sast-configuration
Configure Static Application Security Testing (SAST) tools for automated vulnerability detection in application code. Use when setting up security scanning, implementing DevSecOps practices, or automating code vulnerability detection.
Category: Development Tools
Download and extract to your skills directory
Copy command and send to OpenClaw for auto-install:
Download and install this skill https://openskills.cc/api/download?slug=sickn33-skills-sast-configuration&locale=en&source=copy
SAST Configuration - Static Application Security Testing Configuration Guide
Skills Overview
SAST Configuration provides a complete configuration guide for static code security testing tools, helping you integrate automated vulnerability detection into your CI/CD pipeline. It supports three major tools: Semgrep, SonarQube, and CodeQL.
Use Cases
1. CI/CD Security Scan Integration
When you need to automatically run security checks during code commits or build processes, this skill offers complete integration solutions for GitHub Actions, GitLab CI, and Jenkins. It includes quality gate setup and handling of scan results.
2. Custom Security Rule Development
For specific business scenarios or coding standards, this skill guides you to create custom Semgrep rules and SonarQube quality configurations, enabling security policies that match your team’s needs.
3. Enterprise Compliance Security Enablement
To meet compliance requirements such as PCI-DSS and SOC 2, this skill provides compliant scanning configuration options, including vulnerability tracking, remediation verification, and security report generation.
Core Features
1. Semgrep Configuration and Custom Rules
Semgrep is a fast, flexible static analysis tool that supports 30+ programming languages. This skill includes guidance for custom rule development, pattern-matching tips, CI/CD integration templates, and security rule sets for languages such as Python, JavaScript, Go, and Java.
2. SonarQube Quality Gate Setup
SonarQube combines code quality and security analysis in one platform. This skill covers quality gate configuration, security hotspot management, technical debt tracking, and enterprise-level integration with LDAP/SAML.
3. CodeQL Deep Analysis
CodeQL provides powerful code semantic analysis capabilities. This skill includes GitHub Advanced Security integration, custom query development, vulnerability variant analysis, and SARIF result processing workflows.
Frequently Asked Questions
Will SAST scanning affect CI/CD performance?
Yes, SAST scanning does consume some build time. However, you can optimize it using incremental scanning, parallel execution, and excluding test files. This skill provides performance optimization best practices, including caching strategies and rule selection recommendations.
Which should I choose: Semgrep, SonarQube, or CodeQL?
Each has its strengths: Semgrep is excellent for fast scanning and custom rules, SonarQube covers both code quality and security, and CodeQL offers deep analysis capabilities. It’s recommended to combine them for layered protection. This skill provides a detailed tool comparison table and selection guidance.
How can I reduce false positives in SAST scanning?
False positives are a common challenge in SAST. This skill provides multiple approaches: add path filters to exclude test code, use nostmt metadata to optimize rules, create organization-level exception lists, and regularly review suppressed findings.
Which programming languages does this skill support?
Semgrep supports 30+ programming languages, SonarQube supports 25+ languages, and CodeQL supports 10+ mainstream languages. This skill includes configuration examples for commonly used languages such as Python, JavaScript, TypeScript, Go, Java, and C#.
How do I configure security quality gates in CI/CD?
This skill provides complete integration examples for GitHub Actions, GitLab CI, and Jenkins, showing how to set severity thresholds, blocking conditions, and result notifications. It’s recommended to start by blocking only critical issues and gradually tighten the policies.
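The two FAQ answers above (reducing false positives with path filters and exception lists, and blocking a pipeline on a severity threshold) describe one post-processing step that sits between the scanner and the CI job's exit code. The following is an added example of that step, not a file from this skill: a small Python quality gate that reads a SARIF 2.1.0 report (the format Semgrep and CodeQL both emit), drops findings under excluded test paths, drops findings covered by an organization-level exception list, and fails only when a finding at or above the configured level remains. The SARIF document, the exclusion globs, the exception list, and the rule IDs are all constructed for the example.

```python
"""Added example: a SARIF-driven quality gate for a CI job.

Assumes the SARIF 2.1.0 layout used by Semgrep and CodeQL:
runs[].results[] with ruleId, level and
locations[].physicalLocation.artifactLocation.uri.
Everything below (report, globs, exception list, rule IDs) is constructed.
"""
import fnmatch
import json
import sys

# Constructed SARIF report with findings of three severities.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "semgrep"}},
        "results": [
            {"ruleId": "example.sqli", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}}}]},
            {"ruleId": "example.sqli", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_db.py"}}}]},
            {"ruleId": "example.weak-hash", "level": "warning",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/legacy/hash.py"}}}]},
            {"ruleId": "example.debug-enabled", "level": "note",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/main.py"}}}]},
        ],
    }],
})

# Path filters: test code is scanned but never gates the build.
EXCLUDE_GLOBS = ["tests/*", "**/test_*.py"]

# Organization-level exception list: rule ID -> path globs where it is accepted.
# Entries here should be reviewed periodically, as the FAQ recommends.
EXCEPTIONS = {"example.weak-hash": ["app/legacy/*"]}

# SARIF result levels ranked so a threshold can be compared numerically.
SEVERITY_RANK = {"note": 1, "warning": 2, "error": 3}


def load_findings(sarif_text):
    """Flatten runs[].results[] into plain dicts.

    A result without 'level' defaults to 'warning', as SARIF 2.1.0 specifies.
    """
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            locs = result.get("locations") or [{}]
            uri = (locs[0].get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri", "<no-path>"))
            findings.append({
                "tool": tool,
                "rule": result.get("ruleId", "<no-rule>"),
                "level": result.get("level", "warning"),
                "path": uri,
            })
    return findings


def apply_filters(findings, exclude_globs, exceptions):
    """Drop findings under excluded paths or covered by the exception list."""
    kept = []
    for f in findings:
        if any(fnmatch.fnmatch(f["path"], g) for g in exclude_globs):
            continue
        if any(fnmatch.fnmatch(f["path"], g) for g in exceptions.get(f["rule"], [])):
            continue
        kept.append(f)
    return kept


def gate(findings, block_at="error"):
    """Return (blocked, blocking_findings) for the given severity threshold."""
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in findings if SEVERITY_RANK.get(f["level"], 2) >= threshold]
    return (len(blocking) > 0, blocking)


def run_gate(sarif_text, exclude_globs, exceptions, block_at="error"):
    """Load, filter and gate; returns a summary the CI job can log."""
    findings = apply_filters(load_findings(sarif_text), exclude_globs, exceptions)
    blocked, blocking = gate(findings, block_at)
    return {"total": len(findings), "blocking": len(blocking), "blocked": blocked}


if __name__ == "__main__":
    # Start by blocking only on "error"; lower block_at as the backlog shrinks.
    report = run_gate(SAMPLE_SARIF, EXCLUDE_GLOBS, EXCEPTIONS, block_at="error")
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["blocked"] else 0)
```

In a GitHub Actions, GitLab CI or Jenkins job this script would read the scanner's SARIF output file instead of `SAMPLE_SARIF` and its non-zero exit status is what turns the threshold into a blocking condition. Keeping the exclusion globs and the exception list in version control alongside the scanner configuration makes every suppression reviewable, which is the point of the periodic review the FAQ asks for.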