M
MCP.directory

sast-configuration

by wshobson
20
0
Source

Configure Static Application Security Testing (SAST) tools for automated vulnerability detection in application code. Use when setting up security scanning, implementing DevSecOps practices, or automating code vulnerability detection.

Install

mkdir -p .claude/skills/sast-configuration && curl -L -o skill.zip "https://mcp.directory/api/skills/download/1460" && unzip -o skill.zip -d .claude/skills/sast-configuration && rm skill.zip

Installs to .claude/skills/sast-configuration

About this skill

SAST Configuration

Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.

Overview

This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL. Use this skill when you need to:

  • Set up SAST scanning in CI/CD pipelines
  • Create custom security rules for your codebase
  • Configure quality gates and compliance policies
  • Optimize scan performance and reduce false positives
  • Integrate multiple SAST tools for defense-in-depth

Core Capabilities

1. Semgrep Configuration

  • Custom rule creation with pattern matching
  • Language-specific security rules (Python, JavaScript, Go, Java, etc.)
  • CI/CD integration (GitHub Actions, GitLab CI, Jenkins)
  • False positive tuning and rule optimization
  • Organizational policy enforcement

2. SonarQube Setup

  • Quality gate configuration
  • Security hotspot analysis
  • Code coverage and technical debt tracking
  • Custom quality profiles for languages
  • Enterprise integration with LDAP/SAML

3. CodeQL Analysis

  • GitHub Advanced Security integration
  • Custom query development
  • Vulnerability variant analysis
  • Security research workflows
  • SARIF result processing

Quick Start

Initial Assessment

  1. Identify primary programming languages in your codebase
  2. Determine compliance requirements (PCI-DSS, SOC 2, etc.)
  3. Choose SAST tool based on language support and integration needs
  4. Review baseline scan to understand current security posture

Basic Setup

# Semgrep quick start
pip install semgrep
semgrep --config=auto --error

# SonarQube with Docker
docker run -d --name sonarqube -p 9000:9000 sonarqube:latest

# CodeQL CLI setup
gh extension install github/gh-codeql
codeql database create mydb --language=python

Reference Documentation

Templates & Assets

Integration Patterns

CI/CD Pipeline Integration

# GitHub Actions example
- name: Run Semgrep
  uses: returntocorp/semgrep-action@v1
  with:
    config: >-
      p/security-audit
      p/owasp-top-ten

Pre-commit Hook

# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
  rev: v1.45.0
  hooks:
    - id: semgrep
      args: ['--config=auto', '--error']

Best Practices

  1. Start with Baseline

    • Run initial scan to establish security baseline
    • Prioritize critical and high severity findings
    • Create remediation roadmap

  2. Incremental Adoption

    • Begin with security-focused rules
    • Gradually add code quality rules
    • Implement blocking only for critical issues

  3. False Positive Management

    • Document legitimate suppressions
    • Create allow lists for known safe patterns
    • Regularly review suppressed findings

  4. Performance Optimization

    • Exclude test files and generated code
    • Use incremental scanning for large codebases
    • Cache scan results in CI/CD

  5. Team Enablement

    • Provide security training for developers
    • Create internal documentation for common patterns
    • Establish security champions program

Common Use Cases

New Project Setup

./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube

Custom Rule Development

# See references/semgrep-rules.md for detailed examples
rules:
  - id: hardcoded-jwt-secret
    pattern: jwt.encode($DATA, "...", ...)
    message: JWT secret should not be hardcoded
    severity: ERROR

Compliance Scanning

# PCI-DSS focused scan
semgrep --config p/pci-dss --json -o pci-scan-results.json

Troubleshooting

High False Positive Rate

  • Review and tune rule sensitivity
  • Add path filters to exclude test files
  • Use nostmt metadata for noisy patterns
  • Create organization-specific rule exceptions

Performance Issues

  • Enable incremental scanning
  • Parallelize scans across modules
  • Optimize rule patterns for efficiency
  • Cache dependencies and scan results

Integration Failures

  • Verify API tokens and credentials
  • Check network connectivity and proxy settings
  • Review SARIF output format compatibility
  • Validate CI/CD runner permissions

Related Skills

Tool Comparison

ToolBest ForLanguage SupportCostIntegration
SemgrepCustom rules, fast scans30+ languagesFree/EnterpriseExcellent
SonarQubeCode quality + security25+ languagesFree/CommercialGood
CodeQLDeep analysis, research10+ languagesFree (OSS)GitHub native

Next Steps

  1. Complete initial SAST tool setup
  2. Run baseline security scan
  3. Create custom rules for organization-specific patterns
  4. Integrate into CI/CD pipeline
  5. Establish security gate policies
  6. Train development team on findings and remediation

More by wshobson

View all →

fastapi-templates

wshobson

Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.

140168

react-native-architecture

wshobson

Build production React Native apps with Expo, navigation, native modules, offline sync, and cross-platform patterns. Use when developing mobile apps, implementing native integrations, or architecting React Native projects.

5629

api-design-principles

wshobson

Master REST and GraphQL API design principles to build intuitive, scalable, and maintainable APIs that delight developers. Use when designing new APIs, reviewing API specifications, or establishing API design standards.

10729

grafana-dashboards

wshobson

Create and manage production Grafana dashboards for real-time visualization of system and application metrics. Use when building monitoring dashboards, visualizing metrics, or creating operational observability interfaces.

9721

stripe-integration

wshobson

Implement Stripe payment processing for robust, PCI-compliant payment flows including checkout, subscriptions, and webhooks. Use when integrating Stripe payments, building subscription systems, or implementing secure checkout flows.

10919

python-testing-patterns

wshobson

Implement comprehensive testing strategies with pytest, fixtures, mocking, and test-driven development. Use when writing Python tests, setting up test suites, or implementing testing best practices.

9717

You might also like

flutter-development

aj-geddes

Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.

277787

drawio-diagrams-enhanced

jgtolentino

Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.

204415

godot

bfollington

This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.

197279

nano-banana-pro

garg-aayush

Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.

210231

ui-ux-pro-max

nextlevelbuilder

"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."

168197

rust-coding-skill

UtakataKyosui

Guides Claude in writing idiomatic, efficient, well-structured Rust code using proper data modeling, traits, impl organization, macros, and build-speed best practices.

165173

Stay ahead of the MCP ecosystem

Get weekly updates on new skills and servers.