Initial commit

skills/appsec/sast-semgrep/assets/semgrep_config.yaml

@@ -0,0 +1,80 @@
+# Recommended Semgrep Configuration
+# Save as .semgrepconfig or semgrep.yml in your project root
+
+# Rules to run
+rules: p/security-audit
+
+# Alternative: Specify multiple rulesets
+# rules:
+#   - p/owasp-top-ten
+#   - p/cwe-top-25
+#   - path/to/custom-rules.yaml
+
+# Paths to exclude from scanning
+exclude:
+  - "*/node_modules/*"
+  - "*/vendor/*"
+  - "*/.venv/*"
+  - "*/venv/*"
+  - "*/dist/*"
+  - "*/build/*"
+  - "*/.git/*"
+  - "*/tests/*"
+  - "*/test/*"
+  - "*_test.go"
+  - "test_*.py"
+  - "*.test.js"
+  - "*.spec.js"
+  - "*.min.js"
+  - "*.bundle.js"
+
+# Paths to include (optional - scans all by default)
+# include:
+#   - "src/"
+#   - "app/"
+#   - "lib/"
+
+# Maximum file size to scan (in bytes)
+max_target_bytes: 1000000  # 1MB
+
+# Timeout for each file (in seconds)
+timeout: 30
+
+# Number of jobs for parallel scanning
+# jobs: 4
+
+# Metrics and telemetry (disable for privacy)
+metrics: off
+
+# Autofix mode (use with caution)
+# autofix: false
+
+# Output format
+# Can be: text, json, sarif, gitlab-sast, junit-xml, emacs, vim
+# Set via CLI: semgrep --config=<this-file> --json
+# output_format: text
+
+# Severity thresholds
+# Only report findings at or above this severity
+# Can be: ERROR, WARNING, INFO
+# min_severity: WARNING
+
+# Scan statistics
+# Show timing and performance stats
+# time: false
+# Show stats after scanning
+# verbose: false
+
+# CI/CD specific settings
+# These are typically set via CLI or CI environment
+
+# Fail on findings
+# Set exit code 1 if findings are detected
+# error: true
+
+# Baseline commit for diff scanning
+# baseline_commit: origin/main
+
+# SARIF output settings (for GitHub Security, etc.)
+# sarif:
+#   output: semgrep-results.sarif