Initial commit
191
skills/sast-configuration/SKILL.md
Normal file
@@ -0,0 +1,191 @@
---
name: sast-configuration
description: Configure Static Application Security Testing (SAST) tools for automated vulnerability detection in application code. Use when setting up security scanning, implementing DevSecOps practices, or automating code vulnerability detection.
---

# SAST Configuration

Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.

## Overview

This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL. Use this skill when you need to:

- Set up SAST scanning in CI/CD pipelines
- Create custom security rules for your codebase
- Configure quality gates and compliance policies
- Optimize scan performance and reduce false positives
- Integrate multiple SAST tools for defense-in-depth

## Core Capabilities

### 1. Semgrep Configuration
- Custom rule creation with pattern matching
- Language-specific security rules (Python, JavaScript, Go, Java, etc.)
- CI/CD integration (GitHub Actions, GitLab CI, Jenkins)
- False positive tuning and rule optimization
- Organizational policy enforcement

### 2. SonarQube Setup
- Quality gate configuration
- Security hotspot analysis
- Code coverage and technical debt tracking
- Custom quality profiles for languages
- Enterprise integration with LDAP/SAML

### 3. CodeQL Analysis
- GitHub Advanced Security integration
- Custom query development
- Vulnerability variant analysis
- Security research workflows
- SARIF result processing

## Quick Start

### Initial Assessment
1. Identify primary programming languages in your codebase
2. Determine compliance requirements (PCI-DSS, SOC 2, etc.)
3. Choose SAST tool based on language support and integration needs
4. Review baseline scan to understand current security posture

### Basic Setup
```bash
# Semgrep quick start
pip install semgrep
semgrep --config=auto --error

# SonarQube with Docker
docker run -d --name sonarqube -p 9000:9000 sonarqube:latest

# CodeQL CLI setup
gh extension install github/gh-codeql
codeql database create mydb --language=python
```

## Reference Documentation

- [Semgrep Rule Creation](references/semgrep-rules.md) - Pattern-based security rule development
- [SonarQube Configuration](references/sonarqube-config.md) - Quality gates and profiles
- [CodeQL Setup Guide](references/codeql-setup.md) - Query development and workflows

## Templates & Assets

- [semgrep-config.yml](assets/semgrep-config.yml) - Production-ready Semgrep configuration
- [sonarqube-settings.xml](assets/sonarqube-settings.xml) - SonarQube quality profile template
- [run-sast.sh](scripts/run-sast.sh) - Automated SAST execution script

## Integration Patterns

### CI/CD Pipeline Integration
```yaml
# GitHub Actions example
- name: Run Semgrep
uses: returntocorp/semgrep-action@v1
with:
config: >-
p/security-audit
p/owasp-top-ten
```

### Pre-commit Hook
```bash
# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
rev: v1.45.0
hooks:
- id: semgrep
args: ['--config=auto', '--error']
```

## Best Practices

1. **Start with Baseline**
- Run initial scan to establish security baseline
- Prioritize critical and high severity findings
- Create remediation roadmap

2. **Incremental Adoption**
- Begin with security-focused rules
- Gradually add code quality rules
- Implement blocking only for critical issues

3. **False Positive Management**
- Document legitimate suppressions
- Create allow lists for known safe patterns
- Regularly review suppressed findings

4. **Performance Optimization**
- Exclude test files and generated code
- Use incremental scanning for large codebases
- Cache scan results in CI/CD

5. **Team Enablement**
- Provide security training for developers
- Create internal documentation for common patterns
- Establish security champions program

## Common Use Cases

### New Project Setup
```bash
./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube
```

### Custom Rule Development
```yaml
# See references/semgrep-rules.md for detailed examples
rules:
- id: hardcoded-jwt-secret
pattern: jwt.encode($DATA, "...", ...)
message: JWT secret should not be hardcoded
severity: ERROR
```

### Compliance Scanning
```bash
# PCI-DSS focused scan
semgrep --config p/pci-dss --json -o pci-scan-results.json
```

## Troubleshooting

### High False Positive Rate
- Review and tune rule sensitivity
- Add path filters to exclude test files
- Use nostmt metadata for noisy patterns
- Create organization-specific rule exceptions

### Performance Issues
- Enable incremental scanning
- Parallelize scans across modules
- Optimize rule patterns for efficiency
- Cache dependencies and scan results

### Integration Failures
- Verify API tokens and credentials
- Check network connectivity and proxy settings
- Review SARIF output format compatibility
- Validate CI/CD runner permissions

## Related Skills

- [OWASP Top 10 Checklist](../owasp-top10-checklist/SKILL.md)
- [Container Security](../container-security/SKILL.md)
- [Dependency Scanning](../dependency-scanning/SKILL.md)

## Tool Comparison

| Tool | Best For | Language Support | Cost | Integration |
|------|----------|------------------|------|-------------|
| Semgrep | Custom rules, fast scans | 30+ languages | Free/Enterprise | Excellent |
| SonarQube | Code quality + security | 25+ languages | Free/Commercial | Good |
| CodeQL | Deep analysis, research | 10+ languages | Free (OSS) | GitHub native |

## Next Steps

1. Complete initial SAST tool setup
2. Run baseline security scan
3. Create custom rules for organization-specific patterns
4. Integrate into CI/CD pipeline
5. Establish security gate policies
6. Train development team on findings and remediation
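Review bot: `Use nostmt metadata for noisy patterns` under High False Positive Rate names a mechanism Semgrep does not have; the inline suppression is a `# nosemgrep` (or `# nosemgrep: rule-id`) comment on the flagged line, with `.semgrepignore` for whole paths, so that bullet should be rewritten to say so. Two other lines will not work as written: in Basic Setup, `gh extension install github/gh-codeql` installs the `gh codeql` wrapper, so the next line needs to be `gh codeql database create mydb --language=python` (or run `gh codeql install-stub` first to put a `codeql` shim on PATH), and the `hardcoded-jwt-secret` rule under Custom Rule Development lacks the required `languages:` key (for example `languages: [python]`), so Semgrep will reject the rule file. Smaller points: the Pre-commit Hook block is fenced as `bash` but contains YAML; `returntocorp/semgrep-action@v1` and `returntocorp/semgrep` are the old organization names (the project now lives under the `semgrep` org, and the action has been superseded by running `semgrep ci` in the `semgrep/semgrep` container image), and since this step is a security gate it should be pinned to a commit SHA rather than a mutable `@v1` tag; `p/pci-dss` should be verified against the Semgrep registry before it is documented, as it is not one of the commonly cited rulesets; and the SonarQube `docker run` line starts an ephemeral instance on the embedded database with default admin credentials, which is fine for evaluation but should be labelled as not suitable for production.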