Sast Configuration

Safety

• Avoid scanning sensitive repos with third-party services without approval.
• Prevent leaks of secrets in scan artifacts and logs.

Overview

This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL.

Core Capabilities

1. Semgrep Configuration

• Custom rule creation with pattern matching
• Language-specific security rules (Python, JavaScript, Go, Java, etc.)
• CI/CD integration (GitHub Actions, GitLab CI, Jenkins)
• False positive tuning and rule optimization
• Organizational policy enforcement

2. SonarQube Setup

• Quality gate configuration
• Security hotspot analysis
• Code coverage and technical debt tracking
• Custom quality profiles for languages
• Enterprise integration with LDAP/SAML

3. CodeQL Analysis

• GitHub Advanced Security integration
• Custom query development
• Vulnerability variant analysis
• Security research workflows
• SARIF result processing

Quick Start

Initial Assessment

1. Identify primary programming languages in your codebase
2. Determine compliance requirements (PCI-DSS, SOC 2, etc.)
3. Choose SAST tool based on language support and integration needs
4. Review baseline scan to understand current security posture

Basic Setup

# Semgrep quick start
pip install semgrep
semgrep --config=auto --error

# SonarQube with Docker
docker run -d --name sonarqube -p 9000:9000 sonarqube:latest

# CodeQL CLI setup
gh extension install github/gh-codeql
codeql database create mydb --language=python

Reference Documentation

• Semgrep Rule Creation - Pattern-based security rule development
• SonarQube Configuration - Quality gates and profiles
• CodeQL Setup Guide - Query development and workflows

Templates & Assets

• semgrep-config.yml - Production-ready Semgrep configuration
• sonarqube-settings.xml - SonarQube quality profile template
• run-sast.sh - Automated SAST execution script

Integration Patterns

CI/CD Pipeline Integration

# GitHub Actions example
- name: Run Semgrep
  uses: returntocorp/semgrep-action@v1
  with:
    config: >-
      p/security-audit
      p/owasp-top-ten

Pre-commit Hook

# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
  rev: v1.45.0
  hooks:
    - id: semgrep
      args: ['--config=auto', '--error']

Best Practices

1. Start with Baseline

   • Run initial scan to establish security baseline
   • Prioritize critical and high severity findings
   • Create remediation roadmap

2. Incremental Adoption

   • Begin with security-focused rules
   • Gradually add code quality rules
   • Implement blocking only for critical issues

3. False Positive Management

   • Document legitimate suppressions
   • Create allow lists for known safe patterns
   • Regularly review suppressed findings

4. Performance Optimization

   • Exclude test files and generated code
   • Use incremental scanning for large codebases
   • Cache scan results in CI/CD

5. Team Enablement

   • Provide security training for developers
   • Create internal documentation for common patterns
   • Establish security champions program

Common Use Cases

New Project Setup

./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube

Custom Rule Development

# See references/semgrep-rules.md for detailed examples