ten

Pre-commit Hook

# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
  rev: v1.45.0
  hooks:
    - id: semgrep
      args: ['--config=auto', '--error']

Best Practices

  1. Start with Baseline

    • Run initial scan to establish security baseline
    • Prioritize critical and high severity findings
    • Create remediation roadmap
  2. Incremental Adoption

    • Begin with security-focused rules
    • Gradually add code quality rules
    • Implement blocking only for critical issues
  3. False Positive Management

    • Document legitimate suppressions
    • Create allow lists for known safe patterns
    • Regularly review suppressed findings
  4. Performance Optimization

    • Exclude test files and generated code
    • Use incremental scanning for large codebases
    • Cache scan results in CI/CD
  5. Team Enablement

    • Provide security training for developers
    • Create internal documentation for common patterns
    • Establish security champions program

Common Use Cases

New Project Setup

./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube

Custom Rule Development

# See references/semgrep-rules.md for detailed examples
rules:
  - id: hardcoded-jwt-secret
    pattern: jwt.encode($DATA, "...", ...)
    message: JWT secret should not be hardcoded
    severity: ERROR

Compliance Scanning

# PCI-DSS focused scan
semgrep --config p/pci-dss --json -o pci-scan-results.json

Tool Comparison

ToolBest ForLanguage SupportCostIntegration
SemgrepCustom rules, fast scans30+ languagesFree/EnterpriseExcellent
SonarQubeCode quality + security25+ languagesFree/CommercialGood
CodeQLDeep analysis, research10+ languagesFree (OSS)GitHub native

Next Steps

  1. Complete initial SAST tool setup
  2. Run baseline security scan
  3. Create custom rules for organization-specific patterns
  4. Integrate into CI/CD pipeline
  5. Establish security gate policies
  6. Train development team on findings and remediation