How do I install sast-configuration?

Run `npx skills add https://github.com/wshobson/agents --skill sast-configuration` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does sast-configuration support?

sast-configuration works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is sast-configuration free to use?

Yes. sast-configuration is free to install and use. It is available from the open explainx.ai skill registry published by wshobson.

Where can I read ratings and reviews for sast-configuration?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install sast-configuration?

Run `npx skills add https://github.com/wshobson/agents --skill sast-configuration` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does sast-configuration support?

sast-configuration works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is sast-configuration free to use?

Yes. sast-configuration is free to install and use. It is available from the open explainx.ai skill registry published by wshobson.

Where can I read ratings and reviews for sast-configuration?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install sast-configuration?

Run `npx skills add https://github.com/wshobson/agents --skill sast-configuration` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does sast-configuration support?

sast-configuration works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is sast-configuration free to use?

Yes. sast-configuration is free to install and use. It is available from the open explainx.ai skill registry published by wshobson.

Where can I read ratings and reviews for sast-configuration?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install sast-configuration?

Run `npx skills add https://github.com/wshobson/agents --skill sast-configuration` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does sast-configuration support?

sast-configuration works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is sast-configuration free to use?

Yes. sast-configuration is free to install and use. It is available from the open explainx.ai skill registry published by wshobson.

Where can I read ratings and reviews for sast-configuration?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install sast-configuration?

Run `npx skills add https://github.com/wshobson/agents --skill sast-configuration` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does sast-configuration support?

sast-configuration works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is sast-configuration free to use?

Yes. sast-configuration is free to install and use. It is available from the open explainx.ai skill registry published by wshobson.

Where can I read ratings and reviews for sast-configuration?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install sast-configuration?

Run `npx skills add https://github.com/wshobson/agents --skill sast-configuration` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does sast-configuration support?

sast-configuration works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is sast-configuration free to use?

Yes. sast-configuration is free to install and use. It is available from the open explainx.ai skill registry published by wshobson.

Where can I read ratings and reviews for sast-configuration?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install sast-configuration?

Run `npx skills add https://github.com/wshobson/agents --skill sast-configuration` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does sast-configuration support?

sast-configuration works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is sast-configuration free to use?

Yes. sast-configuration is free to install and use. It is available from the open explainx.ai skill registry published by wshobson.

Where can I read ratings and reviews for sast-configuration?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install sast-configuration?

Run `npx skills add https://github.com/wshobson/agents --skill sast-configuration` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does sast-configuration support?

sast-configuration works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is sast-configuration free to use?

Yes. sast-configuration is free to install and use. It is available from the open explainx.ai skill registry published by wshobson.

Where can I read ratings and reviews for sast-configuration?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install sast-configuration?

Run `npx skills add https://github.com/wshobson/agents --skill sast-configuration` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does sast-configuration support?

sast-configuration works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is sast-configuration free to use?

Yes. sast-configuration is free to install and use. It is available from the open explainx.ai skill registry published by wshobson.

Where can I read ratings and reviews for sast-configuration?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install sast-configuration?

Run `npx skills add https://github.com/wshobson/agents --skill sast-configuration` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does sast-configuration support?

sast-configuration works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is sast-configuration free to use?

Yes. sast-configuration is free to install and use. It is available from the open explainx.ai skill registry published by wshobson.

Where can I read ratings and reviews for sast-configuration?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install sast-configuration?

Run `npx skills add https://github.com/wshobson/agents --skill sast-configuration` in your terminal. You need to have run `npx skills init` once in your project first.

