sast-configuration

by wshobson

The sast-configuration skill helps configure Semgrep, SonarQube, and CodeQL for real SAST workflows. Use it to plan install steps, CI/CD integration, custom rules, quality gates, and false-positive tuning for Security Audit and repo-specific scanning.

Stars32.6k

Favorites0

Comments0

AddedMar 30, 2026

CategorySecurity Audit

Install Command

npx skills add wshobson/agents --skill sast-configuration

Curation Score

This skill scores 76/100, which means it is a solid directory listing candidate: users can reasonably understand when to invoke it and what value it provides, but they should expect advisory guidance rather than a tightly executable install-and-run workflow.

76/100

Strengths

Strong triggerability: the description and overview clearly frame use cases like CI/CD SAST setup, custom rule creation, quality gates, and false-positive tuning.
Good agent leverage: it consolidates guidance for multiple real tools—Semgrep, SonarQube, and CodeQL—so an agent has more specific structure than a generic security prompt.
Substantial workflow content: the skill body is lengthy and organized with many headings, code fences, and practical topics such as CI integration, custom rules, compliance policies, and scan optimization.

Cautions

Operational execution is partly implicit: there are no support files, scripts, references, or install commands, so agents may still need to infer exact commands and tool-specific setup details.
Trust and decision support are moderate rather than high because the repository evidence shows guidance text only, with no bundled examples, templates, or linked source files to validate workflows.

Security Configuration Ci Cd Workflow Automation

Overview

Overview of sast-configuration skill

What the sast-configuration skill does

The sast-configuration skill helps an agent design and tune Static Application Security Testing workflows for real repositories, not just name popular tools. It focuses on configuring SAST tools such as Semgrep, SonarQube, and CodeQL for automated code scanning, custom rules, CI/CD integration, quality gates, and false-positive reduction.

Who should use this skill

This sast-configuration skill is best for:

security engineers standardizing scanning across teams
platform and DevSecOps engineers adding SAST to CI/CD
developers who need working starter configurations, not theory
teams comparing Semgrep, SonarQube, and CodeQL for Security Audit workflows

If your job is “make security scanning useful in our repo without overwhelming developers,” this skill is a strong fit.

The real job-to-be-done

Most users do not need a generic explanation of SAST. They need help turning a messy goal like “scan our monorepo for security issues” into concrete decisions:

which tool fits the stack and hosting model
what to scan first
how to wire scans into pull requests and main branch pipelines
how to tune rules to reduce noisy findings
when to use custom rules versus built-in checks

That practical decision support is where sast-configuration is more useful than an ordinary one-shot prompt.

What makes this skill different

The main differentiator is breadth plus configuration focus. Instead of covering one scanner in isolation, the skill spans:

Semgrep for flexible rule-based scanning and custom patterns
SonarQube for quality gates, hotspots, and broader code health workflows
CodeQL for GitHub-native security analysis and custom query paths

That makes sast-configuration for Security Audit especially useful when you need a recommendation, not just syntax help.

What to know before you install

This skill is guidance-heavy. The repository evidence shows a single SKILL.md with no helper scripts or packaged templates, so expect the value to come from how the agent structures setup and tradeoff decisions rather than from ready-made automation artifacts. Install it if you want better planning, stronger prompts, and clearer configuration direction. Do not expect a drop-in scanner bundle.

How to Use sast-configuration skill

How to install sast-configuration

Use the standard skills install flow for the repository:

npx skills add https://github.com/wshobson/agents --skill sast-configuration

After install, confirm the skill is available in your agent environment, then invoke it with a repository-specific security setup task.

Read this file first

Start with:

plugins/security-scanning/skills/sast-configuration/SKILL.md

Because this skill has no visible support files, reading SKILL.md first gives you nearly all of the available implementation guidance. For adoption decisions, scan the sections covering:

Semgrep configuration
SonarQube setup
CodeQL analysis
CI/CD integration
custom rule creation
performance and false-positive tuning

What input the skill needs

The quality of sast-configuration usage depends heavily on the context you provide. At minimum, give the agent:

primary languages and frameworks
repository type: single app, service fleet, or monorepo
CI platform: GitHub Actions, GitLab CI, Jenkins, etc.
hosting constraints: SaaS allowed or self-hosted only
compliance needs: OWASP, internal policy, audit evidence
current pain points: false positives, slow scans, poor PR feedback, no custom rules
desired outcome: starter setup, migration plan, tuning plan, or multi-tool strategy

Without those details, the agent can only produce generic setup advice.

