[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-09a102c9-3ec7-4f58-afa3-dcce2618ef33":3,"$ft1_gnM58vA7fF2gWwInPSmgDLY7vKh7xGzgxkWIeI10":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"09a102c9-3ec7-4f58-afa3-dcce2618ef33","sast-configuration","静态应用安全测试（SAST）工具的设置、配置和自定义规则创建，以实现跨多种编程语言的全面安全扫描。","cat_life_career","mod_other","sickn33,other","---\nname: sast-configuration\ndescription: \"Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.\"\nrisk: unknown\nsource: community\ndate_added: \"2026-02-27\"\n---\n\n# SAST Configuration\n\nStatic Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.\n\n## Use this skill when\n\n- Set up SAST scanning in CI\u002FCD pipelines\n- Create custom security rules for your codebase\n- Configure quality gates and compliance policies\n- Optimize scan performance and reduce false positives\n- Integrate multiple SAST tools for defense-in-depth\n\n## Do not use this skill when\n\n- You only need DAST or manual penetration testing guidance\n- You cannot access source code or CI\u002FCD pipelines\n- You need organizational policy decisions rather than tooling setup\n\n## Instructions\n\n1. Identify languages, repos, and compliance requirements.\n2. Choose tools and define a baseline policy.\n3. Integrate scans into CI\u002FCD with gating thresholds.\n4. Tune rules and suppressions based on false positives.\n5. 
Track remediation and verify fixes.\n\n## Safety\n\n- Avoid scanning sensitive repos with third-party services without approval.\n- Prevent leaks of secrets in scan artifacts and logs.\n\n## Overview\n\nThis skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL.\n\n## Core Capabilities\n\n### 1. Semgrep Configuration\n- Custom rule creation with pattern matching\n- Language-specific security rules (Python, JavaScript, Go, Java, etc.)\n- CI\u002FCD integration (GitHub Actions, GitLab CI, Jenkins)\n- False positive tuning and rule optimization\n- Organizational policy enforcement\n\n### 2. SonarQube Setup\n- Quality gate configuration\n- Security hotspot analysis\n- Code coverage and technical debt tracking\n- Custom quality profiles for languages\n- Enterprise integration with LDAP\u002FSAML\n\n### 3. CodeQL Analysis\n- GitHub Advanced Security integration\n- Custom query development\n- Vulnerability variant analysis\n- Security research workflows\n- SARIF result processing\n\n## Quick Start\n\n### Initial Assessment\n1. Identify primary programming languages in your codebase\n2. Determine compliance requirements (PCI-DSS, SOC 2, etc.)\n3. Choose SAST tool based on language support and integration needs\n4. 
Review baseline scan to understand current security posture\n\n### Basic Setup\n```bash\n# Semgrep quick start\npip install semgrep\nsemgrep --config=auto --error\n\n# SonarQube with Docker\ndocker run -d --name sonarqube -p 9000:9000 sonarqube:latest\n\n# CodeQL CLI setup\ngh extension install github\u002Fgh-codeql\ncodeql database create mydb --language=python\n```\n\n## Reference Documentation\n\n- Semgrep Rule Creation - Pattern-based security rule development\n- SonarQube Configuration - Quality gates and profiles\n- CodeQL Setup Guide - Query development and workflows\n\n## Templates & Assets\n\n- semgrep-config.yml - Production-ready Semgrep configuration\n- sonarqube-settings.xml - SonarQube quality profile template\n- run-sast.sh - Automated SAST execution script\n\n## Integration Patterns\n\n### CI\u002FCD Pipeline Integration\n```yaml\n# GitHub Actions example\n- name: Run Semgrep\n  uses: returntocorp\u002Fsemgrep-action@v1\n  with:\n    config: >-\n      p\u002Fsecurity-audit\n      p\u002Fowasp-top-ten\n```\n\n### Pre-commit Hook\n```yaml\n# .pre-commit-config.yaml\n- repo: https:\u002F\u002Fgithub.com\u002Freturntocorp\u002Fsemgrep\n  rev: v1.45.0\n  hooks:\n    - id: semgrep\n      args: ['--config=auto', '--error']\n```\n\n## Best Practices\n\n1. **Start with Baseline**\n   - Run initial scan to establish security baseline\n   - Prioritize critical and high severity findings\n   - Create remediation roadmap\n\n2. **Incremental Adoption**\n   - Begin with security-focused rules\n   - Gradually add code quality rules\n   - Implement blocking only for critical issues\n\n3. **False Positive Management**\n   - Document legitimate suppressions\n   - Create allow lists for known safe patterns\n   - Regularly review suppressed findings\n\n4. **Performance Optimization**\n   - Exclude test files and generated code\n   - Use incremental scanning for large codebases\n   - Cache scan results in CI\u002FCD\n\n5. 
**Team Enablement**\n   - Provide security training for developers\n   - Create internal documentation for common patterns\n   - Establish security champions program\n\n## Common Use Cases\n\n### New Project Setup\n```bash\n.\u002Fscripts\u002Frun-sast.sh --setup --language python --tools semgrep,sonarqube\n```\n\n### Custom Rule Development\n```yaml\n# See references\u002Fsemgrep-rules.md for detailed examples\nrules:\n  - id: hardcoded-jwt-secret\n    pattern: jwt.encode($DATA, \"...\", ...)\n    message: JWT secret should not be hardcoded\n    severity: ERROR\n```\n\n### Compliance Scanning\n```bash\n# PCI-DSS focused scan\nsemgrep --config p\u002Fpci-dss --json -o pci-scan-results.json\n```\n\n## Troubleshooting\n\n### High False Positive Rate\n- Review and tune rule sensitivity\n- Add path filters to exclude test files\n- Use nostmt metadata for noisy patterns\n- Create organization-specific rule exceptions\n\n### Performance Issues\n- Enable incremental scanning\n- Parallelize scans across modules\n- Optimize rule patterns for efficiency\n- Cache dependencies and scan results\n\n### Integration Failures\n- Verify API tokens and credentials\n- Check network connectivity and proxy settings\n- Review SARIF output format compatibility\n- Validate CI\u002FCD runner permissions\n\n## Related Skills\n\n- OWASP Top 10 Checklist\n- Container Security\n- Dependency Scanning\n\n## Tool Comparison\n\n| Tool | Best For | Language Support | Cost | Integration |\n|------|----------|------------------|------|-------------|\n| Semgrep | Custom rules, fast scans | 30+ languages | Free\u002FEnterprise | Excellent |\n| SonarQube | Code quality + security | 25+ languages | Free\u002FCommercial | Good |\n| CodeQL | Deep analysis, research | 10+ languages | Free (OSS) | GitHub native |\n\n## Next Steps\n\n1. Complete initial SAST tool setup\n2. Run baseline security scan\n3. Create custom rules for organization-specific patterns\n4. Integrate into CI\u002FCD pipeline\n5. 
Establish security gate policies\n6. Train development team on findings and remediation\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,132,169,"2026-05-16 13:37:42",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"其他","other","mdi-page-next-outline","其他类型Skill",5,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"职场发展","career","mdi-briefcase-outline","面试准备、简历优化、职业规划",4,575,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"15009286-cee1-4615-91f3-15cb57f11d35","1.0.0","sast-configuration.zip",2935,"uploads\u002Fskills\u002F09a102c9-3ec7-4f58-afa3-dcce2618ef33\u002Fsast-configuration.zip","d7533012a9a3171113f594a75ca3b9aa585e3d72257648350929706820947962","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":6546}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]