
    SAST Configuration Kit

    A DevSecOps engineer that stands up and tunes static analysis (Semgrep, SonarQube, CodeQL) for high-signal findings — picks the right tool for the stack, writes the config and rulesets, wires a sane CI gate, and tunes out the false positives that get scanners muted.

    Updated Jun 2026


    Included in download

    • Deploy high-signal Semgrep/CodeQL configurations from scratch.
    • Fix a noisy SAST setup that developers are currently ignoring.
    • Ready for Cursor
    • Instant install

    Sample input

    Set up a security scanner for our Node.js/Express repo using GitHub Actions. It's a legacy project, so don't block existing issues—just new ones.

    Sample output

    I've configured Semgrep for high-speed PR scanning with a 'baseline' strategy.
    1. Created `.semgrepignore` to skip node_modules and tests.
    2. Added `.github/workflows/semgrep.yml` with `semgrep ci --new-for-baseline`.
    3. Enabled OWASP Top 10 rules.
    Only new Critical/High vulnerabilities will block merge.

    About This Skill

    Turn Static Analysis from a Nuisance into a Security Asset

    Most AI agents can run a linter, but they often leave you with hundreds of false positives that your developers will ignore. This skill transforms your agent into a seasoned DevSecOps engineer who specializes in high-signal SAST (Static Application Security Testing) architecture. It doesn't just "turn on" security; it builds a sustainable workflow that developers actually trust.

    What it does

    • Intelligent Tooling: Evaluates your stack and CI/CD environment to select the right tool—whether it's Semgrep for speed, CodeQL for deep dataflow analysis, or SonarQube for quality dashboards.
    • High-Signal Configuration: Drafts language-specific rulesets and custom exclusions to ensure the engine only flags actionable security vulnerabilities like injection, SSRF, or hardcoded secrets.
    • CI Integrated Gates: Configures GitHub Actions, GitLab CI, or Jenkins to block PRs on new critical issues while using "baseline-then-ratchet" strategies for legacy codebases.
    • Noise Reduction (TUNE Mode): Audits existing, noisy scanners to suppress false positives and re-calibrate severity rankings.
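    The "baseline-then-ratchet" gate described above, as an added example (not the skill's own code): it fingerprints findings from Semgrep's JSON output, blocks a merge only on new ERROR-severity results, and shrinks the accepted baseline as old findings are fixed. The scan data, rule ids and file paths are constructed for the example.

```python
import hashlib
import json

# Constructed Semgrep-style JSON (the shape of `semgrep --json` output, trimmed
# to the fields this gate reads). Rule ids and paths are hypothetical.
SCAN_JSON = json.dumps({"results": [
    {"check_id": "example.express.missing-helmet", "path": "src/app.js",
     "start": {"line": 12},
     "extra": {"severity": "WARNING", "lines": "const app = express()"}},
    {"check_id": "example.node.sqli", "path": "src/routes/users.js",
     "start": {"line": 40},
     "extra": {"severity": "ERROR",
               "lines": "db.query('SELECT * FROM users WHERE id=' + id)"}},
]})

BLOCKING = {"ERROR"}  # Semgrep's top severity; WARNING/INFO are reported only


def load_results(scan_json):
    return json.loads(scan_json)["results"]


def fingerprint(result):
    """Rule + file + matched code (not line number), so edits that merely
    shift lines do not resurface an accepted finding as 'new'."""
    code = " ".join(result["extra"]["lines"].split())
    key = f'{result["check_id"]}|{result["path"]}|{code}'
    return hashlib.sha256(key.encode()).hexdigest()


def seed_baseline(results):
    """First run on a legacy repo: accept every existing finding as-is."""
    return {fingerprint(r) for r in results}


def gate(results, baseline):
    """Return (new findings that block the merge, ratcheted baseline).
    Baselined findings never block; new ERROR findings do. The returned
    baseline keeps only accepted findings still present, so a fixed issue
    that comes back counts as new: the bar only moves down."""
    current = {fingerprint(r): r for r in results}
    new = [r for fp, r in current.items() if fp not in baseline]
    blocking = [r for r in new if r["extra"]["severity"] in BLOCKING]
    return blocking, baseline & set(current)


if __name__ == "__main__":
    legacy = load_results(SCAN_JSON)  # seed once, persist the set in the repo
    blocking, _ = gate(legacy, seed_baseline(legacy))
    print("merge blocked:", bool(blocking))  # False: nothing new yet
```

    In CI, the ratcheted set returned by `gate` is what gets written back as the next baseline; the seed step runs only once.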

    Why use this skill?

    Unlike a basic prompt, this skill understands the social and technical friction of security tooling. It prioritizes signal-over-coverage, ensuring your security gates don't become a bottleneck. It provides ready-to-commit CI YAML and configuration files rather than generic advice.

    Use Cases

    • Deploy high-signal Semgrep/CodeQL configurations from scratch.
    • Fix a noisy SAST setup that developers are currently ignoring.
    • Implement 'baseline-then-ratchet' gates for legacy codebases.
    • Write custom Semgrep rules for internal API security patterns.
    • Configure secret-scanning to prevent credential leaks in CI/CD.


    Security Scanned

    Passed automated security review

    Permissions

    No special permissions declared or detected

    Works with any SKILL.md-compatible agent (Claude Code, Cursor, Codex CLI, Gemini CLI). Best with repo access and your CI platform (GitHub Actions, GitLab CI, Jenkins). Open-source and commercial tool paths covered. Defensive security only.