Productivity

sast-configuration

Configure SAST tools for automated vulnerability detection across multiple languages and CI/CD pipelines.

wshobson/agents|Updated Apr 8, 2026

Works with

Claude CodeCursorClineWindsurfCodexGooseGitHub CopilotZed

total installs

this week

33.1K

GitHub stars

upvotes

Install Skill

Run in your terminal

$npx skills add https://github.com/wshobson/agents --skill sast-configuration

installs

this week

33.1K

stars

View on GitHub

sast configuration

0 commentsJoin discussion →

What it does

Covers three major SAST platforms: Semgrep (custom pattern-based rules), SonarQube (quality gates and code coverage), and CodeQL (GitHub Advanced Security integration)
Includes CI/CD integration patterns for GitHub Actions, GitLab CI, and Jenkins, plus pre-commit hook setup for early detection
Provides production-ready configuration templates, custom rule examples, and performanc

Repository

wshobson/agents

Last updated

Apr 8, 2026

Installation Guide

Select your AI agent

How to use sast-configuration on Cursor

AI-first code editor with Composer

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

›Cursor installed and configured on your machine
›Node.js 16+ with npm — verify with node --version
›Active project directory where you want to add sast-configuration

Run the install command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills add https://github.com/wshobson/agents --skill sast-configuration

Fetches sast-configuration from wshobson/agents and configures it for Cursor.

Select Cursor when prompted

The CLI shows a list of agents. Use arrow keys and space to select Cursor:

◆ Which agents do you want to install to?

│

│ ── Universal (.agents/skills) ────────────────

│ · Cline · Codex · Goose · Windsurf

│ ●Cursor(selected)

│ · Cursor · Aider · Continue

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/sast-configuration

Restart Cursor to activate sast-configuration. Access via /sast-configuration in your agent's command palette.

⚠

Security Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.

›View source on GitHub ›Skills CLI docs ›About Cursor ›What are agent skills?

Documentation

SAST Configuration

Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.

Overview

This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL. Use this skill when you need to:

Set up SAST scanning in CI/CD pipelines
Create custom security rules for your codebase
Configure quality gates and compliance policies
Optimize scan performance and reduce false positives
Integrate multiple SAST tools for defense-in-depth

Core Capabilities

1. Semgrep Configuration

Custom rule creation with pattern matching
Language-specific security rules (Python, JavaScript, Go, Java, etc.)
CI/CD integration (GitHub Actions, GitLab CI, Jenkins)
False positive tuning and rule optimization
Organizational policy enforcement

2. SonarQube Setup

Quality gate configuration
Security hotspot analysis
Code coverage and technical debt tracking
Custom quality profiles for languages
Enterprise integration with LDAP/SAML

3. CodeQL Analysis

GitHub Advanced Security integration
Custom query development
Vulnerability variant analysis
Security research workflows
SARIF result processing

Quick Start

Initial Assessment

Identify primary programming languages in your codebase
Determine compliance requirements (PCI-DSS, SOC 2, etc.)
Choose SAST tool based on language support and integration needs
Review baseline scan to understand current security posture

Basic Setup

# Semgrep quick start
pip install semgrep
semgrep --config=auto --error

# SonarQube with Docker
docker run -d --name sonarqube -p 9000:9000 sonarqube:latest

# CodeQL CLI setup
gh extension install github/gh-codeql
codeql database create mydb --language=python

Reference Documentation

Semgrep Rule Creation - Pattern-based security rule development
SonarQube Configuration - Quality gates and profiles
CodeQL Setup Guide - Query development and workflows

Templates & Assets

semgrep-config.yml - Production-ready Semgrep configuration
sonarqube-settings.xml - SonarQube quality profile template
run-sast.sh - Automated SAST execution script

Integration Patterns

CI/CD Pipeline Integration

# GitHub Actions example
- name: Run Semgrep
  uses: returntocorp/semgrep-action@v1
  with:
    config: >-
      p/security-audit
      p/owasp-top-ten

Pre-commit Hook

# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
  rev: v1.45.0
  hooks:
    - id: semgrep
      args: ['--config=auto', '--error']

