- Home
- Skills
- Rohunj
- Claude Build Workflow
- Sast Semgrep
sast-semgrep_skill
- Shell
214
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill rohunj/claude-build-workflow --skill sast-semgrep- SKILL.md9.3 KB
Overview
This skill performs static application security testing (SAST) using Semgrep to detect vulnerabilities, guide secure code fixes, and map findings to OWASP Top 10 and CWE. It automates scans across many languages, supports custom rules, and integrates into CI/CD for continuous security gating. Results are prioritized by severity and include remediation guidance to accelerate fixes.
How this skill works
The skill runs Semgrep rulesets (built-in and custom) against a codebase to identify pattern-based vulnerabilities and insecure coding patterns. Findings are classified by severity (CRITICAL, HIGH, MEDIUM, LOW, INFO), mapped to OWASP/CWE categories, and output in formats like JSON or SARIF for dashboards and ticketing. It supports diff scans for PRs, baseline daily scans, and custom rule validation workflows.
When to use it
- Scan a full repository to discover security issues across multiple languages.
- Gate pull requests with targeted scans on changed files to block high-severity issues.
- Integrate SAST into CI/CD pipelines with fail-on-severity thresholds and SARIF exports.
- Create and test custom Semgrep rules for organization-specific patterns.
- Complement dynamic testing and dependency scanning for comprehensive security coverage.
Best practices
- Start with a baseline scan and enforce gates progressively (CRITICAL/HIGH first).
- Use diff scans for fast PR feedback and full scans on schedule or pre-release.
- Tune rules and exclude noisy files or vendor code to reduce false positives.
- Map findings to OWASP and CWE to prioritize risk and guide remediation.
- Keep custom rules and rule libraries versioned and test them against vulnerable samples.
Example use cases
- Daily security baseline that runs comprehensive scans and generates prioritized reports.
- Pull request security gate that scans only changed files and fails the build on HIGH/CRITICAL findings.
- Develop custom Semgrep rules to detect proprietary insecure patterns and deploy them in CI.
- Export SARIF/JSON to a SIEM or vulnerability management system for tracking and remediation.
- Targeted research scans to locate specific vulnerability patterns (e.g., XSS, SQLi) across the codebase.
FAQ
Exclude noisy rules, add .semgrepignore for files, tune severities, and use nosemgrep comments with justification for confirmed false positives.
Can I run scans only on changed files in a PR?
Yes. Use diff-mode scanning to target modified files and configure CI to run lightweight checks on PRs and full scans on merges or schedules.