Does it support custom security rule creation?

Absolutely. It includes specific guidance and templates for developing custom rules that target unique security requirements or proprietary code patterns.

How does this skill help with false positives?

It provides strategies for rule tuning, pattern optimization, and exclusion management to ensure developers only spend time on actionable security findings.

Can I use this for CI/CD integration?

Yes, it includes templates and examples for integrating security scans into various platforms like GitHub Actions, GitLab CI, and Jenkins.

Which SAST tools does this skill support?

The skill provides comprehensive configuration guidance for Semgrep, SonarQube, and CodeQL, covering a wide range of programming languages and frameworks.

SAST Configuration & Security Scanning

Name: SAST Configuration & Security Scanning
Author: HermeticOrmus

byHermeticOrmus

Security & Testing

Configures and optimizes Static Application Security Testing (SAST) tools to automate vulnerability detection within your codebase.

About

This skill streamlines the implementation of DevSecOps by providing expert guidance on setting up and fine-tuning industry-leading SAST tools like Semgrep, SonarQube, and CodeQL. It assists developers in creating custom security rules, establishing quality gates, and integrating automated scanning into CI/CD pipelines. Whether you are aiming for regulatory compliance or simply reducing technical debt, this skill helps minimize false positives and ensures a robust security posture across multiple programming languages and frameworks.

Key Features

Custom security rule and pattern matching creation
Compliance-focused policy enforcement for PCI-DSS and SOC 2
Multi-tool setup for Semgrep, SonarQube, and CodeQL
CI/CD pipeline integration for automated security gates
0 GitHub stars
False positive reduction and scan performance tuning

Use Cases

Conducting a baseline security audit and remediation roadmap for legacy codebases
Implementing automated security scanning in a new GitHub Actions or GitLab CI pipeline
Creating organization-specific security rules to catch proprietary code vulnerabilities

About

Key Features

Custom security rule and pattern matching creation
Compliance-focused policy enforcement for PCI-DSS and SOC 2
Multi-tool setup for Semgrep, SonarQube, and CodeQL
CI/CD pipeline integration for automated security gates
0 GitHub stars
False positive reduction and scan performance tuning

Use Cases

Conducting a baseline security audit and remediation roadmap for legacy codebases
Implementing automated security scanning in a new GitHub Actions or GitLab CI pipeline
Creating organization-specific security rules to catch proprietary code vulnerabilities