Best prompt shape for strong outputs

A weak request looks like:

Set up SAST for our app.

A stronger sast-configuration guide prompt looks like:

Use the sast-configuration skill to propose a SAST setup for a GitHub-hosted monorepo with Python and JavaScript services. We want PR-time checks under 10 minutes, deeper scanning on main, low false positives for developers, and GitHub-native reporting where possible. Compare Semgrep, CodeQL, and SonarQube, recommend one primary approach, and include CI workflow structure, tuning priorities, and where custom rules are worth the effort.

This works better because it supplies stack, platform, latency target, reporting preference, and decision criteria.

Turn rough goals into actionable asks

Ask for one of these specific outputs instead of “configuration help”:

a tool recommendation with tradeoffs
a phased rollout plan for one repo or one org
a PR pipeline design versus nightly deep scans
a false-positive reduction strategy
custom rule candidates for your framework or internal APIs
a migration path from one SAST tool to another

Narrow requests produce more install-ready output.

Suggested workflow for real projects

A practical workflow with the sast-configuration skill is:

describe your stack, CI, and constraints
ask for tool selection or confirmation
request a minimal starter configuration
ask for tuning guidance after the first scan results
iterate on exclusions, severity thresholds, and custom rules
add governance items like quality gates or policy enforcement

This staged approach is better than trying to design a perfect enterprise rollout in one prompt.

When to choose Semgrep, SonarQube, or CodeQL

Use the skill to make a recommendation, but these starting heuristics help:

Semgrep: best when you need fast adoption, broad language coverage, and custom pattern rules
SonarQube: best when security scanning is part of a larger code quality and governance program
CodeQL: best when you are already deep in GitHub and want strong semantic analysis with GitHub Advanced Security workflows

For many teams, the highest-value outcome is not “use every tool,” but “pick one primary scanner and add a second only where it changes coverage meaningfully.”

How to ask for CI/CD output

If you want usable pipeline guidance, explicitly request:

trigger strategy for pull requests, pushes, and scheduled scans
fail conditions and severity thresholds
artifact or SARIF handling
baseline adoption strategy for legacy findings
scan scope rules for monorepos or generated code
developer feedback path inside the code host

Those details determine whether the setup gets adopted or bypassed.

How to get better custom rule advice

The skill mentions custom rule creation, but custom rules only become useful when you provide examples. Give the agent:

code snippets showing risky internal patterns
framework-specific sinks and sources
naming conventions for unsafe wrappers
examples of previous missed findings
examples of noisy findings you want suppressed

That turns generic rule discussion into targeted rule candidates.

Constraints and tradeoffs to surface early

Before acting on the skill's output, ask it to account for:

scan runtime budgets
developer tolerance for blocking checks
self-hosted versus managed deployment limits
license or enterprise feature dependencies
language gaps in mixed-stack repositories
ownership for triage and rule maintenance

These factors usually block adoption more than scanner syntax does.

sast-configuration skill FAQ

Is sast-configuration good for beginners

Yes, if you already know your repository and CI platform. The skill is approachable because it frames SAST setup by use case, but it is not a substitute for understanding your codebase, branch workflow, and security ownership model. Beginners get the most value by asking for a minimal starter setup, not an enterprise-wide policy design.

What does this skill do better than a normal prompt

A normal prompt often returns generic scanner advice. The sast-configuration skill is more useful when you need structured guidance across Semgrep, SonarQube, and CodeQL, plus help with custom rules, quality gates, and false-positive tuning. It reduces guesswork around tool fit and rollout sequencing.

Is this skill only for GitHub users

No. CodeQL is especially aligned with GitHub ecosystems, but the skill also covers Semgrep and SonarQube, which are commonly used across different CI systems and hosting models. If you are on GitLab or Jenkins, the skill can still help with tool choice and pipeline structure.

When is sast-configuration a poor fit

Skip this skill if you need a fully packaged implementation with ready-made scripts and templates. The repository signals show a documentation-centered skill, not an automation bundle. It is also a weaker fit if your main problem is dynamic testing, cloud posture management, or dependency scanning rather than source-code SAST.

