SAST Configuration
Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.
Use this skill when
- Set up SAST scanning in CI/CD pipelines
- Create custom security rules for your codebase
- Configure quality gates and compliance policies
- Optimize scan performance and reduce false positives
- Integrate multiple SAST tools for defense-in-depth
Do not use this skill when
- You only need DAST or manual penetration testing guidance
- You cannot access source code or CI/CD pipelines
- You need organizational policy decisions rather than tooling setup
Instructions
- Identify the languages, repositories, and compliance requirements in scope.
- Choose tools and define a baseline policy (which severities block a build, which rule sets run).
- Integrate scans into CI/CD with gating thresholds so that failing the gate fails the pipeline.
- Tune rules and suppressions based on confirmed false positives, recording a reason for each suppression.
- Track remediation and verify fixes by re-scanning rather than closing findings by hand.
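The steps above end in a gate that consumes scanner output, applies the agreed suppressions and compares what remains against the policy thresholds. The script below is an added example, not code from this skill or from Semgrep: it assumes findings arrive in the shape of `semgrep scan --json` output (`results[].check_id`, `results[].path`, `results[].start.line`, `results[].extra.severity`, `results[].extra.fingerprint`), while the sample findings, the baseline file format and the threshold policy are constructed for the example. Suppressed findings are still reported, and baseline entries that no longer match anything are flagged as stale so the suppression list cannot quietly outlive the code it was written for.

```python
"""CI quality gate over Semgrep JSON output (added example, not part of the skill).

Assumed input shape (Semgrep `--json`): results[].check_id, results[].path,
results[].start.line, results[].extra.severity, results[].extra.fingerprint.
The baseline format and threshold policy below are this example's own design.
"""
import json
from collections import Counter

# Constructed sample of scanner output, trimmed to the fields the gate reads.
SAMPLE_SEMGREP_JSON = json.dumps({
    "results": [
        {"check_id": "python.lang.security.audit.subprocess-shell-true",
         "path": "app/runner.py", "start": {"line": 42},
         "extra": {"severity": "ERROR", "fingerprint": "a1b2", "message": "shell=True"}},
        {"check_id": "python.lang.security.audit.subprocess-shell-true",
         "path": "tools/legacy.py", "start": {"line": 7},
         "extra": {"severity": "ERROR", "fingerprint": "c3d4", "message": "shell=True"}},
        {"check_id": "python.lang.security.audit.insecure-hash",
         "path": "app/cache.py", "start": {"line": 15},
         "extra": {"severity": "WARNING", "fingerprint": "e5f6", "message": "md5"}},
        {"check_id": "python.lang.best-practice.unused-import",
         "path": "app/cache.py", "start": {"line": 1},
         "extra": {"severity": "INFO", "fingerprint": "0718", "message": "unused"}},
    ],
    "errors": [],
})

# Constructed baseline: fingerprint -> documented reason. "dead1" no longer
# matches any finding and should be reported as stale.
BASELINE = {
    "c3d4": "accepted risk: tools/legacy.py runs only inside the isolated build container",
    "dead1": "false positive fixed upstream in rule set v2",
}

# Policy: a severity with more unsuppressed findings than its limit fails the gate.
# INFO is deliberately absent, so it never blocks a build.
DEFAULT_THRESHOLDS = {"ERROR": 0, "WARNING": 5}


def load_findings(raw_json):
    """Parse scanner output. Scan errors mean incomplete coverage, so they are
    a failed scan, not a clean one."""
    data = json.loads(raw_json)
    if data.get("errors"):
        raise RuntimeError("scanner reported errors, coverage incomplete: %r" % data["errors"])
    return data["results"]


def evaluate_gate(findings, baseline, thresholds):
    """Apply the baseline, count what remains per severity, compare to policy.

    Returns a dict with keys passed, counts, suppressed, stale and violations.
    """
    counts = Counter()
    suppressed = []
    matched = set()
    for finding in findings:
        fingerprint = finding["extra"].get("fingerprint")
        if fingerprint in baseline:
            suppressed.append(finding)
            matched.add(fingerprint)
            continue
        counts[finding["extra"]["severity"]] += 1
    violations = [sev for sev, limit in thresholds.items() if counts[sev] > limit]
    return {
        "passed": not violations,
        "counts": dict(counts),
        "suppressed": suppressed,
        "stale": sorted(set(baseline) - matched),   # suppressions that matched nothing
        "violations": violations,
    }


def format_report(result):
    """Human-readable summary for the CI log; suppressed findings stay visible."""
    lines = ["counts: %s" % result["counts"]]
    for finding in result["suppressed"]:
        lines.append("suppressed %s %s:%d" % (
            finding["check_id"], finding["path"], finding["start"]["line"]))
    for fingerprint in result["stale"]:
        lines.append("stale baseline entry %s (fix it or drop it)" % fingerprint)
    lines.append("gate %s %s" % ("PASSED" if result["passed"] else "FAILED",
                                 result["violations"]))
    return "\n".join(lines)


def main(raw_json=SAMPLE_SEMGREP_JSON, baseline=BASELINE, thresholds=DEFAULT_THRESHOLDS):
    """Exit status for the pipeline: 0 passes the gate, 1 blocks the merge."""
    result = evaluate_gate(load_findings(raw_json), baseline, thresholds)
    print(format_report(result))
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

In a real pipeline the raw JSON comes from the scanner's output file and the baseline is a versioned file reviewed like code; the point of keying suppressions on the scanner's fingerprint rather than on file and line is that a refactor that moves the code does not silently un-suppress or, worse, mis-suppress a different finding.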
Safety
- Do not send source from sensitive repositories to third-party or hosted scanning services without approval.
- Keep secrets out of scan artifacts and logs: findings quote the matched source line, so a hard-coded credential in the code ends up verbatim in the report.
Overview
This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL.
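A custom rule is the usual first piece of tool-specific configuration. The rule below is an added example written for Semgrep, not a rule shipped by this skill or by the Semgrep registry: the rule id, message, metadata and path exclusion are this example's own choices. It flags `subprocess` calls made with `shell=True`, excludes the case where the command is a string literal (a constant command cannot carry injected input, so reporting it is a false positive worth tuning away), and skips test code.

```yaml
rules:
  - id: custom-subprocess-shell-true   # example rule id, not from the registry
    languages: [python]
    severity: ERROR
    message: >-
      subprocess invoked with shell=True. If any part of the command string is
      attacker-influenced this is OS command injection; pass an argument list
      and drop shell=True.
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
      confidence: HIGH
    patterns:
      # any subprocess.<function>(..., shell=True, ...) call
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      # constant command strings cannot be injected into; do not report them
      - pattern-not: subprocess.$FUNC("...", shell=True, ...)
    paths:
      exclude:
        - tests/
```

Check the rule before wiring it into the pipeline: `semgrep --validate --config custom-subprocess-shell-true.yaml` rejects a malformed rule, and a small fixture file with one call that should match and one that should not confirms that the `pattern-not` exclusion behaves as intended.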