SAST Triage Skill
Systematically triage static application security testing (SAST) results to separate real vulnerabilities from false positives and prioritize remediation.
Trigger Conditions
- CI security scan produces findings
- gosec, golangci-lint, or govulncheck run completes
- Dependency update introduces new vulnerabilities
- User invokes with "triage security findings" or "sast-triage"
Input Contract
- Required: SAST tool output (gosec JSON, golangci-lint output, govulncheck results)
- Optional: Previous triage results for delta comparison
Output Contract
- Classified findings: Critical/High/Medium/Low/FalsePositive
- CWE/CVE mapping for each finding
- Remediation priority with estimated effort
- False positive justifications
Tool Permissions
- Read: All Go source files, SAST output, go.mod, go.sum
- Write: Triage report
- Search: Grep for vulnerable patterns, dependency versions
- Shell: Run gosec, govulncheck, golangci-lint
Execution Steps
- Collect findings: Run or parse SAST tool outputs
- Deduplicate: Merge findings across tools that point to the same issue
- Filter false positives: Identify findings that are false positives due to context (e.g., test files, disabled code)
- Map to CWE/CVE: Link each finding to its CWE or CVE identifier
- Report: Produce triage report with actions for each finding
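As an added illustration of the execution steps above (example code, not part of this skill's own tooling), the following script parses gosec JSON output, deduplicates findings that point at the same file, line and rule, applies the test-file false-positive rule, maps each finding to its CWE and orders the report by class. The input is a constructed sample whose field names follow gosec's JSON schema as assumed here, and the severity/confidence thresholds used for classification are an assumption rather than a rule stated by the skill.

```python
import json

# Constructed gosec-style output (field names assumed from gosec's JSON schema);
# not the result of a real scan. The first two entries are a deliberate duplicate.
SAMPLE_GOSEC_JSON = json.dumps({"Issues": [
    {"severity": "HIGH", "confidence": "HIGH", "cwe": {"id": "78"}, "rule_id": "G204",
     "details": "Subprocess launched with variable", "file": "internal/run.go", "line": "42"},
    {"severity": "HIGH", "confidence": "HIGH", "cwe": {"id": "78"}, "rule_id": "G204",
     "details": "Subprocess launched with variable", "file": "internal/run.go", "line": "42"},
    {"severity": "MEDIUM", "confidence": "HIGH", "cwe": {"id": "22"}, "rule_id": "G304",
     "details": "Potential file inclusion via variable", "file": "internal/run_test.go", "line": "17"},
    {"severity": "LOW", "confidence": "HIGH", "cwe": {"id": "703"}, "rule_id": "G104",
     "details": "Errors unhandled", "file": "cmd/main.go", "line": "88"},
]})

# Report ordering: most urgent first, justified false positives last.
CLASS_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "FalsePositive": 4}

def classify(finding):
    """Apply the context rule (test files) first, then severity/confidence (assumed thresholds)."""
    if finding["file"].endswith("_test.go"):
        return "FalsePositive", "located in a test file; not shipped code"
    sev, conf = finding["severity"], finding["confidence"]
    if sev == "HIGH" and conf == "HIGH":
        return "Critical", "high severity and high confidence"
    if sev == "HIGH":
        return "High", "high severity; confidence below HIGH, confirm manually"
    if sev == "MEDIUM":
        return "Medium", ""
    return "Low", ""

def triage(gosec_json):
    """Parse gosec JSON, deduplicate on (file, line, rule), classify and sort by priority."""
    issues = json.loads(gosec_json)["Issues"]
    seen, report = set(), []
    for f in issues:
        key = (f["file"], f["line"], f["rule_id"])
        if key in seen:
            continue  # same issue reported twice (e.g. overlapping tool runs)
        seen.add(key)
        cls, why = classify(f)
        report.append({"rule": f["rule_id"], "cwe": f"CWE-{f['cwe']['id']}",
                       "location": f"{f['file']}:{f['line']}", "class": cls, "justification": why})
    report.sort(key=lambda r: CLASS_ORDER[r["class"]])
    return report

if __name__ == "__main__":
    for r in triage(SAMPLE_GOSEC_JSON):
        print(f"{r['class']:<14}{r['cwe']:<9}{r['rule']:<6}{r['location']}  {r['justification']}")
```

Feeding it a real `gosec -fmt=json` file in place of the constructed sample yields the same deduplicated, classified list; findings from other tools need their own parser but the same triage and ordering logic.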