Skill

sast-configuration

Configure and deploy Static Application Security Testing (SAST) tools to find vulnerabilities in source code during development.

From application-security

Install

Run in your terminal

npx claudepluginhub sethdford/claude-skills --plugin security-application-security

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

ecc

140.7k

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

ecc

140.7k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

140.7k

Stats

Parent Repo Stars3

Parent Repo Forks0

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Domain Context

SAST Tools: SonarQube, Checkmarx, Semgrep, Fortify, Veracode (commercial), Snyk Code (SaaS), GitHub CodeQL

Vulnerability Categories: Injection flaws, buffer overflows, weak crypto, hardcoded secrets, authentication/authorization bugs

Integration Points: IDE plugins for developers, CI/CD pipeline for automated scanning, artifact repository scanning

Tuning: False positive rates, scan performance, custom rules for organizational patterns

Instructions

Select SAST Tool:

Open Source: Semgrep (flexible, extensible), SonarQube (popular, community edition free)
Commercial: Checkmarx, Fortify, Veracode (higher accuracy, cost)
Cloud/SaaS: Snyk Code, GitHub Advanced Security, GitLab SAST
Consider: supported languages, integration with your CI/CD, customization needs

Configure Tool:

Install and configure for your tech stack (Java, Python, Go, JavaScript, C++, etc.)
Set up custom rules for organizational patterns
Define vulnerability severity thresholds
Configure to fail builds on Critical/High findings

Integrate into Development:

IDE Integration: Developer scanning before commit (Semgrep in IDE, SonarLint)
CI/CD: Scan on every commit; fail pipeline on security issues
Code Review: Surface SAST results in pull request/code review tools
Artifact Registry: Scan dependencies when pulled

Tune for Your Codebase:

Run baseline scan; identify false positives
Create custom rules for organizational coding patterns
Adjust severity thresholds to balance security/developer friction
Establish remediation SLA (Critical: 24 hours, High: 1 week, Medium: sprint)

Measure & Improve:

Track vulnerability trends (are we finding more or fewer vulnerabilities?)
Measure remediation rate (what % of findings are fixed?)
Collect false positive rate and iterate on rules
Annually review tool coverage vs. threat landscape

Anti-Patterns

Enabling all SAST rules out-of-the-box; high false positive rates cause developers to ignore results; start conservative and add rules gradually

Running SAST only on main branch; scan every pull request so developers see issues immediately

Treating SAST results as gospel; SAST finds many false positives; review and categorize findings, don't auto-remediate

Not integrating with IDE/CI; if developers don't see results in their workflow, they won't act on them

Never updating rules; new vulnerability patterns emerge; update rules quarterly based on threat landscape

Domain Context

SAST Tools: SonarQube, Checkmarx, Semgrep, Fortify, Veracode (commercial), Snyk Code (SaaS), GitHub CodeQL

Vulnerability Categories: Injection flaws, buffer overflows, weak crypto, hardcoded secrets, authentication/authorization bugs

Integration Points: IDE plugins for developers, CI/CD pipeline for automated scanning, artifact repository scanning

Tuning: False positive rates, scan performance, custom rules for organizational patterns

Instructions

Select SAST Tool:

Open Source: Semgrep (flexible, extensible), SonarQube (popular, community edition free)
Commercial: Checkmarx, Fortify, Veracode (higher accuracy, cost)
Cloud/SaaS: Snyk Code, GitHub Advanced Security, GitLab SAST
Consider: supported languages, integration with your CI/CD, customization needs

Configure Tool:

Install and configure for your tech stack (Java, Python, Go, JavaScript, C++, etc.)
Set up custom rules for organizational patterns
Define vulnerability severity thresholds
Configure to fail builds on Critical/High findings

Integrate into Development:

IDE Integration: Developer scanning before commit (Semgrep in IDE, SonarLint)
CI/CD: Scan on every commit; fail pipeline on security issues
Code Review: Surface SAST results in pull request/code review tools
Artifact Registry: Scan dependencies when pulled

Tune for Your Codebase:

Run baseline scan; identify false positives
Create custom rules for organizational coding patterns
Adjust severity thresholds to balance security/developer friction
Establish remediation SLA (Critical: 24 hours, High: 1 week, Medium: sprint)

Measure & Improve:

Track vulnerability trends (are we finding more or fewer vulnerabilities?)
Measure remediation rate (what % of findings are fixed?)
Collect false positive rate and iterate on rules
Annually review tool coverage vs. threat landscape

Anti-Patterns

Enabling all SAST rules out-of-the-box; high false positive rates cause developers to ignore results; start conservative and add rules gradually

Running SAST only on main branch; scan every pull request so developers see issues immediately

Treating SAST results as gospel; SAST finds many false positives; review and categorize findings, don't auto-remediate

Not integrating with IDE/CI; if developers don't see results in their workflow, they won't act on them

Never updating rules; new vulnerability patterns emerge; update rules quarterly based on threat landscape

sast-configuration

sast-configuration

SAST Configuration

Context

Domain Context

Instructions

Anti-Patterns

Further Reading

SAST Configuration

Context

Domain Context

Instructions

Anti-Patterns

Further Reading