How Sast Configuration fits into a Paperclip company.

Sast Configuration drops into any Paperclip agent that handles this kind of work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.

SaaS FactoryPaired

Pre-configured AI company — 18 agents, 18 skills, one-time purchase.

$27$59

Explore pack

Source file

SKILL.md204 linesmarkdown

Expand

1---2name: sast-configuration3description: Configure Static Application Security Testing (SAST) tools for automated vulnerability detection in application code. Use when setting up security scanning, implementing DevSecOps practices, or automating code vulnerability detection.4---5 6# SAST Configuration7 8Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.9 10## Overview11 12This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL. Use this skill when you need to:13 14- Set up SAST scanning in CI/CD pipelines15- Create custom security rules for your codebase16- Configure quality gates and compliance policies17- Optimize scan performance and reduce false positives18- Integrate multiple SAST tools for defense-in-depth19 20## Core Capabilities21 22### 1. Semgrep Configuration23 24- Custom rule creation with pattern matching25- Language-specific security rules (Python, JavaScript, Go, Java, etc.)26- CI/CD integration (GitHub Actions, GitLab CI, Jenkins)27- False positive tuning and rule optimization28- Organizational policy enforcement29 30### 2. SonarQube Setup31 32- Quality gate configuration33- Security hotspot analysis34- Code coverage and technical debt tracking35- Custom quality profiles for languages36- Enterprise integration with LDAP/SAML37 38### 3. CodeQL Analysis39 40- GitHub Advanced Security integration41- Custom query development42- Vulnerability variant analysis43- Security research workflows44- SARIF result processing45 46## Quick Start47 48### Initial Assessment49 501. Identify primary programming languages in your codebase512. Determine compliance requirements (PCI-DSS, SOC 2, etc.)523. Choose SAST tool based on language support and integration needs534. Review baseline scan to understand current security posture54 55### Basic Setup56 57```bash58# Semgrep quick start59pip install semgrep60semgrep --config=auto --error61 62# SonarQube with Docker63docker run -d --name sonarqube -p 9000:9000 sonarqube:latest64 65# CodeQL CLI setup66gh extension install github/gh-codeql67codeql database create mydb --language=python68```69 70## Reference Documentation71 72- [Semgrep Rule Creation](references/semgrep-rules.md) - Pattern-based security rule development73- [SonarQube Configuration](references/sonarqube-config.md) - Quality gates and profiles74- [CodeQL Setup Guide](references/codeql-setup.md) - Query development and workflows75 76## Templates & Assets77 78- [semgrep-config.yml](assets/semgrep-config.yml) - Production-ready Semgrep configuration79- [sonarqube-settings.xml](assets/sonarqube-settings.xml) - SonarQube quality profile template80- [run-sast.sh](scripts/run-sast.sh) - Automated SAST execution script81 82## Integration Patterns83 84### CI/CD Pipeline Integration85 86```yaml87# GitHub Actions example88- name: Run Semgrep89  uses: returntocorp/semgrep-action@v190  with:91    config: >-92      p/security-audit93      p/owasp-top-ten94```95 96### Pre-commit Hook97 98```bash99# .pre-commit-config.yaml100- repo: https://github.com/returntocorp/semgrep101  rev: v1.45.0102  hooks:103    - id: semgrep104      args: ['--config=auto', '--error']105```106 107## Best Practices108 1091. **Start with Baseline**110   - Run initial scan to establish security baseline111   - Prioritize critical and high severity findings112   - Create remediation roadmap113 1142. **Incremental Adoption**115   - Begin with security-focused rules116   - Gradually add code quality rules117   - Implement blocking only for critical issues118 1193. **False Positive Management**120   - Document legitimate suppressions121   - Create allow lists for known safe patterns122   - Regularly review suppressed findings123 1244. **Performance Optimization**125   - Exclude test files and generated code126   - Use incremental scanning for large codebases127   - Cache scan results in CI/CD128 1295. **Team Enablement**130   - Provide security training for developers131   - Create internal documentation for common patterns132   - Establish security champions program133 134## Common Use Cases135 136### New Project Setup137 138```bash139./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube140```141 142### Custom Rule Development143 144```yaml145# See references/semgrep-rules.md for detailed examples146rules:147  - id: hardcoded-jwt-secret148    pattern: jwt.encode($DATA, "...", ...)149    message: JWT secret should not be hardcoded150    severity: ERROR151```152 153### Compliance Scanning154 155```bash156# PCI-DSS focused scan157semgrep --config p/pci-dss --json -o pci-scan-results.json158```159 160## Troubleshooting161 162### High False Positive Rate163 164- Review and tune rule sensitivity165- Add path filters to exclude test files166- Use nostmt metadata for noisy patterns167- Create organization-specific rule exceptions168 169### Performance Issues170 171- Enable incremental scanning172- Parallelize scans across modules173- Optimize rule patterns for efficiency174- Cache dependencies and scan results175 176### Integration Failures177 178- Verify API tokens and credentials179- Check network connectivity and proxy settings180- Review SARIF output format compatibility181- Validate CI/CD runner permissions182 183## Related Skills184 185- [OWASP Top 10 Checklist](../owasp-top10-checklist/SKILL.md)186- [Container Security](../container-security/SKILL.md)187- [Dependency Scanning](../dependency-scanning/SKILL.md)188 189## Tool Comparison190 191| Tool      | Best For                 | Language Support | Cost            | Integration   |192| --------- | ------------------------ | ---------------- | --------------- | ------------- |193| Semgrep   | Custom rules, fast scans | 30+ languages    | Free/Enterprise | Excellent     |194| SonarQube | Code quality + security  | 25+ languages    | Free/Commercial | Good          |195| CodeQL    | Deep analysis, research  | 10+ languages    | Free (OSS)      | GitHub native |196 197## Next Steps198 1991. Complete initial SAST tool setup2002. Run baseline security scan2013. Create custom rules for organization-specific patterns2024. Integrate into CI/CD pipeline2035. Establish security gate policies2046. Train development team on findings and remediation

Related skills

Accessibility Compliance

This walks you through implementing proper WCAG 2.2 compliance with real code patterns for screen readers, keyboard navigation, and mobile accessibility. It cov

Airflow Dag Patterns

If you're building data pipelines with Airflow, this skill gives you production-ready DAG patterns that actually work in the real world. It covers TaskFlow API

Angular Migration

Migrating from AngularJS to Angular is notoriously painful, and this skill tackles the practical stuff that makes or breaks these projects. It covers hybrid app