{"id":"2643b52a-844c-4a6e-a3d5-252afd0379fe","shortId":"y3YKhD","kind":"skill","title":"sast-configuration","tagline":"Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.","description":"# SAST Configuration\n\nStatic Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.\n\n## Use this skill when\n\n- Set up SAST scanning in CI/CD pipelines\n- Create custom security rules for your codebase\n- Configure quality gates and compliance policies\n- Optimize scan performance and reduce false positives\n- Integrate multiple SAST tools for defense-in-depth\n\n## Do not use this skill when\n\n- You only need DAST or manual penetration testing guidance\n- You cannot access source code or CI/CD pipelines\n- You need organizational policy decisions rather than tooling setup\n\n## Instructions\n\n1. Identify languages, repos, and compliance requirements.\n2. Choose tools and define a baseline policy.\n3. Integrate scans into CI/CD with gating thresholds.\n4. Tune rules and suppressions based on false positives.\n5. Track remediation and verify fixes.\n\n## Safety\n\n- Avoid scanning sensitive repos with third-party services without approval.\n- Prevent leaks of secrets in scan artifacts and logs.\n\n## Overview\n\nThis skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL.\n\n## Core Capabilities\n\n### 1. Semgrep Configuration\n- Custom rule creation with pattern matching\n- Language-specific security rules (Python, JavaScript, Go, Java, etc.)\n- CI/CD integration (GitHub Actions, GitLab CI, Jenkins)\n- False positive tuning and rule optimization\n- Organizational policy enforcement\n\n### 2. 
SonarQube Setup\n- Quality gate configuration\n- Security hotspot analysis\n- Code coverage and technical debt tracking\n- Custom quality profiles for languages\n- Enterprise integration with LDAP/SAML\n\n### 3. CodeQL Analysis\n- GitHub Advanced Security integration\n- Custom query development\n- Vulnerability variant analysis\n- Security research workflows\n- SARIF result processing\n\n## Quick Start\n\n### Initial Assessment\n1. Identify primary programming languages in your codebase\n2. Determine compliance requirements (PCI-DSS, SOC 2, etc.)\n3. Choose SAST tool based on language support and integration needs\n4. Review baseline scan to understand current security posture\n\n### Basic Setup\n```bash\n# Semgrep quick start\npip install semgrep\nsemgrep --config=auto --error\n\n# SonarQube with Docker\ndocker run -d --name sonarqube -p 9000:9000 sonarqube:latest\n\n# CodeQL CLI setup\ngh extension install github/gh-codeql\ncodeql database create mydb --language=python\n```\n\n## Reference Documentation\n\n- Semgrep Rule Creation - Pattern-based security rule development\n- SonarQube Configuration - Quality gates and profiles\n- CodeQL Setup Guide - Query development and workflows\n\n## Templates & Assets\n\n- semgrep-config.yml - Production-ready Semgrep configuration\n- sonarqube-settings.xml - SonarQube quality profile template\n- run-sast.sh - Automated SAST execution script\n\n## Integration Patterns\n\n### CI/CD Pipeline Integration\n```yaml\n# GitHub Actions example\n- name: Run Semgrep\n  uses: returntocorp/semgrep-action@v1\n  with:\n    config: >-\n      p/security-audit\n      p/owasp-top-ten\n```\n\n### Pre-commit Hook\n```yaml\n# .pre-commit-config.yaml\n- repo: https://github.com/returntocorp/semgrep\n  rev: v1.45.0\n  hooks:\n    - id: semgrep\n      args: ['--config=auto', '--error']\n```\n\n## Best Practices\n\n1. 
**Start with Baseline**\n   - Run initial scan to establish security baseline\n   - Prioritize critical and high severity findings\n   - Create remediation roadmap\n\n2. **Incremental Adoption**\n   - Begin with security-focused rules\n   - Gradually add code quality rules\n   - Implement blocking only for critical issues\n\n3. **False Positive Management**\n   - Document legitimate suppressions\n   - Create allow lists for known safe patterns\n   - Regularly review suppressed findings\n\n4. **Performance Optimization**\n   - Exclude test files and generated code\n   - Use incremental scanning for large codebases\n   - Cache scan results in CI/CD\n\n5. **Team Enablement**\n   - Provide security training for developers\n   - Create internal documentation for common patterns\n   - Establish security champions program\n\n## Common Use Cases\n\n### New Project Setup\n```bash\n./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube\n```\n\n### Custom Rule Development\n```yaml\n# See references/semgrep-rules.md for detailed examples\nrules:\n  - id: hardcoded-jwt-secret\n    pattern: jwt.encode($DATA, \"...\", ...)\n    message: JWT secret should not be hardcoded\n    severity: ERROR\n```\n\n### Compliance Scanning\n```bash\n# PCI-DSS focused scan\nsemgrep --config p/pci-dss --json -o pci-scan-results.json\n```\n\n## Troubleshooting\n\n### High False Positive Rate\n- Review and tune rule sensitivity\n- Add path filters to exclude test files\n- Use nostmt metadata for noisy patterns\n- Create organization-specific rule exceptions\n\n### Performance Issues\n- Enable incremental scanning\n- Parallelize scans across modules\n- Optimize rule patterns for efficiency\n- Cache dependencies and scan results\n\n### Integration Failures\n- Verify API tokens and credentials\n- Check network connectivity and proxy settings\n- Review SARIF output format compatibility\n- Validate CI/CD runner permissions\n\n## Related Skills\n\n- OWASP Top 10 Checklist\n- Container 
Security\n- Dependency Scanning\n\n## Tool Comparison\n\n| Tool | Best For | Language Support | Cost | Integration |\n|------|----------|------------------|------|-------------|\n| Semgrep | Custom rules, fast scans | 30+ languages | Free/Enterprise | Excellent |\n| SonarQube | Code quality + security | 25+ languages | Free/Commercial | Good |\n| CodeQL | Deep analysis, research | 10+ languages | Free (OSS) | GitHub native |\n\n## Next Steps\n\n1. Complete initial SAST tool setup\n2. Run baseline security scan\n3. Create custom rules for organization-specific patterns\n4. Integrate into CI/CD pipeline\n5. Establish security gate policies\n6. Train development team on findings and remediation\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.","tags":["sast","configuration","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows"],"capabilities":["skill","source-sickn33","skill-sast-configuration","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/sast-configuration","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry 
signals: · indexed on github topic:agent-skills · 34583 github stars · SKILL.md body (6,269 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T18:52:10.449Z","embedding":null,"createdAt":"2026-04-18T21:43:51.788Z","updatedAt":"2026-04-22T18:52:10.449Z","lastSeenAt":"2026-04-22T18:52:10.449Z","prices":[{"id":"d2390f5c-5720-4cf4-97c2-b1e2bd441722","listingId":"2643b52a-844c-4a6e-a3d5-252afd0379fe","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:43:51.788Z"}],"sources":[{"listingId":"2643b52a-844c-4a6e-a3d5-252afd0379fe","source":"github","sourceId":"sickn33/antigravity-awesome-skills/sast-configuration","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/sast-configuration","isPrimary":false,"firstSeenAt":"2026-04-18T21:43:51.788Z","lastSeenAt":"2026-04-22T18:52:10.449Z"}],"details":{"listingId":"2643b52a-844c-4a6e-a3d5-252afd0379fe","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"sast-configuration","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34583,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-22T06:40:00Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"d15955e2745cae13787c8a18aecaee36e43178dc","skill_md_path":"skills/sast-configuration/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/sast-configuration"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"sast-configuration","description":"Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/sast-configuration"},"updatedAt":"2026-04-22T18:52:10.449Z"}}