sast-configuration

by wshobson

Configure and integrate Static Application Security Testing (SAST) tools like Semgrep, SonarQube, and CodeQL for automated code vulnerability detection in CI/CD pipelines. Ideal for DevSecOps and security audit workflows.

Stars0

Favorites0

Comments0

AddedMar 28, 2026

CategorySecurity Audit

Install Command

npx skills add https://github.com/wshobson/agents --skill sast-configuration

Devops

Overview

What is sast-configuration?

The sast-configuration skill provides a practical framework for setting up and managing Static Application Security Testing (SAST) tools in your development workflow. It is designed for developers, DevOps engineers, and security teams who need to automate vulnerability detection in application code using tools like Semgrep, SonarQube, and CodeQL.

Who should use this skill?

Teams implementing DevSecOps practices
Organizations seeking automated security audits in CI/CD pipelines
Developers aiming to enforce secure coding standards
Security auditors requiring custom rule creation and multi-tool integration

Problems solved

Automates vulnerability scanning in source code
Simplifies integration of SAST tools into CI/CD workflows
Enables custom security rule creation and policy enforcement
Reduces false positives and improves scan efficiency

How to Use

Installation Steps

Add the skill to your project:
Use the following command to install:

npx skills add https://github.com/wshobson/agents --skill sast-configuration
Review key documentation:
- Start with SKILL.md for an overview and setup instructions.
- Check README.md, AGENTS.md, and metadata.json for additional context.
- Explore the rules/, resources/, and scripts/ directories for custom rules and automation helpers.
Adapt to your environment:
- Integrate SAST tools (Semgrep, SonarQube, CodeQL) into your CI/CD pipeline (e.g., GitHub Actions, GitLab CI, Jenkins).
- Customize security rules and quality gates to match your codebase and compliance needs.
- Use provided templates and scripts as a starting point, modifying them for your specific requirements.

Best Practices

Regularly update your SAST tool configurations to address new security threats.
Tune rules to minimize false positives and focus on critical vulnerabilities.
Combine multiple SAST tools for broader coverage and defense-in-depth.

FAQ

What SAST tools are supported by sast-configuration?

This skill provides setup and integration guidance for Semgrep, SonarQube, and CodeQL, covering configuration, custom rule creation, and CI/CD integration.

Can I use sast-configuration with my existing CI/CD pipeline?

Yes. The skill includes examples and templates for integrating SAST tools into popular CI/CD systems such as GitHub Actions, GitLab CI, and Jenkins.

Is this skill suitable for enterprise environments?

Yes. It supports advanced features like organizational policy enforcement, custom quality gates, and integration with enterprise authentication systems (e.g., LDAP/SAML for SonarQube).

Where should I start?

Begin by reading the SKILL.md file for a high-level overview, then explore supporting files and directories for detailed setup and customization guidance.

How do I get the most out of this skill?

Adapt the provided configurations and rules to your codebase, regularly review scan results, and iterate on your security policies to ensure ongoing protection.

For a complete file tree and all supporting resources, visit the Files tab in the repository.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

memory-forensics

by wshobson

Master memory forensics with practical workflows for memory acquisition, process analysis, and artifact extraction using Volatility and related tools. Ideal for security analysts investigating incidents or performing malware analysis from RAM dumps.

Security Audit

Favorites 0GitHub 0

mtls-configuration

by wshobson

Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing internal service communication.

Security Audit

Favorites 0GitHub 0

secrets-management

by wshobson

Implement secure secrets management for CI/CD pipelines using Vault, AWS Secrets Manager, Azure Key Vault, or Google Secret Manager. Ideal for handling sensitive credentials, automating secret rotation, and securing deployment workflows.

Security Audit

Favorites 0GitHub 0

attack-tree-construction

by wshobson

Construct detailed attack trees to map threat scenarios, identify security gaps, and communicate risks. Ideal for threat modeling, penetration testing, and security architecture reviews.

Threat Modeling

Favorites 0GitHub 0

audit

by pbakaus

Perform technical quality checks for accessibility, performance, theming, responsive design, and anti-patterns. Generates a scored report with severity ratings and actionable recommendations. Ideal for frontend code audits and compliance reviews.

Frontend Development

Favorites 0GitHub 0

test2

by roin-orca

test2 helps security auditors test for XSS vulnerabilities by injecting common payloads. Ideal for web application security testing.

Security Audit

Favorites 0GitHub 0

audit-website

by squirrelscan

Comprehensive website audit skill for SEO, performance, security, and technical issues using the squirrelscan CLI. Runs 230+ rules and delivers actionable, LLM-ready reports with health scores, broken links, meta tag checks, and recommendations. Ideal for developers, SEO specialists, and security auditors.

Security Audit

Favorites 0GitHub 0

security-requirement-extraction

by wshobson

Derive security requirements from threat models and business context. Use when translating threats into actionable requirements, creating security user stories, or building security test cases.

Security Audit

Favorites 0GitHub 0