Best Practices

Start with Baseline
- Run initial scan to establish security baseline
- Prioritize critical and high severity findings
- Create remediation roadmap
Incremental Adoption
- Begin with security-focused rules
- Gradually add code quality rules
- Implement blocking only for critical issues
False Positive Management
- Document legitimate suppressions
- Create allow lists for known safe patterns
- Regularly review suppressed findings
Performance Optimization
- Exclude test files and generated code
- Use incremental scanning for large codebases
- Cache scan results in CI/CD
Team Enablement
- Provide security training for developers
- Create internal documentation for common patterns
- Establish security champions program

Common Use Cases

New Project Setup

./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube

Custom Rule Development

# See references/semgrep-rules.md for detailed examples
rules:
  - id: hardcoded-jwt-secret
    pattern: jwt.encode($DATA, "...", ...)
    message: JWT secret should not be hardcoded
    severity: ERROR

Compliance Scanning

# PCI-DSS focused scan
semgrep --config p/pci-dss --json -o pci-scan-results.json

Troubleshooting

High False Positive Rate

Review and tune rule sensitivity
Add path filters to exclude test files
Use nostmt metadata for noisy patterns
Create organization-specific rule exceptions

Performance Issues

Enable incremental scanning
Parallelize scans across modules
Optimize rule patterns for efficiency
Cache dependencies and scan results

Integration Failures

Verify API tokens and credentials
Check network connectivity and proxy settings
Review SARIF output format compatibility
Validate CI/CD runner permissions

Related Skills

Tool Comparison

Tool	Best For	Language Support	Cost	Integration
Semgrep	Custom rules, fast scans	30+ languages	Free/Enterprise	Excellent
SonarQube	Code quality + security	25+ languages	Free/Commercial	Good
CodeQL	Deep analysis, research	10+ languages	Free (OSS)	GitHub native

Next Steps

Complete initial SAST tool setup
Run baseline security scan
Create custom rules for organization-specific patterns
Integrate into CI/CD pipeline
Establish security gate policies
Train development team on findings and remediation

List & Monetize Your Skill

Submit your Claude Code skill and start earning

Get started →

Use Cases

User Story & Requirements Generation

Create detailed user stories, acceptance criteria, and feature specs

Example

Generate user stories for 'password reset feature' with acceptance criteria, edge cases, and test scenarios

✓

Reduce spec writing time by 50%, ensure comprehensive coverage

Competitive Analysis

Research competitors, compare features, identify gaps

Example

Analyze 5 competitor products, create feature comparison matrix, suggest differentiation opportunities

✓

Complete competitive research in 2 hours instead of 2 days

Roadmap Prioritization

Evaluate features using frameworks (RICE, ICE, Kano) and create prioritized backlogs

Example

Score 20 feature ideas using RICE framework, generate prioritized roadmap with rationale

✓

Make data-driven prioritization decisions faster

Stakeholder Communication

Draft PRDs, status updates, and stakeholder presentations

Example

Create executive summary of Q3 roadmap, monthly progress report, feature launch announcement

✓

Save 3-5 hours/week on communication overhead

Implementation Guide

Prerequisites

›Claude Desktop or compatible AI client
›Access to product documentation and roadmap tools (Jira, Notion, etc.)
›Understanding of product management frameworks (RICE, Jobs-to-be-Done, etc.)
›Stakeholder contact information and communication channels

Time Estimate

30-60 minutes to see productivity improvements

Steps

1Install product management skill
2Start with user story generation for known feature
3Progress to competitive analysis: research 2-3 competitors
4Use for roadmap prioritization: apply RICE/ICE scoring
5Draft stakeholder communications and refine based on feedback
6Build template library for recurring PM tasks
7Share effective prompts with product team

Common Pitfalls

⚠Not validating competitive research—verify facts before sharing
⚠Accepting user stories without involving engineering team
⚠Over-relying on frameworks without qualitative judgment
⚠Not customizing outputs to company culture and communication style
⚠Skipping stakeholder validation of generated requirements

