Skip to main content Configure Static Application Security Testing (SAST) tools for automated vulnerability detection in application code. Use when setting up security scanning, implementing DevSecOps practices, or automating code vulnerability detection.
npx skills add sickn33/antigravity-awesome-skills --skill sast-configuration agentic-skills ai-agents antigravity claude-code mcp ai-workflows
SAST Configuration
Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.
Use this skill when
Set up SAST scanning in CI/CD pipelines
Create custom security rules for your codebase
Configure quality gates and compliance policies
Optimize scan performance and reduce false positives
Integrate multiple SAST tools for defense-in-depth
Do not use this skill when
You only need DAST or manual penetration testing guidance
You cannot access source code or CI/CD pipelines
You need organizational policy decisions rather than tooling setup
Instructions
Identify languages, repos, and compliance requirements.
Choose tools and define a baseline policy.
Integrate scans into CI/CD with gating thresholds.
Tune rules and suppressions based on false positives.
Track remediation and verify fixes.
Safety
Avoid scanning sensitive repos with third-party services without approval.
Prevent leaks of secrets in scan artifacts and logs.
Overview
This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL.
Core Capabilities
1. Semgrep Configuration
Custom rule creation with pattern matching
Language-specific security rules (Python, JavaScript, Go, Java, etc.)
CI/CD integration (GitHub Actions, GitLab CI, Jenkins)
False positive tuning and rule optimization
Organizational policy enforcement
2. SonarQube Setup
Quality gate configuration
Security hotspot analysis
Code coverage and technical debt tracking
Custom quality profiles for languages
Enterprise integration with LDAP/SAML
3. CodeQL Analysis
GitHub Advanced Security integration
Custom query development
Vulnerability variant analysis
Security research workflows
SARIF result processing
Quick Start
Initial Assessment
Identify primary programming languages in your codebase
Determine compliance requirements (PCI-DSS, SOC 2, etc.)
Choose SAST tool based on language support and integration needs
Review baseline scan to understand current security posture
Basic Setup # Semgrep quick start
pip install semgrep
semgrep --config=auto --error
# SonarQube with Docker
docker run -d --name sonarqube -p 9000:9000 sonarqube:latest
# CodeQL CLI setup
gh extension install github/gh-codeql
codeql database create mydb --language=python
Reference Documentation
Semgrep Rule Creation - Pattern-based security rule development
SonarQube Configuration - Quality gates and profiles
CodeQL Setup Guide - Query development and workflows
Templates & Assets
semgrep-config.yml - Production-ready Semgrep configuration
sonarqube-settings.xml - SonarQube quality profile template
run-sast.sh - Automated SAST execution script
Integration Patterns
CI/CD Pipeline Integration # GitHub Actions example
- name: Run Semgrep
uses: returntocorp/semgrep-action@v1
with:
config: >-
p/security-audit
p/owasp-top-ten
Pre-commit Hook # .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
rev: v1.45.0
hooks:
- id: semgrep
args: ['--config=auto', '--error']
Best Practices
Start with Baseline
Run initial scan to establish security baseline
Prioritize critical and high severity findings
Create remediation roadmap
Incremental Adoption
Begin with security-focused rules
Gradually add code quality rules
Implement blocking only for critical issues
False Positive Management
Document legitimate suppressions
Create allow lists for known safe patterns
Regularly review suppressed findings
Performance Optimization
Exclude test files and generated code
Use incremental scanning for large codebases
Cache scan results in CI/CD
Team Enablement
Provide security training for developers
Create internal documentation for common patterns
Establish security champions program
Common Use Cases
New Project Setup ./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube
Custom Rule Development # See references/semgrep-rules.md for detailed examples
rules:
- id: hardcoded-jwt-secret
pattern: jwt.encode($DATA, "...", ...)
message: JWT secret should not be hardcoded
severity: ERROR
Compliance Scanning # PCI-DSS focused scan
semgrep --config p/pci-dss --json -o pci-scan-results.json
Troubleshooting
High False Positive Rate
Review and tune rule sensitivity
Add path filters to exclude test files
Use nostmt metadata for noisy patterns
Create organization-specific rule exceptions
Performance Issues
Enable incremental scanning
Parallelize scans across modules
Optimize rule patterns for efficiency
Cache dependencies and scan results
Integration Failures
Verify API tokens and credentials
Check network connectivity and proxy settings
Review SARIF output format compatibility
Validate CI/CD runner permissions
Related Skills
OWASP Top 10 Checklist
Container Security
Dependency Scanning
Tool Comparison Tool Best For Language Support Cost Integration Semgrep Custom rules, fast scans 30+ languages Free/Enterprise Excellent SonarQube Code quality + security 25+ languages Free/Commercial Good CodeQL Deep analysis, research 10+ languages Free (OSS) GitHub native
Next Steps
Complete initial SAST tool setup
Run baseline security scan
Create custom rules for organization-specific patterns
Integrate into CI/CD pipeline
Establish security gate policies
Train development team on findings and remediation
Limitations
Use this skill only when the task clearly matches the scope described above.
Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).