sast-configuration

SAST Configuration

Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.

Overview

This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL. Use this skill when you need to:
  • Set up SAST scanning in CI/CD pipelines
  • Create custom security rules for your codebase
  • Configure quality gates and compliance policies
  • Optimize scan performance and reduce false positives
  • Integrate multiple SAST tools for defense-in-depth

Core Capabilities

1. Semgrep Configuration

  • Custom rule creation with pattern matching
  • Language-specific security rules (Python, JavaScript, Go, Java, etc.)
  • CI/CD integration (GitHub Actions, GitLab CI, Jenkins)
  • False positive tuning and rule optimization
  • Organizational policy enforcement

2. SonarQube Setup

  • Quality gate configuration
  • Security hotspot analysis
  • Code coverage and technical debt tracking
  • Custom quality profiles for languages
  • Enterprise integration with LDAP/SAML

3. CodeQL Analysis

  • GitHub Advanced Security integration
  • Custom query development
  • Vulnerability variant analysis
  • Security research workflows
  • SARIF result processing

Quick Start

Initial Assessment

  1. Identify primary programming languages in your codebase
  2. Determine compliance requirements (PCI-DSS, SOC 2, etc.)
  3. Choose SAST tool based on language support and integration needs
  4. Review baseline scan to understand current security posture

Basic Setup

```bash
# Semgrep quick start
pip install semgrep
semgrep --config=auto --error

# SonarQube with Docker
docker run -d --name sonarqube -p 9000:9000 sonarqube:latest

# CodeQL CLI setup
gh extension install github/gh-codeql
# the extension is invoked as `gh codeql ...`; `gh codeql install-stub` adds a `codeql` shim to PATH
codeql database create mydb --language=python
```

Reference Documentation

  • Semgrep Rule Creation - Pattern-based security rule development
  • SonarQube Configuration - Quality gates and profiles
  • CodeQL Setup Guide - Query development and workflows

Templates & Assets

  • semgrep-config.yml - Production-ready Semgrep configuration
  • sonarqube-settings.xml - SonarQube quality profile template
  • run-sast.sh - Automated SAST execution script

Integration Patterns

CI/CD Pipeline Integration

```yaml
# GitHub Actions example
- name: Run Semgrep
  uses: returntocorp/semgrep-action@v1
  with:
    config: >-
      p/security-audit
      p/owasp-top-ten
```

Pre-commit Hook

```bash
# .pre-commit-config.yaml
```

Best Practices

  1. Start with Baseline
    • Run initial scan to establish security baseline
    • Prioritize critical and high severity findings
    • Create remediation roadmap
  2. Incremental Adoption
    • Begin with security-focused rules
    • Gradually add code quality rules
    • Implement blocking only for critical issues
  3. False Positive Management
    • Document legitimate suppressions
    • Create allow lists for known safe patterns
    • Regularly review suppressed findings
  4. Performance Optimization
    • Exclude test files and generated code
    • Use incremental scanning for large codebases
    • Cache scan results in CI/CD
  5. Team Enablement
    • Provide security training for developers
    • Create internal documentation for common patterns
    • Establish security champions program
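A gate over scanner output, as an added example that is not part of the original page or of any of the tools it lists: it reads a constructed SARIF report (Semgrep and CodeQL both emit SARIF), tallies findings by level, treats findings already recorded in a baseline or under excluded test paths as not new, and blocks only on new error-level findings, which is the baseline-first, block-only-on-critical policy described above. The names `gate`, `finding_key`, the sample report and the policy constants are assumptions of this example.

```python
# Added example (constructed data, not Semgrep's or CodeQL's code): gate a SARIF report so
# that only NEW findings at a blocking level fail the build; everything else is reported.
import json
from collections import Counter

SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "semgrep"}},
        "results": [
            {"ruleId": "hardcoded-jwt-secret", "level": "error",
             "message": {"text": "JWT secret should not be hardcoded"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "subprocess-shell-true", "level": "warning",
             "message": {"text": "subprocess call with shell=True"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/helpers.py"},
                                                 "region": {"startLine": 7}}}]},
        ],
    }],
})

BLOCKING_LEVELS = {"error"}                # policy: block only on critical findings
EXCLUDED_PREFIXES = ("tests/", "vendor/")  # path filters for test and generated code


def finding_key(result):
    """Stable identity of a result, (rule id, file, line), used for baseline matching."""
    loc = result["locations"][0]["physicalLocation"]
    return (result["ruleId"], loc["artifactLocation"]["uri"], loc["region"]["startLine"])


def gate(sarif_text, baseline=frozenset()):
    """Return (blocking, new_findings, counts_by_level); baseline holds finding_key tuples."""
    doc = json.loads(sarif_text)
    counts, new = Counter(), []
    for run in doc["runs"]:
        for result in run.get("results", []):
            key = finding_key(result)
            level = result.get("level", "warning")  # SARIF's default when level is omitted
            counts[level] += 1                      # tally everything for the report
            if key in baseline or key[1].startswith(EXCLUDED_PREFIXES):
                continue                            # accepted baseline or filtered path: not new
            new.append((level, key))
    blocking = any(level in BLOCKING_LEVELS for level, _ in new)
    return blocking, new, dict(counts)


if __name__ == "__main__":
    print(gate(SAMPLE_SARIF))  # (True, [('error', ('hardcoded-jwt-secret', 'app/auth.py', 42))], {...})
```

Recording the accepted keys in a versioned baseline file is the "document legitimate suppressions" step; reviewing that file periodically is the "regularly review suppressed findings" step.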

Common Use Cases

New Project Setup

```bash
./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube
```

Custom Rule Development

```yaml
# See references/semgrep-rules.md for detailed examples
rules:
  - id: hardcoded-jwt-secret
    # Semgrep rejects a rule without a languages list, so it is given here explicitly
    languages: [python]
    pattern: jwt.encode($DATA, "...", ...)
    message: JWT secret should not be hardcoded
    severity: ERROR
```

Compliance Scanning

```bash
# PCI-DSS focused scan
semgrep --config p/pci-dss --json -o pci-scan-results.json
```

Troubleshooting

High False Positive Rate

  • Review and tune rule sensitivity
  • Add path filters to exclude test files
  • Use nostmt metadata for noisy patterns
  • Create organization-specific rule exceptions

Performance Issues

  • Enable incremental scanning
  • Parallelize scans across modules
  • Optimize rule patterns for efficiency
  • Cache dependencies and scan results

Integration Failures

  • Verify API tokens and credentials
  • Check network connectivity and proxy settings
  • Review SARIF output format compatibility
  • Validate CI/CD runner permissions

Related Skills

  • OWASP Top 10 Checklist
  • Container Security
  • Dependency Scanning

Tool Comparison

| Tool | Best For | Language Support | Cost | Integration |
| --- | --- | --- | --- | --- |
| Semgrep | Custom rules, fast scans | 30+ languages | Free/Enterprise | Excellent |
| SonarQube | Code quality + security | 25+ languages | Free/Commercial | Good |
| CodeQL | Deep analysis, research | 10+ languages | Free (OSS) | GitHub native |

Next Steps

  1. Complete initial SAST tool setup
  2. Run baseline security scan
  3. Create custom rules for organization-specific patterns
  4. Integrate into CI/CD pipeline
  5. Establish security gate policies
  6. Train development team on findings and remediation