Best Practices

✓ Do

+Validate research and competitive analysis with real data
+Collaborate with engineering when generating technical requirements
+Customize frameworks and templates to your company context
+Use skill for first drafts, refine with stakeholder input
+Document successful prompt patterns for PM tasks
+Combine AI efficiency with human judgment and intuition

✗ Don't

−Don't publish competitive analysis without fact-checking
−Don't finalize user stories without engineering review
−Don't make prioritization decisions solely on AI scoring
−Don't skip customer validation of generated requirements
−Don't ignore company-specific context and culture

💡 Pro Tips

★Provide context: company goals, constraints, customer feedback
★Ask for alternatives: 'Show 3 ways to prioritize this roadmap'
★Request stakeholder-specific formatting: 'Executive summary vs. engineering spec'
★Use skill for 70% generation + 30% customization to company needs

When to Use This

✓ Use when

Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.

✗ Avoid when

Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.

Learning Path

1Basic: user stories, feature specs, status updates
2Intermediate: competitive analysis, prioritization frameworks, PRDs
3Advanced: product strategy, go-to-market planning, OKR setting
4Expert: product vision, market positioning, business model innovation

Related Skills

grill-me

388

mattpocock/skills

Productivitysame category

premortem

197

parcadei/continuous-claude-v3

Productivitysame category

deslop

118

cursor/plugins

Productivitysame category

framer-motion

pproenca/dot-skills

Productivitysame category

write-a-prd

mattpocock/skills

Productivitysame category

travel-planner

ailabs-393/ai-labs-claude-skills

Productivitysame category

Reviews

4.5★★★★★65 reviews

W
William Chen★★★★★Dec 24, 2024
Useful defaults in sast-configuration — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
H
Henry Garcia★★★★★Dec 12, 2024
sast-configuration has been reliable in day-to-day use. Documentation quality is above average for community skills.
H
Harper Sethi★★★★★Dec 4, 2024
Keeps context tight: sast-configuration is the kind of skill you can hand to a new teammate without a long onboarding doc.
D
Diya Abebe★★★★★Nov 23, 2024
Registry listing for sast-configuration matched our evaluation — installs cleanly and behaves as described in the markdown.
H
Hiroshi Khan★★★★★Nov 15, 2024
sast-configuration has been reliable in day-to-day use. Documentation quality is above average for community skills.
V
Valentina Smith★★★★★Nov 7, 2024
sast-configuration fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
H
Henry Johnson★★★★★Nov 3, 2024
Useful defaults in sast-configuration — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
V
Valentina Torres★★★★★Oct 26, 2024
We added sast-configuration from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
A
Alexander White★★★★★Oct 22, 2024
I recommend sast-configuration for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
M
Mei Diallo★★★★★Oct 14, 2024
sast-configuration reduced setup friction for our internal harness; good balance of opinion and flexibility.

sast-configuration

Install Skill

What it does

Category

Repository

Last updated

Installation Guide

How to use sast-configuration on Cursor

Prerequisites

Run the install command

Select Cursor when prompted

Verify installation

Security Notice

Documentation

SAST Configuration

Overview

Core Capabilities

1. Semgrep Configuration

2. SonarQube Setup

3. CodeQL Analysis

Quick Start

Initial Assessment

Basic Setup

Reference Documentation

Templates & Assets

Integration Patterns

CI/CD Pipeline Integration

Pre-commit Hook

Best Practices

Common Use Cases

New Project Setup

Custom Rule Development

Compliance Scanning

Troubleshooting

High False Positive Rate

Performance Issues

Integration Failures

Related Skills

Tool Comparison

Next Steps

List & Monetize Your Skill

Use Cases

User Story & Requirements Generation

Competitive Analysis

Roadmap Prioritization

Stakeholder Communication

Implementation Guide

Best Practices

When to Use This

Learning Path

Related Skills

grill-me

premortem

deslop

framer-motion

write-a-prd

travel-planner

Reviews

Discussion