
SAST Configuration Kit

Produces a static-application-security-testing (SAST) configuration for a stack and pipeline you name.

Category: AI & Development
Deliverable: 1 .skill bundle
Outputs: 5
Last updated: 19 Jun 2026
$7 One-time · lifetime updates
  • Works in Claude Pro, Team, and Enterprise
  • Lifetime access to updates
  • Refundable for 30 days via the marketplace

StrategistKit Affiliate. Purchase happens on the marketplace, which handles payment, delivery and refunds.

Overview

What SAST Configuration Kit does.

The SAST Configuration Kit acts as a DevSecOps engineer for your codebase. You describe your stack, CI/CD platform, and whether you are starting fresh or fixing a noisy existing scanner. It selects the right tool from Semgrep, CodeQL, or SonarQube for your situation, produces the actual config files and rulesets, writes the CI wiring ready to commit, and defines a triage workflow with suppression rules that require a stated reason — not a silent ignore.

A typical input: 'Python/Django monorepo, GitHub Actions, no SAST yet, SaaS is fine, we need to satisfy SOC 2. Want Semgrep or CodeQL, not sure which.' The skill identifies the mode as SETUP, recommends Semgrep as primary for PR-speed with CodeQL on a nightly schedule for taint analysis, and produces the full configuration package for that combination.

Sample output excerpt:
  • Tool selection: Semgrep (primary, PR gate) + CodeQL (scheduled, deep taint).
  • Severity gate: block new Critical/High on PR; report Medium/Low.
  • CI snippet: GitHub Actions workflow YAML with a semgrep scan step, inline PR annotations enabled, and a baseline snapshot job.
  • Suppression policy: every nosemgrep comment must include a rule ID, a one-line justification, and an owner.
  • Residual risk note: SAST will not cover runtime business-logic flaws or DAST-class issues.
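To make the suppression policy above enforceable in CI rather than a convention people forget, here is an added example (not part of the kit's output) of a small Python check that scans source text for nosemgrep comments and reports any that lack a rule ID, a justification, or an owner. The `-- justification (owner: name)` suffix is an assumed house convention layered on Semgrep's own `nosemgrep: rule-id` syntax, and the rule IDs in the sample are constructed placeholders.

```python
import re

# Assumed house convention for a compliant suppression (the "nosemgrep: <rule-id>"
# prefix is Semgrep's own syntax; the rest is our policy):
#   # nosemgrep: <rule-id> -- <one-line justification> (owner: <name>)
SUPPRESSION_RE = re.compile(
    r"nosemgrep"
    r"(?::\s*(?P<rule>[\w.\-/,]+))?"          # rule ID(s); absent = blanket suppression
    r"(?:\s*--\s*(?P<reason>[^()]*?))?"       # one-line justification
    r"\s*(?:\(owner:\s*(?P<owner>[^)]+)\))?"  # accountable owner
    r"\s*$"
)


def check_suppressions(source: str) -> list[tuple[int, list[str]]]:
    """Return (line number, problems) for every nosemgrep comment that breaks policy."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        idx = line.find("nosemgrep")
        if idx == -1:
            continue
        match = SUPPRESSION_RE.match(line[idx:])
        if match is None:
            findings.append((lineno, ["suppression does not follow the convention"]))
            continue
        problems = []
        if not match.group("rule"):
            problems.append("no rule ID (blanket suppression)")
        if not (match.group("reason") or "").strip():
            problems.append("no justification")
        if not (match.group("owner") or "").strip():
            problems.append("no owner")
        if problems:
            findings.append((lineno, problems))
    return findings


# Constructed sample input: one blanket suppression, one compliant, one missing an owner.
SAMPLE = """\
import subprocess
subprocess.call(cmd, shell=True)  # nosemgrep
eval(expr)  # nosemgrep: example.eval-detected -- argument is a constant from config (owner: @alice)
pickle.loads(data)  # nosemgrep: example.pickle-load -- trusted internal cache
"""

if __name__ == "__main__":
    for lineno, problems in check_suppressions(SAMPLE):
        print(f"line {lineno}: {', '.join(problems)}")
```

Wire it as a CI step that fails the job when the returned list is non-empty, so a blanket `# nosemgrep` cannot merge.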

Who it's for

Engineering teams and DevSecOps practitioners who need to add SAST to a CI pipeline without drowning in false positives, and security engineers inheriting a scanner setup the team has already started ignoring because it blocks or spams too much.

What you get

One skill. 5 outputs.

One .skill bundle. Run it on your material and it returns:

01. SAST tool + ruleset selection
02. Severity gating policy
03. CI/CD wiring config
04. Findings triage workflow
05. Baseline + suppression strategy

How it works

Three steps. About two minutes.

Install

Add the .skill file to your Claude app. ~10 seconds.

Run it on your work

Invoke the skill and paste in your material.

Apply the output

Review, keep what works, and use it.

In depth

Why a Claude skill beats a prompt template.

A copy-paste prompt runs one static pass and stops. A skill is a bundled program — instructions, examples, and a workflow Claude runs as a unit: it asks for the right input, applies the same pattern every time, and returns the structured outputs above.

FAQ

Common questions.

What file formats does the skill actually produce?

It produces the config files you would commit: Semgrep YAML rules and .semgrepignore, CodeQL workflow YAML or qlpack config, SonarQube sonar-project.properties, and CI workflow YAML for whichever platform you name. These are ready-to-use, not pseudocode.

What do I need to provide to get useful output?

At minimum: the languages and frameworks in the codebase, your CI/CD platform, whether a scanner is already in place, and any hard constraints such as no SaaS tools or a specific compliance requirement. The skill states its defaults and asks only for what it cannot reasonably assume.

Can it fix an existing Semgrep or SonarQube setup that the team ignores rather than build one from scratch?

Yes. TUNE mode takes an existing configuration and returns a prioritised remediation table identifying the root causes — all-rules-on noise, missing baseline on a legacy repo, blocking on low severity, blanket suppressions — ranked by impact relative to effort, with the single highest-leverage fix called out first.

Does it write custom detection rules or only configure built-in ones?

Both. It selects from curated security rule packs aligned to your stack, and where you have a known internal footgun — a banned API call, a required auth wrapper — it writes a custom Semgrep rule and explains the pattern so your team can extend it.

Will it recommend running all three tools at once?

No. It picks one as primary based on your stack and constraints, and only adds a second where the combination is clearly justified — for example, a fast Semgrep PR gate layered with a nightly CodeQL deep scan on security-critical code. Running all three without justification is explicitly avoided.