Can it help with false positives

Yes. This is one of the more practical reasons to use sast-configuration. The source content explicitly covers tuning and optimization. Ask for suppression strategy, scope exclusions, severity calibration, and custom rule refinement based on real findings from your repo.

Should I use one tool or multiple tools

Usually start with one. Multi-tool SAST can improve coverage, but it also increases triage cost, duplicate findings, and developer fatigue. Use this skill to justify where defense-in-depth adds real value instead of assuming more scanners always means better security.

How to Improve sast-configuration skill

Give the skill repository-specific context

The fastest way to improve sast-configuration results is to stop asking abstract questions. Include:

language mix
example services or folders
current CI files
security requirements
sample findings or missed bugs
rollout constraints

Specific context leads to actionable configuration decisions instead of generic best practices.

Ask for decision-ready recommendations

Do not just ask what each scanner does. Ask the skill to produce:

a recommendation with reasons
what to implement this week
what to defer
what risks remain uncovered
what signals indicate success after rollout

That framing makes the output usable for implementation and stakeholder approval.

Provide examples of noisy and valuable findings

If your first pass is too noisy, paste a small set of findings and ask the agent to classify them into:

true positives to keep blocking
issues to downgrade
patterns to exclude
cases needing custom rules
cases needing developer education instead of scanner changes

This is one of the highest-leverage ways to improve sast-configuration usage.

Separate startup configuration from mature policy

Many teams fail by trying to enforce strict gates on day one. Ask the skill for two stages:

initial adoption: fast scans, visible results, minimal blocking
mature enforcement: stronger gates, policy checks, custom rules, broader coverage

That phased plan increases the chance developers will keep the scanner enabled.

Request outputs in the format you will implement

If you need something deployable, ask for:

CI YAML skeletons
rule examples
quality gate criteria
repo folder inclusion and exclusion logic
a rollout checklist

The skill is more valuable when you tell it exactly what artifact you need next.

Common failure modes to avoid

Watch for these mistakes when using sast-configuration:

choosing tools before clarifying hosting and budget constraints
enabling blocking checks without baseline handling
scanning generated, vendored, or irrelevant code
asking for custom rules before identifying real gaps
combining multiple scanners without an ownership plan for triage

These problems usually create abandonment, not better security.

How to iterate after the first output

After the first answer, improve it with follow-ups like:

“Rework this for a monorepo with separate PR and nightly scan paths.”
“Prioritize low-maintenance options because we have no dedicated AppSec team.”
“Reduce false positives for internal validation wrappers.”
“Show where Semgrep is enough and where CodeQL adds unique value.”
“Convert this recommendation into a step-by-step rollout plan.”

That iterative prompting is how the sast-configuration skill becomes genuinely implementation-ready rather than just informative.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

security-threat-model

by openai

Repository-grounded security-threat-model skill for AppSec threat modeling. It maps trust boundaries, assets, attacker goals, abuse paths, and mitigations into a concise Markdown threat model. Use it when you need security-threat-model for Threat Modeling on a specific repo or path, not a generic architecture review or code check.

Threat Modeling

Favorites 0GitHub 0

solana-vulnerability-scanner

by trailofbits

solana-vulnerability-scanner is a focused Solana security audit skill for native Rust and Anchor programs. It helps review CPI logic, PDA validation, signer and ownership checks, and sysvar spoofing to catch six critical Solana-specific vulnerabilities before deployment.

Security Audit

Favorites 0GitHub 4.9k

azure-ai-contentsafety-ts

by microsoft

azure-ai-contentsafety-ts helps analyze text and images for harmful content with Azure AI Content Safety in TypeScript. Use this skill for moderation workflows, blocklists, and security audit checks for hate, violence, sexual content, and self-harm. It also covers Azure endpoint and auth setup.

Security Audit

Favorites 0GitHub 2.3k

sharp-edges

by trailofbits

The sharp-edges skill helps you find APIs, configs, and interfaces where the easy path leads to insecure use. Use it to review authentication flows, cryptographic wrappers, dangerous defaults, null or zero semantics, and misuse-prone design choices. It is a strong fit for sharp-edges for Security Audit work when you need concrete footguns, not generic security guesses.

