What is SAST and why use multiple tools?

SAST analyzes source code for vulnerabilities during development; using Semgrep, SonarQube, and CodeQL provides broad language coverage and defense-in-depth.

How do I reduce false positives?

Start with a baseline, tune and customize rules, document legitimate suppressions, and use allow lists while adopting incremental improvements.

How do I integrate SAST into CI/CD?

Leverage CI/CD integrations such as GitHub Actions, GitLab CI, or Jenkins, use provided YAML or action steps, and process SARIF results to triage findings efficiently.

sast-configuration

npx machina-cli add skill wshobson/agents/sast-configuration --openclaw

Files (1)

SKILL.md

5.9 KB

SAST Configuration

Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.

Overview

This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL. Use this skill when you need to:

Set up SAST scanning in CI/CD pipelines
Create custom security rules for your codebase
Configure quality gates and compliance policies
Optimize scan performance and reduce false positives
Integrate multiple SAST tools for defense-in-depth

Core Capabilities

1. Semgrep Configuration

Custom rule creation with pattern matching
Language-specific security rules (Python, JavaScript, Go, Java, etc.)
CI/CD integration (GitHub Actions, GitLab CI, Jenkins)
False positive tuning and rule optimization
Organizational policy enforcement

2. SonarQube Setup

Quality gate configuration
Security hotspot analysis
Code coverage and technical debt tracking
Custom quality profiles for languages
Enterprise integration with LDAP/SAML

3. CodeQL Analysis

GitHub Advanced Security integration
Custom query development
Vulnerability variant analysis
Security research workflows
SARIF result processing

Quick Start

Initial Assessment

Identify primary programming languages in your codebase
Determine compliance requirements (PCI-DSS, SOC 2, etc.)
Choose SAST tool based on language support and integration needs
Review baseline scan to understand current security posture

Basic Setup

# Semgrep quick start
pip install semgrep
semgrep --config=auto --error

# SonarQube with Docker
docker run -d --name sonarqube -p 9000:9000 sonarqube:latest

# CodeQL CLI setup
gh extension install github/gh-codeql
codeql database create mydb --language=python

Reference Documentation

Semgrep Rule Creation - Pattern-based security rule development
SonarQube Configuration - Quality gates and profiles
CodeQL Setup Guide - Query development and workflows

Templates & Assets

semgrep-config.yml - Production-ready Semgrep configuration
sonarqube-settings.xml - SonarQube quality profile template
run-sast.sh - Automated SAST execution script

Integration Patterns

CI/CD Pipeline Integration

# GitHub Actions example
- name: Run Semgrep
  uses: returntocorp/semgrep-action@v1
  with:
    config: >-
      p/security-audit
      p/owasp-top-ten

Pre-commit Hook

# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
  rev: v1.45.0
  hooks:
    - id: semgrep
      args: ['--config=auto', '--error']

Best Practices

Start with Baseline
- Run initial scan to establish security baseline
- Prioritize critical and high severity findings
- Create remediation roadmap
Incremental Adoption
- Begin with security-focused rules
- Gradually add code quality rules
- Implement blocking only for critical issues
False Positive Management
- Document legitimate suppressions
- Create allow lists for known safe patterns
- Regularly review suppressed findings
Performance Optimization
- Exclude test files and generated code
- Use incremental scanning for large codebases
- Cache scan results in CI/CD
Team Enablement
- Provide security training for developers
- Create internal documentation for common patterns
- Establish security champions program

Common Use Cases

New Project Setup

./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube

Custom Rule Development

# See references/semgrep-rules.md for detailed examples
rules:
  - id: hardcoded-jwt-secret
    pattern: jwt.encode($DATA, "...", ...)
    message: JWT secret should not be hardcoded
    severity: ERROR

Compliance Scanning

# PCI-DSS focused scan
semgrep --config p/pci-dss --json -o pci-scan-results.json

Troubleshooting

High False Positive Rate

Review and tune rule sensitivity
Add path filters to exclude test files
Use nostmt metadata for noisy patterns
Create organization-specific rule exceptions

Performance Issues

Enable incremental scanning
Parallelize scans across modules
Optimize rule patterns for efficiency
Cache dependencies and scan results

Integration Failures

Verify API tokens and credentials
Check network connectivity and proxy settings
Review SARIF output format compatibility
Validate CI/CD runner permissions

Related Skills

Tool Comparison

Tool	Best For	Language Support	Cost	Integration
Semgrep	Custom rules, fast scans	30+ languages	Free/Enterprise	Excellent
SonarQube	Code quality + security	25+ languages	Free/Commercial	Good
CodeQL	Deep analysis, research	10+ languages	Free (OSS)	GitHub native

Next Steps

Complete initial SAST tool setup
Run baseline security scan
Create custom rules for organization-specific patterns
Integrate into CI/CD pipeline
Establish security gate policies
Train development team on findings and remediation

Source

git clone https://github.com/wshobson/agents/blob/main/plugins/security-scanning/skills/sast-configuration/SKILL.mdView on GitHub

Overview

This skill guides configuring SAST tools (Semgrep, SonarQube, CodeQL) for automated vulnerability detection across languages. It covers setting up in CI/CD pipelines, creating custom rules, and enforcing compliance with quality gates and policies to support DevSecOps and reduce vulnerabilities.

How This Skill Works

You select the right SAST tool for each language, install and configure it, and define custom rules and policies. The setup integrates with CI/CD (GitHub Actions, GitLab CI, Jenkins), runs scans, and surfaces findings via SARIF or quality gates, with tuning to minimize false positives.

When to Use It

Set up SAST scanning in CI/CD pipelines
Create custom security rules for your codebase
Configure quality gates and compliance policies
Optimize scan performance and reduce false positives
Integrate multiple SAST tools for defense-in-depth

Quick Start

Step 1: Identify primary programming languages in your codebase and select SAST tool compatibility
Step 2: Install and configure the chosen tools (e.g., Semgrep, SonarQube, CodeQL) and wire into CI/CD
Step 3: Run an initial baseline scan, review findings, and tune rules to reduce false positives

Best Practices

Start with Baseline: Run initial scan to establish security baseline, prioritize critical findings, and chart a remediation roadmap
Incremental Adoption: Focus on security rules first, then add code quality rules, enabling blocking only for critical issues
False Positive Management: Document suppressions and use allow lists; regularly review suppressed findings
Performance Optimization: Exclude test/generated files, use incremental scans, and cache results in CI/CD
Team Enablement: Train developers, provide internal docs, and establish security champions

Example Use Cases

Integrate Semgrep rules in GitHub Actions to catch OWASP Top Ten patterns in a Python project
Configure SonarQube quality gates and language-specific profiles for a Java/JavaScript codebase
Use CodeQL analysis with GitHub Advanced Security to detect vulnerabilities in a Node.js repository
Set up a pre-commit hook using Semgrep to catch issues before commits
Run Dockerized SonarQube alongside CodeQL workflows in CI for enterprise-grade scanning

Frequently Asked Questions

Add this skill to your agents