AgentSkillsCN

sast-configuration

Expert in enterprise-grade Scala development, skilled at applying functional programming, distributed systems, and big-data processing technologies. Deep expertise in Apache Pekko, Akka, Spark, ZIO/Cats Effect, and reactive architecture. Proactively select this skill for Scala system design, performance optimization, or enterprise integration.

SKILL.md
---
version: 4.1.0-fractal
name: sast-configuration
description: Configure Static Application Security Testing (SAST) tools for automated vulnerability detection in application code. Use when setting up security scanning, implementing DevSecOps practices, or automating code vulnerability detection.
---

SAST Configuration

Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.

Use this skill when

  • Setting up SAST scanning in CI/CD pipelines
  • Creating custom security rules for your codebase
  • Configuring quality gates and compliance policies
  • Optimizing scan performance and reducing false positives
  • Integrating multiple SAST tools for defense in depth

Do not use this skill when

  • You only need DAST or manual penetration testing guidance
  • You cannot access source code or CI/CD pipelines
  • You need organizational policy decisions rather than tooling setup

Instructions

  1. Identify languages, repos, and compliance requirements.
  2. Choose tools and define a baseline policy.
  3. Integrate scans into CI/CD with gating thresholds.
  4. Tune rules and suppressions based on false positives.
  5. Track remediation and verify fixes.
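Steps 3 and 4 of the procedure above (gating thresholds and tuning suppressions) as a worked example. This is an added illustration, not part of the sast-configuration skill's own material. It assumes a report in the shape of Semgrep's `--json` output (`results[].check_id`, `path`, `start.line`, `extra.severity`, `extra.fingerprint`); the report, the baseline and the path exclusions are all constructed sample data. The gate fails the pipeline on any ERROR finding, allows a bounded number of WARNINGs, honours a reviewed baseline of accepted false positives, and only lets path exclusions hide lower-severity findings, so a real ERROR-class finding in test code is still gated.

```python
"""
SAST quality gate: parse a Semgrep-style JSON report, apply reviewed
suppressions, and pass or fail the build against severity thresholds.

Added example for the sast-configuration skill page; not the skill's own code.
The report shape is modelled on Semgrep's `--json` output (an assumption);
all data below is constructed.
"""
import json
from collections import Counter

# Constructed sample report in the shape of `semgrep --json` output.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"check_id": "python.lang.security.audit.subprocess-shell-true",
         "path": "app/run.py", "start": {"line": 12},
         "extra": {"severity": "ERROR", "message": "subprocess with shell=True",
                   "fingerprint": "aaa111"}},
        {"check_id": "python.django.security.injection.sql",
         "path": "app/views.py", "start": {"line": 40},
         "extra": {"severity": "ERROR", "message": "raw SQL built from request data",
                   "fingerprint": "bbb222"}},
        {"check_id": "python.lang.best-practice.open-never-closed",
         "path": "tools/report.py", "start": {"line": 3},
         "extra": {"severity": "WARNING", "message": "file handle not closed",
                   "fingerprint": "ccc333"}},
        {"check_id": "python.lang.security.audit.insecure-hash",
         "path": "tests/fixtures.py", "start": {"line": 7},
         "extra": {"severity": "WARNING", "message": "md5 used",
                   "fingerprint": "ddd444"}},
    ],
    "errors": [],
})

# Constructed baseline of triaged findings: fingerprint -> reviewer's reason.
# Recording the reason keeps every suppression auditable (step 4 of the skill).
BASELINE = {
    "aaa111": "command is a fixed literal with no user input; tracked in TICKET-123",
}

# Path prefixes where lower-severity findings are not gated (hypothetical policy).
EXCLUDED_PREFIXES = ("tests/",)


def parse_findings(report_json):
    """Return normalised findings from a Semgrep-style JSON report."""
    data = json.loads(report_json)
    findings = []
    for r in data.get("results", []):
        extra = r.get("extra", {})
        findings.append({
            "rule": r["check_id"],
            "path": r["path"],
            "line": r["start"]["line"],
            "severity": extra.get("severity", "INFO").upper(),
            "fingerprint": extra.get("fingerprint", ""),
            "message": extra.get("message", ""),
        })
    return findings


def apply_suppressions(findings, baseline, excluded_prefixes):
    """Split findings into (gated, suppressed).

    A finding is suppressed if its fingerprint is in the reviewed baseline, or
    if it is below ERROR severity and lives under an excluded path prefix.
    ERROR findings are never hidden by path alone.
    """
    kept, suppressed = [], []
    for f in findings:
        if f["fingerprint"] in baseline:
            suppressed.append(f)
        elif f["severity"] != "ERROR" and f["path"].startswith(excluded_prefixes):
            suppressed.append(f)
        else:
            kept.append(f)
    return kept, suppressed


def evaluate_gate(findings, max_errors=0, max_warnings=5):
    """Return (passed, counts_by_severity) for the gating thresholds."""
    counts = Counter(f["severity"] for f in findings)
    passed = counts["ERROR"] <= max_errors and counts["WARNING"] <= max_warnings
    return passed, dict(counts)


def run_gate(report_json, baseline=BASELINE, excluded_prefixes=EXCLUDED_PREFIXES,
             max_errors=0, max_warnings=5):
    """Whole pipeline step: parse, suppress, evaluate. Returns a summary dict."""
    findings = parse_findings(report_json)
    kept, suppressed = apply_suppressions(findings, baseline, excluded_prefixes)
    passed, counts = evaluate_gate(kept, max_errors, max_warnings)
    return {"passed": passed, "counts": counts, "gated": kept, "suppressed": suppressed}


if __name__ == "__main__":
    summary = run_gate(SAMPLE_REPORT)
    for f in summary["gated"]:
        print(f"{f['severity']:7} {f['path']}:{f['line']} {f['rule']}")
    print("suppressed:", len(summary["suppressed"]), "gate passed:", summary["passed"])
    # Non-zero exit code is what makes a CI job fail on the gate.
    raise SystemExit(0 if summary["passed"] else 1)
```

In a CI job this script would consume the report file written by the scanner and its exit status would decide the job; the baseline file should live in version control and change only through review, so that a suppression is as visible as the code it excuses.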

Safety

  • Avoid scanning sensitive repos with third-party services without approval.
  • Prevent leaks of secrets in scan artifacts and logs.

Overview

This skill provides comprehensive guidance for setting up and configuring SAST tools, including Semgrep, SonarQube, and CodeQL.

Core Capabilities

🧠 Knowledge Modules (Fractal Skills)

  1. Semgrep Configuration
  2. SonarQube Setup
  3. CodeQL Analysis
  4. Initial Assessment
  5. Basic Setup
  6. CI/CD Pipeline Integration
  7. Pre-commit Hook
  8. New Project Setup
  9. Custom Rule Development
  10. Compliance Scanning
  11. High False Positive Rate
  12. Performance Issues
  13. Integration Failures