MCP HubMCP Hub
Back to Skills

sast-configuration

camoneart
Updated Today
33 views
2
2
View on GitHub
Testingtestingautomation

About

This skill helps developers configure SAST tools like Semgrep, SonarQube, and CodeQL to automate security scanning within CI/CD pipelines. It provides guidance for setting up scans, creating custom rules, and optimizing performance to reduce false positives. Use it when implementing DevSecOps practices or setting up automated vulnerability detection in your codebase.

Documentation

SAST Configuration

Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.

Overview

This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL. Use this skill when you need to:

  • Set up SAST scanning in CI/CD pipelines
  • Create custom security rules for your codebase
  • Configure quality gates and compliance policies
  • Optimize scan performance and reduce false positives
  • Integrate multiple SAST tools for defense-in-depth

Core Capabilities

1. Semgrep Configuration

  • Custom rule creation with pattern matching
  • Language-specific security rules (Python, JavaScript, Go, Java, etc.)
  • CI/CD integration (GitHub Actions, GitLab CI, Jenkins)
  • False positive tuning and rule optimization
  • Organizational policy enforcement

2. SonarQube Setup

  • Quality gate configuration
  • Security hotspot analysis
  • Code coverage and technical debt tracking
  • Custom quality profiles for languages
  • Enterprise integration with LDAP/SAML

3. CodeQL Analysis

  • GitHub Advanced Security integration
  • Custom query development
  • Vulnerability variant analysis
  • Security research workflows
  • SARIF result processing

Quick Start

Initial Assessment

  1. Identify primary programming languages in your codebase
  2. Determine compliance requirements (PCI-DSS, SOC 2, etc.)
  3. Choose SAST tool based on language support and integration needs
  4. Review baseline scan to understand current security posture

Basic Setup

# Semgrep quick start
pip install semgrep
semgrep --config=auto --error

# SonarQube with Docker
docker run -d --name sonarqube -p 9000:9000 sonarqube:latest

# CodeQL CLI setup
gh extension install github/gh-codeql
codeql database create mydb --language=python

Reference Documentation

Templates & Assets

Integration Patterns

CI/CD Pipeline Integration

# GitHub Actions example
- name: Run Semgrep
  uses: returntocorp/semgrep-action@v1
  with:
    config: >-
      p/security-audit
      p/owasp-top-ten

Pre-commit Hook

# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
  rev: v1.45.0
  hooks:
    - id: semgrep
      args: ['--config=auto', '--error']

Best Practices

  1. Start with Baseline

    • Run initial scan to establish security baseline
    • Prioritize critical and high severity findings
    • Create remediation roadmap

  2. Incremental Adoption

    • Begin with security-focused rules
    • Gradually add code quality rules
    • Implement blocking only for critical issues

  3. False Positive Management

    • Document legitimate suppressions
    • Create allow lists for known safe patterns
    • Regularly review suppressed findings

  4. Performance Optimization

    • Exclude test files and generated code
    • Use incremental scanning for large codebases
    • Cache scan results in CI/CD

  5. Team Enablement

    • Provide security training for developers
    • Create internal documentation for common patterns
    • Establish security champions program

Common Use Cases

New Project Setup

./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube

Custom Rule Development

# See references/semgrep-rules.md for detailed examples
rules:
  - id: hardcoded-jwt-secret
    pattern: jwt.encode($DATA, "...", ...)
    message: JWT secret should not be hardcoded
    severity: ERROR

Compliance Scanning

# PCI-DSS focused scan
semgrep --config p/pci-dss --json -o pci-scan-results.json

Troubleshooting

High False Positive Rate

  • Review and tune rule sensitivity
  • Add path filters to exclude test files
  • Use nostmt metadata for noisy patterns
  • Create organization-specific rule exceptions

Performance Issues

  • Enable incremental scanning
  • Parallelize scans across modules
  • Optimize rule patterns for efficiency
  • Cache dependencies and scan results

Integration Failures

  • Verify API tokens and credentials
  • Check network connectivity and proxy settings
  • Review SARIF output format compatibility
  • Validate CI/CD runner permissions

Related Skills

Tool Comparison

ToolBest ForLanguage SupportCostIntegration
SemgrepCustom rules, fast scans30+ languagesFree/EnterpriseExcellent
SonarQubeCode quality + security25+ languagesFree/CommercialGood
CodeQLDeep analysis, research10+ languagesFree (OSS)GitHub native

Next Steps

  1. Complete initial SAST tool setup
  2. Run baseline security scan
  3. Create custom rules for organization-specific patterns
  4. Integrate into CI/CD pipeline
  5. Establish security gate policies
  6. Train development team on findings and remediation

Quick Install

/plugin add https://github.com/camoneart/claude-code/tree/main/sast-configuration

Copy and paste this command in Claude Code to install this skill

GitHub 仓库

camoneart/claude-code
Path: skills/sast-configuration

Related Skills

sglang

Meta

SGLang is a high-performance LLM serving framework that specializes in fast, structured generation for JSON, regex, and agentic workflows using its RadixAttention prefix caching. It delivers significantly faster inference, especially for tasks with repeated prefixes, making it ideal for complex, structured outputs and multi-turn conversations. Choose SGLang over alternatives like vLLM when you need constrained decoding or are building applications with extensive prefix sharing.

View skill

evaluating-llms-harness

Testing

This Claude Skill runs the lm-evaluation-harness to benchmark LLMs across 60+ standardized academic tasks like MMLU and GSM8K. It's designed for developers to compare model quality, track training progress, or report academic results. The tool supports various backends including HuggingFace and vLLM models.

View skill

webapp-testing

Testing

This Claude Skill provides a Playwright-based toolkit for testing local web applications through Python scripts. It enables frontend verification, UI debugging, screenshot capture, and log viewing while managing server lifecycles. Use it for browser automation tasks but run scripts directly rather than reading their source code to avoid context pollution.

View skill

business-rule-documentation

Meta

This skill provides standardized templates for systematically documenting business logic and domain knowledge following Domain-Driven Design principles. It helps developers capture business rules, process flows, decision trees, and terminology glossaries to maintain consistency between requirements and implementation. Use it when documenting domain models, creating business rule repositories, or bridging communication between business and technical teams.

View skill