Is this skill specific to a certain programming language?

No, it covers a wide range of environments including Python, JavaScript, Go, and Java, with language-specific security profiles for each.

Does it support custom security rules?

Absolutely. It provides detailed guidance and templates for creating custom security patterns and rules tailored to your project's specific security needs.

How does it handle false positives?

The skill offers strategies for tuning rule sensitivity, excluding specific paths like test files, and implementing organization-specific exceptions to reduce noise.

Can I use this for CI/CD integration?

Yes, the skill includes templates and patterns for integrating security scans into GitHub Actions, GitLab CI, Jenkins, and pre-commit hooks.

What tools does this skill support?

It provides comprehensive configuration guidance for major SAST tools including Semgrep, SonarQube, and CodeQL across various programming languages.

SAST Configuration & Security Scanning

Name: SAST Configuration & Security Scanning
Author: HermeticOrmus

byHermeticOrmus

0•

Security & Testing

Configures and optimizes Static Application Security Testing (SAST) tools to automate code vulnerability detection and enforce DevSecOps best practices.

This skill provides specialized guidance for implementing comprehensive Static Application Security Testing (SAST) across modern software projects. It streamlines the setup of industry-standard tools like Semgrep, SonarQube, and CodeQL, enabling developers to automate vulnerability detection, create custom security rules, and integrate security checkpoints directly into CI/CD pipelines. It is particularly useful for teams looking to 'shift security left,' reduce technical debt, and ensure compliance with security standards like PCI-DSS or SOC 2 through automated, high-performance code analysis.

Key Features

01Performance optimization and false-positive reduction strategies

02Language-specific security profiling and compliance mapping

03CI/CD pipeline integration and quality gate enforcement

04Custom security rule creation and pattern matching

05Multi-tool setup for Semgrep, SonarQube, and CodeQL

060 GitHub stars

Use Cases

01Setting up automated security scanning in GitHub Actions or GitLab CI pipelines

02Implementing blocking quality gates to prevent insecure code from reaching production

03Creating custom security rules to catch organization-specific code vulnerabilities

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add hermeticormus/hermetic-line sast-configuration

For use in Claude.ai and ChatGPT

Download Skill