sast-configuration

• Set up SAST scanning in CI/CD pipelines
• Create custom security rules for your codebase
• Configure quality gates and compliance policies
• Optimize scan performance and reduce false positives
• Integrate multiple SAST tools for defense-in-depth

• You only need DAST or manual penetration testing guidance
• You cannot access source code or CI/CD pipelines
• You need organizational policy decisions rather than tooling setup

1. Identify languages, repos, and compliance requirements.
2. Choose tools and define a baseline policy.
3. Integrate scans into CI/CD with gating thresholds.
4. Tune rules and suppressions based on false positives.
5. Track remediation and verify fixes.

• Avoid scanning sensitive repos with third-party services without approval.
• Prevent leaks of secrets in scan artifacts and logs.

This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL.

1. Semgrep Configuration

• Custom rule creation with pattern matching
• Language-specific security rules (Python, JavaScript, Go, Java, etc.)
• CI/CD integration (GitHub Actions, GitLab CI, Jenkins)
• False positive tuning and rule optimization
• Organizational policy enforcement

2. SonarQube Setup

• Quality gate configuration
• Security hotspot analysis
• Code coverage and technical debt tracking
• Custom quality profiles for languages
• Enterprise integration with LDAP/SAML

3. CodeQL Analysis

• GitHub Advanced Security integration
• Custom query development
• Vulnerability variant analysis
• Security research workflows
• SARIF result processing

Initial Assessment

1. Identify primary programming languages in your codebase
2. Determine compliance requirements (PCI-DSS, SOC 2, etc.)
3. Choose SAST tool based on language support and integration needs
4. Review baseline scan to understand current security posture

Basic Setup

```bash

# Semgrep quick start

pip install semgrep

semgrep --config=auto --error

# SonarQube with Docker

docker run -d --name sonarqube -p 9000:9000 sonarqube:latest

# CodeQL CLI setup

gh extension install github/gh-codeql

codeql database create mydb --language=python

```

• [Semgrep Rule Creation](references/semgrep-rules.md) - Pattern-based security rule development
• [SonarQube Configuration](references/sonarqube-config.md) - Quality gates and profiles
• [CodeQL Setup Guide](references/codeql-setup.md) - Query development and workflows

• [semgrep-config.yml](assets/semgrep-config.yml) - Production-ready Semgrep configuration
• [sonarqube-settings.xml](assets/sonarqube-settings.xml) - SonarQube quality profile template
• [run-sast.sh](scripts/run-sast.sh) - Automated SAST execution script

CI/CD Pipeline Integration

```yaml

# GitHub Actions example

• name: Run Semgrep

uses: returntocorp/semgrep-action@v1

with:

config: >-

p/security-audit

p/owasp-top-ten

```

Pre-commit Hook

```bash

# .pre-commit-config.yaml

• repo: https://github.com/returntocorp/semgrep

rev: v1.45.0

hooks:

- id: semgrep

args: ['--config=auto', '--error']

```

1. Start with Baseline

- Run initial scan to establish security baseline

- Prioritize critical and high severity findings

- Create remediation roadmap

1. Incremental Adoption

- Begin with security-focused rules

- Gradually add code quality rules

- Implement blocking only for critical issues

1. False Positive Management

- Document legitimate suppressions

- Create allow lists for known safe patterns

- Regularly review suppressed findings

1. Performance Optimization

- Exclude test files and generated code

- Use incremental scanning for large codebases

- Cache scan results in CI/CD

1. Team Enablement

- Provide security training for developers

- Create internal documentation for common patterns

- Establish security champions program

New Project Setup

```bash

./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube

```

Custom Rule Development

```yaml

# See references/semgrep-rules.md for detailed examples

rules:

- id: hardcoded-jwt-secret

pattern: jwt.encode($DATA, "...", ...)

message: JWT secret should not be hardcoded

severity: ERROR

```

Compliance Scanning

```bash

# PCI-DSS focused scan

semgrep --config p/pci-dss --json -o pci-scan-results.json

```

High False Positive Rate

• Review and tune rule sensitivity
• Add path filters to exclude test files
• Use nostmt metadata for noisy patterns
• Create organization-specific rule exceptions

Performance Issues

• Enable incremental scanning
• Parallelize scans across modules
• Optimize rule patterns for efficiency
• Cache dependencies and scan results

Integration Failures

• Verify API tokens and credentials
• Check network connectivity and proxy settings
• Review SARIF output format compatibility
• Validate CI/CD runner permissions

• [OWASP Top 10 Checklist](../owasp-top10-checklist/SKILL.md)
• [Container Security](../container-security/SKILL.md)
• [Dependency Scanning](../dependency-scanning/SKILL.md)

| Tool | Best For | Language Support | Cost | Integration |

|------|----------|------------------|------|-------------|

| Semgrep | Custom rules, fast scans | 30+ languages | Free/Enterprise | Excellent |

| SonarQube | Code quality + security | 25+ languages | Free/Commercial | Good |

| CodeQL | Deep analysis, research | 10+ languages | Free (OSS) | GitHub native |

1. Complete initial SAST tool setup
2. Run baseline security scan
3. Create custom rules for organization-specific patterns
4. Integrate into CI/CD pipeline
5. Establish security gate policies
6. Train development team on findings and remediation