
sast-configuration
by LocoLoboZ
Automate the setup and optimization of Semgrep, SonarQube, and CodeQL for high-signal security testing.
- Generate optimized .semgrep.yml rulesets to reduce false positives.
- Audit codebases for OWASP Top 10 and CWE-mapped vulnerabilities.
- Establish automated Quality Gates that fail builds on new critical security flaws.
Included in download
- Generate optimized .semgrep.yml rulesets to reduce false positives.
- Audit codebases for OWASP Top 10 and CWE-mapped vulnerabilities.
- Terminal automation included
- Ready for use in Claude Code
See it in action
A real example of what this skill takes in and produces.
Sample input
Configure Semgrep for a Python Django web application. Use OWASP Top 10 and secrets detection rulesets. Integrate with GitHub Actions to block pull requests on any critical or high finding.
Sample output
A Semgrep configuration covering OWASP Top 10 and secrets rulesets, a GitHub Actions workflow YAML that runs Semgrep on every pull request and fails the check on critical or high severity findings, a finding triage register template with CWE and OWASP mapping fields, and a SAST findings report structure ready for population after the first scan.
About This Skill
What it does
The SAST Configuration skill automates the setup, tuning, and integration of industry-leading Static Application Security Testing (SAST) tools. It provides expert-level workflows for Semgrep, SonarQube, and CodeQL, turning them from noisy scanners into high-signal security controls.
Why use this skill
Most developers struggle with "alert fatigue"—hundreds of low-value security warnings that obscure real risks. This skill solves that by providing precision-tuned configuration files and rulesets. It goes beyond simple scanning by generating deployment-ready CI/CD YAML, mapping findings to CWE/OWASP categories, and establishing a formal triage process. Instead of spending hours reading documentation and fighting false positives, you get a production-ready security pipeline in minutes.
Supported tools
- Semgrep: Fast, multi-language scanning with custom pattern matching.
- SonarQube: Enterprise-grade quality gates and security hotspots.
- CodeQL: Deep data-flow analysis for GitHub-native environments.
- CI/CD: Native configurations for GitHub Actions, GitLab CI, and Jenkins.
What the output looks like
You receive high-quality .yml or .properties configuration files, a structured triage register for security audits, and a comprehensive findings report that prioritizes critical vulnerabilities and provides actionable remediation guidance.
Use Cases
- Generate optimized .semgrep.yml rulesets to reduce false positives.
- Audit codebases for OWASP Top 10 and CWE-mapped vulnerabilities.
- Establish automated Quality Gates that fail builds on new critical security flaws.
- Configure Semgrep with OWASP Top 10 and secrets detection rulesets for a Python or JavaScript codebase
- Triage and prioritise CodeQL findings using CWE-to-OWASP mapping and a structured disposition register
- Produce a SAST findings report for a security review or development governance checkpoint
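The sample output above describes a pull-request gate that fails on critical or high findings, and the use cases above describe a triage register with CWE and OWASP mapping. The script below is an added example of that gate and register, not code shipped with this skill: it parses the JSON that `semgrep scan --json` writes, extracts the CWE/OWASP identifiers from each rule's metadata, builds a disposition register, and fails only on new findings at a blocking severity. One caveat it encodes: Semgrep's native severity ladder is ERROR/WARNING/INFO, so "critical or high" has to be mapped onto ERROR (the `BLOCKING_SEVERITIES` set is an assumption you can widen). The embedded scan results and rule ids are constructed for the example.

```python
"""Semgrep quality gate and triage register (added example, not part of the skill)."""
import json
import re
import sys

# Semgrep severities are ERROR/WARNING/INFO; ERROR stands in for "critical or high".
BLOCKING_SEVERITIES = {"ERROR"}

# Constructed sample shaped like `semgrep scan --json` output; not a real scan.
SAMPLE_SEMGREP_JSON = json.dumps({
    "results": [
        {"check_id": "python.django.security.injection.sql-injection-db-cursor-execute",
         "path": "app/views.py", "start": {"line": 42},
         "extra": {"severity": "ERROR", "message": "Untrusted input flows into a raw SQL query.",
                   "metadata": {"cwe": ["CWE-89: Improper Neutralization of Special Elements used in an SQL Command"],
                                "owasp": ["A03:2021 - Injection"], "confidence": "HIGH"}}},
        {"check_id": "python.django.security.audit.csrf-exempt",
         "path": "app/api.py", "start": {"line": 17},
         "extra": {"severity": "WARNING", "message": "View is exempt from CSRF protection.",
                   "metadata": {"cwe": "CWE-352: Cross-Site Request Forgery",
                                "owasp": "A01:2021 - Broken Access Control"}}},
        {"check_id": "generic.secrets.security.detected-aws-access-key",
         "path": "settings.py", "start": {"line": 3},
         "extra": {"severity": "ERROR", "message": "AWS access key detected.",
                   "metadata": {"cwe": ["CWE-798: Use of Hard-coded Credentials"],
                                "owasp": ["A07:2021 - Identification and Authentication Failures"]}}},
    ],
    "errors": [],
})


def _as_list(value):
    """Semgrep metadata fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def parse_findings(json_text):
    """Flatten Semgrep JSON results into triage-ready dicts with bare CWE/OWASP ids."""
    data = json.loads(json_text)
    findings = []
    for r in data.get("results", []):
        extra = r.get("extra", {})
        meta = extra.get("metadata", {})
        cwe_ids = [m.group(0) for s in _as_list(meta.get("cwe")) if (m := re.match(r"CWE-\d+", s))]
        owasp_ids = [m.group(0) for s in _as_list(meta.get("owasp")) if (m := re.match(r"A\d{2}:\d{4}", s))]
        findings.append({
            "check_id": r["check_id"],
            "path": r["path"],
            "line": r.get("start", {}).get("line"),
            "severity": extra.get("severity", "INFO").upper(),
            "confidence": meta.get("confidence", "UNKNOWN"),
            "cwe": cwe_ids,
            "owasp": owasp_ids,
            # Semgrep emits a stable per-finding fingerprint; fall back to rule+path if absent.
            "fingerprint": extra.get("fingerprint") or f"{r['check_id']}@{r['path']}",
            "message": extra.get("message", ""),
        })
    return findings


def evaluate_gate(findings, blocking=BLOCKING_SEVERITIES, baseline=frozenset()):
    """Return (passed, counts_by_severity). Only NEW blocking findings fail the gate:
    fingerprints in `baseline` (accepted risk or pre-existing debt) are ignored."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    new_blocking = [f for f in findings
                    if f["severity"] in blocking and f["fingerprint"] not in baseline]
    return (len(new_blocking) == 0, counts)


def build_register(findings):
    """Triage register rows: every finding starts 'open' with its CWE/OWASP mapping filled."""
    return [{"id": i + 1, "rule": f["check_id"], "location": f"{f['path']}:{f['line']}",
             "severity": f["severity"], "cwe": ",".join(f["cwe"]) or "-",
             "owasp": ",".join(f["owasp"]) or "-", "disposition": "open", "owner": ""}
            for i, f in enumerate(findings)]


def register_as_markdown(rows):
    """Render the register as a markdown table for the findings report."""
    cols = ["id", "rule", "location", "severity", "cwe", "owasp", "disposition", "owner"]
    lines = ["| " + " | ".join(cols) + " |", "|" + "---|" * len(cols)]
    lines += ["| " + " | ".join(str(r[c]) for c in cols) + " |" for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python gate.py semgrep.json  (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SEMGREP_JSON
    found = parse_findings(text)
    ok, by_sev = evaluate_gate(found)
    print(register_as_markdown(build_register(found)))
    print("severity counts:", by_sev)
    raise SystemExit(0 if ok else 1)  # a non-zero exit is what fails the PR check
```

In a workflow the scan step would be something like `semgrep scan --config p/owasp-top-ten --config p/secrets --json -o semgrep.json` followed by this script as the gate step; the baseline set is where a reviewed, accepted-risk finding gets recorded so that it stops blocking merges while still appearing in the register.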
How to Install
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/sast-configuration | tar xz -C ~/.claude/skills/
Free skills install directly. Paid skills require purchase - use the download button above after buying.
Reviews
No reviews yet - be the first to share your experience.
Security Scanned
Passed automated security review
Works with any agent that supports the Universal SKILL.md Standard, including Claude Code, Codex CLI, Cursor, VS Code Copilot, Gemini CLI, OpenClaw, and 20+ compatible agents.
Creator
I design and publish skills built from real professional practice across three areas: cyber security consulting, business operations, and AI workflow engineering. My cyber security skills draw on active advisory work spanning governance, risk, compliance, assurance, and executive reporting. They are built for practitioners who need structured, defensible outputs - not generic templates. My business operations skills cover the day-to-day work of running a consulting practice: bookkeeping, financial tracking, expense reconciliation, and marketing content - designed to reduce repetitive overhead and keep outputs consistent. My AI platform and workflow skills are built for people who want to get more out of Claude and similar platforms - covering prompt engineering, skill architecture, automation pipelines, and agent enhancement. Every skill I publish has been tested in production use before it reaches the marketplace. If it is here, it works.