Configures SAST scanning (Semgrep, SonarQube, CodeQL) in CI/CD pipelines, creates custom rules, and tunes false positives for multi-language codebases.
How this skill is triggered — by the user, by Claude, or both
Slash command
/agentic-awesome-skills:sast-configurationThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.
Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.
This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL.
# Semgrep quick start
pip install semgrep
semgrep --config=auto --error
# SonarQube with Docker
docker run -d --name sonarqube -p 9000:9000 sonarqube:latest
# CodeQL CLI setup
gh extension install github/gh-codeql
codeql database create mydb --language=python
# GitHub Actions example
- name: Run Semgrep
uses: returntocorp/semgrep-action@v1
with:
config: >-
p/security-audit
p/owasp-top-ten
# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
rev: v1.45.0
hooks:
- id: semgrep
args: ['--config=auto', '--error']
Start with Baseline
Incremental Adoption
False Positive Management
Performance Optimization
Team Enablement
./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube
# See references/semgrep-rules.md for detailed examples
rules:
- id: hardcoded-jwt-secret
pattern: jwt.encode($DATA, "...", ...)
message: JWT secret should not be hardcoded
severity: ERROR
# PCI-DSS focused scan
semgrep --config p/pci-dss --json -o pci-scan-results.json
| Tool | Best For | Language Support | Cost | Integration |
|---|---|---|---|---|
| Semgrep | Custom rules, fast scans | 30+ languages | Free/Enterprise | Excellent |
| SonarQube | Code quality + security | 25+ languages | Free/Commercial | Good |
| CodeQL | Deep analysis, research | 10+ languages | Free (OSS) | GitHub native |
npx claudepluginhub sickn33/agentic-awesome-skills --plugin agentic-awesome-skills136plugins reuse this skill
First indexed Jun 3, 2026
Showing the 6 earliest of 136 plugins
Configures SAST scanning (Semgrep, SonarQube, CodeQL) in CI/CD pipelines, creates custom rules, and tunes false positives for multi-language codebases.
Configures SAST tools (Semgrep, SonarQube, CodeQL) for automated vulnerability detection in CI/CD pipelines. Use when setting up security scanning or implementing DevSecOps practices.
Configures SAST tools (Semgrep, SonarQube, CodeQL) for automated vulnerability detection. Covers custom rules, CI/CD integration, quality gates, and false positive tuning.