static-application-security-testing
Static Application Security Testing
This skill enables the agent to perform Static Application Security Testing (SAST) on source code repositories to detect security vulnerabilities without executing the application. The agent selects appropriate analysis tools based on the project's language, runs scans with relevant rule sets, triages findings to separate true positives from false positives, and integrates results into CI/CD pipelines. SAST catches issues such as SQL injection, cross-site scripting, hardcoded secrets, insecure deserialization, and cryptographic misuse early in the development lifecycle.
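To make the "without executing the application" point concrete, here is a small static analyzer written for this page (added example, not code from the skill repository). It parses Python source with the standard `ast` module and reports a SQL string assembled at runtime only when it reaches a database-driver sink, which is also the contextual check the triage step below describes. The sink list, the rule id and the sample module are assumptions constructed for the example.

```python
"""Toy SAST pass for SQL injection in Python source, built on the ast module.

A runtime-built string (f-string, %-formatting, + concatenation, str.format)
is reported only when it reaches a database-driver sink; dynamic strings that
only go to a logger and constant parameterized queries are left alone.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Assumed sink set: DB-API cursor methods that take the query text as first argument.
SINK_METHODS = {"execute", "executemany", "executescript"}
RULE_ID = "python.sqli.string-built-query"  # hypothetical rule id for this example


@dataclass(frozen=True)
class Finding:
    line: int
    rule_id: str
    message: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression assembles a string from runtime values."""
    if isinstance(node, ast.JoinedStr):                                 # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                                     # "a" + b, "a %s" % b
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format" and isinstance(node.func.value, ast.Constant)
    return False


def scan_source(source: str) -> list[Finding]:
    """Report dynamically built strings that reach a DB sink.

    Flow-insensitive on purpose: a name assigned a dynamic string anywhere in
    the module stays tainted, which over-approximates rather than tracking
    control flow (a real engine such as CodeQL or Semgrep taint mode does more).
    """
    tree = ast.parse(source)

    tainted: set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _is_dynamic_string(node.value):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))

    findings: list[Finding] = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SINK_METHODS and node.args):
            continue
        query = node.args[0]
        if _is_dynamic_string(query):
            findings.append(Finding(node.lineno, RULE_ID,
                f"query passed to {node.func.attr}() is built inline from runtime values"))
        elif isinstance(query, ast.Name) and query.id in tainted:
            findings.append(Finding(node.lineno, RULE_ID,
                f"{query.id!r} is built from runtime values and reaches {node.func.attr}()"))
        # A constant first argument, with or without a parameter tuple, is the safe pattern.
    return sorted(findings, key=lambda f: f.line)


def report(source: str) -> list[str]:
    """One line per finding: location, rule, message and the offending source line."""
    lines = source.splitlines()
    return [f"line {f.line}: {f.rule_id}: {f.message} :: {lines[f.line - 1].strip()}"
            for f in scan_source(source)]


# Constructed sample module to scan; not real project code.
SAMPLE = '''\
import sqlite3

def find_user(conn, username):
    cur = conn.cursor()
    # vulnerable: user input interpolated into the query text
    query = f"SELECT * FROM users WHERE name = '{username}'"
    cur.execute(query)
    return cur.fetchone()

def find_user_safe(conn, username):
    cur = conn.cursor()
    # safe: parameterized query, the driver does the quoting
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchone()

def log_table(logger, table):
    # dynamic string, but it never reaches a database driver: not reported
    logger.info("scanning table " + table)

def count_rows(cur, table):
    # vulnerable: concatenation straight into the sink
    return cur.execute("SELECT COUNT(*) FROM " + table).fetchone()
'''


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Running it reports the two `cur.execute` calls that receive a runtime-built string and stays quiet about the parameterized query and the concatenated log message; the second omission is exactly the kind of sink-reachability check that keeps a SAST report from drowning in noise.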
Workflow
- Detect Languages and Frameworks: Analyze the repository to determine the primary languages (Python, JavaScript, Java, Go, C#, etc.) and frameworks in use, since this decides which SAST tools and rule sets apply. Check for existing tool configurations such as `.semgrep.yml`, CodeQL query packs, or `.bandit` config files.
- Select and Configure SAST Tools: Choose the appropriate tools for the detected stack. Use Semgrep for multi-language pattern matching, CodeQL for deep semantic (data-flow) analysis, Bandit for Python-specific checks, and ESLint security plugins for JavaScript/TypeScript. Load the built-in security rule sets and any project-specific custom rules.
- Execute Static Analysis: Run the selected tools against the codebase. Capture every finding with its vulnerability type, affected file and line number, severity level, CWE identifier, and a description of the issue. For large codebases, run the tools in parallel.
- Triage and Deduplicate Findings: Merge results from multiple tools, collapse duplicate detections of the same issue (the same weakness at the same location reported under different tools' rule IDs), and classify each finding as true positive, false positive, or needs-review. Use contextual analysis to reduce noise, for example checking whether a flagged SQL string actually reaches a database driver call rather than only a log message.
- Generate Report with Fix Suggestions: Produce a structured findings report grouped by severity and category. Include the vulnerable code snippet, an explanation of the risk, a suggested fix with corrected code, and references to the relevant CWE entries and OWASP categories.
- Integrate into CI Pipeline: Configure the scan to run on every pull request and on pushes to protected branches. Set quality gates that block merges when new critical or high-severity findings are introduced, so that pre-existing findings can be tracked without blocking every change. Output results in SARIF for GitHub Code Scanning or SonarQube's external-issue import; GitLab's security dashboard ingests its own SAST report JSON schema, so convert SARIF for that target.
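The merge, triage and gating steps above, worked end to end as an added example (not code from the skill repository). The two SARIF inputs are hand-constructed fragments standing in for Semgrep and Bandit output, with only the fields the script reads; the rule ids, file paths, CWE tags and the accepted-fingerprint set are assumptions made for the example. The fingerprint `CWE:file:line` is what lets one weakness reported by two tools collapse to a single finding.

```python
"""Merge, deduplicate, triage and gate SAST results from several tools.

Inputs are constructed SARIF 2.1.0 fragments standing in for real Semgrep
and Bandit output; only the fields this script reads are present.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from itertools import chain


def _sarif(tool: str, rules: dict[str, str], results: list[tuple]) -> dict:
    """Build a minimal SARIF log. rules maps rule id -> CWE tag; results are
    (ruleId, level, message, uri, startLine) tuples. Constructed test input."""
    return {"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": tool, "rules": [
            {"id": rid, "properties": {"tags": [cwe]}} for rid, cwe in rules.items()]}},
        "results": [{
            "ruleId": rid, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}
            for rid, level, text, uri, line in results],
    }]}


# Constructed: what two scanners might report for the same repository (rule ids are illustrative).
SEMGREP_SARIF = _sarif("semgrep",
    {"python.sqli.formatted-query": "CWE-89", "python.hardcoded-secret": "CWE-798"},
    [("python.sqli.formatted-query", "error", "SQL query built with an f-string", "app/db.py", 42),
     ("python.hardcoded-secret", "warning", "Hard-coded API key", "app/config.py", 7)])
BANDIT_SARIF = _sarif("bandit",
    {"B608": "CWE-89", "B101": "CWE-703"},
    [("B608", "warning", "Possible SQL injection via string formatting", "app/db.py", 42),
     ("B101", "note", "Use of assert detected", "tests/test_db.py", 3)])

# Fingerprints a reviewer has already accepted (e.g. confirmed false positive). Constructed.
ACCEPTED = {"CWE-703:tests/test_db.py:3"}

LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Finding:
    file: str
    line: int
    cwe: str
    severity: str
    message: str
    tools: list[str] = field(default_factory=list)
    rule_ids: list[str] = field(default_factory=list)

    @property
    def fingerprint(self) -> str:
        # Same weakness at the same location is one issue, whichever tool found it.
        return f"{self.cwe}:{self.file}:{self.line}"


def load_findings(sarif: dict) -> list[Finding]:
    """Flatten one tool's SARIF log into Finding objects, resolving the CWE via rule tags."""
    out: list[Finding] = []
    for run in sarif["runs"]:
        driver = run["tool"]["driver"]
        cwe_by_rule: dict[str, str] = {}
        for rule in driver.get("rules", []):
            tags = rule.get("properties", {}).get("tags", [])
            cwe_by_rule[rule["id"]] = next((t for t in tags if t.startswith("CWE-")), "CWE-unknown")
        for res in run["results"]:
            loc = res["locations"][0]["physicalLocation"]
            out.append(Finding(
                file=loc["artifactLocation"]["uri"], line=loc["region"]["startLine"],
                cwe=cwe_by_rule.get(res["ruleId"], "CWE-unknown"),
                severity=LEVEL_TO_SEVERITY.get(res.get("level", "warning"), "medium"),
                message=res["message"]["text"], tools=[driver["name"]], rule_ids=[res["ruleId"]]))
    return out


def merge(*finding_lists: list[Finding]) -> list[Finding]:
    """Deduplicate across tools: keep the highest severity and record every tool that agreed."""
    merged: dict[str, Finding] = {}
    for f in chain.from_iterable(finding_lists):
        if (m := merged.get(f.fingerprint)) is None:
            merged[f.fingerprint] = f
            continue
        m.tools.extend(f.tools)
        m.rule_ids.extend(f.rule_ids)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[m.severity]:
            m.severity = f.severity
    return sorted(merged.values(), key=lambda x: (-SEVERITY_RANK[x.severity], x.file, x.line))


def triage(findings: list[Finding], accepted: set[str]) -> tuple[list[Finding], list[Finding]]:
    """Split into findings needing action and ones already reviewed by their fingerprint."""
    new = [f for f in findings if f.fingerprint not in accepted]
    reviewed = [f for f in findings if f.fingerprint in accepted]
    return new, reviewed


def gate(findings: list[Finding], fail_on: tuple[str, ...] = ("critical", "high")) -> bool:
    """Quality gate: True if the merge may proceed, False if any finding is at a failing severity."""
    return not any(f.severity in fail_on for f in findings)


def to_sarif(findings: list[Finding]) -> dict:
    """Re-emit the merged findings as one SARIF log for a code-scanning upload."""
    level = {"low": "note", "medium": "warning", "high": "error", "critical": "error"}
    rules = {f.cwe: {"id": f.cwe, "properties": {"tags": [f.cwe]}} for f in findings}
    return {"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": "sast-merge", "rules": list(rules.values())}},
        "results": [{
            "ruleId": f.cwe, "level": level[f.severity],
            "message": {"text": f"{f.message} (reported by {', '.join(f.tools)})"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f.file}, "region": {"startLine": f.line}}}]}
            for f in findings]}]}


if __name__ == "__main__":
    actionable, _ = triage(merge(load_findings(SEMGREP_SARIF), load_findings(BANDIT_SARIF)), ACCEPTED)
    for f in actionable:
        print(f"[{f.severity}] {f.cwe} {f.file}:{f.line} {f.message} ({', '.join(f.tools)})")
    raise SystemExit(0 if gate(actionable) else 1)  # non-zero exit is what blocks the merge in CI
```

With this input the two SQL-injection reports for `app/db.py:42` collapse into one high-severity finding credited to both tools, the accepted `assert` finding is set aside, and the gate fails on the remaining high finding, so the script exits non-zero and the pipeline blocks the merge. Keying the accepted set by fingerprint rather than by tool rule id is what keeps a triage decision stable when a tool renames a rule or a second tool starts reporting the same line.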
Supported Technologies