Security Audit

Favorites 0GitHub 5k

security-review

by affaan-m

Use the security-review skill to review auth, user input, secrets, APIs, payments, uploads, and other sensitive flows. It provides a practical security-review guide with clear pass/fail checks, risky-pattern examples, and a focused process for catching common issues before release.

Security Audit

Favorites 0GitHub 156.3k

django-security

by affaan-m

django-security is a practical guide for hardening Django apps with authentication, authorization, CSRF, XSS, SQL injection prevention, secure cookies, and production settings. It helps developers and reviewers run a focused Security Audit, quickly spot risky config, and apply concrete fixes before deployment.

Security Audit

Favorites 0GitHub 156.1k

exploiting-insecure-data-storage-in-mobile

by mukul975

The exploiting-insecure-data-storage-in-mobile skill helps assess and extract evidence from insecure local storage in Android and iOS apps. It covers SharedPreferences, SQLite databases, plist files, world-readable files, backup exposure, and weak keychain/keystore handling for mobile pentesting and Security Audit workflows.

Security Audit

Favorites 0GitHub 6.2k

detecting-s3-data-exfiltration-attempts

by mukul975

detecting-s3-data-exfiltration-attempts helps investigate possible AWS S3 data theft by correlating CloudTrail S3 data events, GuardDuty findings, Amazon Macie alerts, and S3 access patterns. Use this detecting-s3-data-exfiltration-attempts skill for Security Audit, incident response, and suspicious bulk-download analysis.

Security Audit

Favorites 0GitHub 6.2k

building-incident-response-playbook

by mukul975

building-incident-response-playbook helps security teams create reusable incident response playbooks with step-by-step phases, decision trees, escalation criteria, RACI ownership, and SOAR-ready structure. It is designed for incident response procedure documentation, incident triage workflows, and audit-friendly operational response plans.

Incident Triage

Favorites 0GitHub 6.1k

building-patch-tuesday-response-process

by mukul975

building-patch-tuesday-response-process helps teams build a repeatable Microsoft Patch Tuesday process to triage advisories, rank risk, test patches, approve rollout, and track compliance. Useful for security operations, vulnerability management, and building-patch-tuesday-response-process for Project Management.

Project Management

Favorites 0GitHub 6.1k

ossfuzz

by trailofbits

Learn the ossfuzz skill for continuous fuzzing setup, project enrollment, harness planning, and build workflow review. This guide helps security engineers and maintainers assess readiness, spot build blockers, and prepare a practical path from source tree to OSS-Fuzz or private fuzzing infrastructure.

Security Audit

Favorites 0GitHub 5k

codeql

by trailofbits

The codeql skill helps you run CodeQL with fewer blind spots during a security audit. It focuses on database quality, suite selection, data extensions, and SARIF review so you can use codeql usage more reliably across supported languages. Use it for repeatable codeql guide steps when analyzing real repositories.

Security Audit

Favorites 0GitHub 5k

semgrep-rule-creator

by trailofbits

semgrep-rule-creator creates production-quality Semgrep rules for security vulnerabilities, bug patterns, taint-flow detections, and coding standards. Use the semgrep-rule-creator skill for Security Audit work when you need precise rules, test cases, and validation instead of a generic draft.

Security Audit

Favorites 0GitHub 5k

insecure-defaults

by trailofbits

The insecure-defaults skill helps spot fail-open configuration patterns that let software run with unsafe settings instead of stopping. Use it for a Security Audit of production code, deployment configs, and secret-handling logic to catch weak auth, hardcoded secrets, and permissive defaults.

Security Audit

Favorites 0GitHub 5k

constant-time-analysis

by trailofbits

constant-time-analysis is a security-audit skill for finding timing side-channel risks in cryptographic code before they become exploitable bugs. Use it to review secret-dependent math, branches, comparisons, and compiled output when checking C, C++, Go, Rust, Swift, Java, Kotlin, PHP, JavaScript, TypeScript, Python, or Ruby.

Security Audit

Favorites 0GitHub 5k

secure-workflow-guide

by trailofbits

secure-workflow-guide guides a 5-step Solidity security workflow: Slither triage, feature-specific checks, visual inspection, security-property notes, and manual review. It is built for smart contract teams, auditors, and builders who want a repeatable secure-workflow-guide guide before deployment or release.

Security Audit

Favorites 0GitHub 4.9k