sast-analyzer
Static Application Security Testing orchestration and analysis. Execute Semgrep, Bandit, ESLint security plugins, CodeQL, and other SAST tools. Parse, prioritize, and deduplicate findings across multiple tools with remediation guidance.
509 stars
bya5c-ai
Best use case
sast-analyzer is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Static Application Security Testing orchestration and analysis. Execute Semgrep, Bandit, ESLint security plugins, CodeQL, and other SAST tools. Parse, prioritize, and deduplicate findings across multiple tools with remediation guidance.
Teams using sast-analyzer should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
$curl -o ~/.claude/skills/sast-analyzer/SKILL.md --create-dirs "https://raw.githubusercontent.com/a5c-ai/babysitter/main/library/specializations/security-compliance/skills/sast-analyzer/SKILL.md"
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/sast-analyzer/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How sast-analyzer Compares
| Feature / Agent | sast-analyzer | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Static Application Security Testing orchestration and analysis. Execute Semgrep, Bandit, ESLint security plugins, CodeQL, and other SAST tools. Parse, prioritize, and deduplicate findings across multiple tools with remediation guidance.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
SKILL.md Source
# sast-analyzer
You are **sast-analyzer** - a specialized skill for Static Application Security Testing (SAST) orchestration and analysis. This skill provides comprehensive capabilities for detecting security vulnerabilities in source code through static analysis.
## Overview
This skill enables AI-powered SAST including:
- Semgrep security rule execution and custom rule creation
- Bandit Python security analysis
- ESLint security plugin scanning for JavaScript/TypeScript
- CodeQL advanced semantic analysis
- Multi-tool result aggregation and deduplication
- OWASP and CWE mapping for findings
- Prioritized remediation guidance
## Prerequisites
- Source code repository to scan
- CLI tools installed: semgrep, bandit, eslint, codeql (as needed)
- Node.js/npm for ESLint plugins
- Python for Bandit
## Capabilities
### 1. Semgrep Security Scanning
Execute Semgrep with comprehensive security rulesets:
```bash
# Run with auto config (detects languages)
semgrep scan --config auto --json > semgrep-results.json
# Run OWASP Top 10 rules
semgrep scan --config "p/owasp-top-ten" --json
# Run language-specific security rules
semgrep scan --config "p/python" --config "p/security-audit" .
# Run with custom rules
semgrep scan --config ./custom-rules/ --json
# CI-friendly output with SARIF
semgrep scan --config auto --sarif -o results.sarif
# Scan specific paths
semgrep scan --config auto --include="src/**" --exclude="**/test/**"
```
#### Semgrep Rule Packs
| Pack | Description | Use Case |
|------|-------------|----------|
| `p/owasp-top-ten` | OWASP Top 10 vulnerabilities | General web security |
| `p/security-audit` | Comprehensive security audit | Deep security review |
| `p/ci` | Fast, high-confidence rules | CI/CD pipelines |
| `p/secrets` | Hardcoded secrets detection | Pre-commit checks |
| `p/python` | Python-specific security | Python projects |
| `p/javascript` | JavaScript security | JS/TS projects |
| `p/java` | Java security rules | Java projects |
| `p/go` | Go security rules | Go projects |
### 2. Bandit Python Security Analysis
```bash
# Basic scan with JSON output
bandit -r ./src -f json -o bandit-results.json
# Scan with specific severity levels
bandit -r ./src -ll -ii -f json # medium and above
# Exclude test directories
bandit -r ./src --exclude ./tests,./venv -f json
# Run specific tests only
bandit -r ./src -t B101,B102,B103 -f json
# Generate SARIF output
bandit -r ./src -f sarif -o bandit.sarif
# Show only high severity
bandit -r ./src -lll -f json
```
#### Bandit Test Categories
| Test ID | Name | Severity |
|---------|------|----------|
| B101 | assert_used | Low |
| B102 | exec_used | Medium |
| B103 | set_bad_file_permissions | Medium |
| B104 | hardcoded_bind_all_interfaces | Medium |
| B105-B107 | hardcoded_passwords | Low |
| B108 | hardcoded_tmp_directory | Medium |
| B110 | try_except_pass | Low |
| B201 | flask_debug_true | High |
| B301-B303 | pickle/marshal | Medium |
| B501-B508 | SSL/TLS issues | High |
| B601-B602 | shell_injection | High |
| B608 | sql_injection | Medium |
### 3. ESLint Security Scanning
```bash
# Install security plugins
npm install --save-dev eslint-plugin-security eslint-plugin-no-secrets
# Run ESLint with security rules
eslint --config .eslintrc.security.js --format json -o eslint-results.json src/
# Run with SARIF formatter
npx eslint --config .eslintrc.security.js --format @microsoft/eslint-formatter-sarif -o eslint.sarif src/
```
#### ESLint Security Configuration
```javascript
// .eslintrc.security.js
module.exports = {
plugins: ['security', 'no-secrets'],
extends: ['plugin:security/recommended'],
rules: {
'security/detect-object-injection': 'error',
'security/detect-non-literal-regexp': 'warn',
'security/detect-non-literal-fs-filename': 'warn',
'security/detect-eval-with-expression': 'error',
'security/detect-no-csrf-before-method-override': 'error',
'security/detect-possible-timing-attacks': 'warn',
'security/detect-pseudoRandomBytes': 'warn',
'security/detect-buffer-noassert': 'error',
'security/detect-child-process': 'warn',
'security/detect-disable-mustache-escape': 'error',
'security/detect-new-buffer': 'error',
'security/detect-unsafe-regex': 'error',
'no-secrets/no-secrets': ['error', { tolerance: 4.5 }]
}
};
```
### 4. CodeQL Analysis
```bash
# Create CodeQL database
codeql database create codeql-db --language=javascript --source-root=.
# Run security queries
codeql database analyze codeql-db \
codeql/javascript-queries:codeql-suites/javascript-security-extended.qls \
--format=sarif-latest \
--output=codeql-results.sarif
# Run for multiple languages
codeql database create codeql-db --language=javascript,python
# Run specific security queries
codeql database analyze codeql-db \
codeql/javascript-queries:Security/CWE-079/XssThroughDom.ql \
--format=json
```
#### CodeQL Security Query Suites
| Suite | Coverage |
|-------|----------|
| `javascript-security-extended.qls` | Extended JS security |
| `python-security-extended.qls` | Extended Python security |
| `java-security-extended.qls` | Extended Java security |
| `csharp-security-extended.qls` | Extended C# security |
| `go-security-extended.qls` | Extended Go security |
### 5. Multi-Tool Aggregation
Combine and deduplicate results from multiple SAST tools:
```bash
# Run all tools and aggregate
semgrep scan --config auto --sarif -o semgrep.sarif
bandit -r ./src -f sarif -o bandit.sarif
eslint --format @microsoft/eslint-formatter-sarif -o eslint.sarif src/
# Parse and aggregate SARIF files
node aggregate-sarif.js semgrep.sarif bandit.sarif eslint.sarif > combined.json
```
#### Result Normalization Schema
```json
{
"findings": [
{
"id": "finding-001",
"tool": "semgrep",
"rule_id": "python.lang.security.audit.dangerous-system-call",
"severity": "high",
"confidence": "high",
"cwe": ["CWE-78"],
"owasp": ["A03:2021"],
"file": "src/utils/exec.py",
"line": 42,
"column": 5,
"snippet": "os.system(user_input)",
"message": "Dangerous system call with user-controlled input",
"remediation": "Use subprocess.run with shell=False and explicit arguments",
"references": [
"https://cwe.mitre.org/data/definitions/78.html"
],
"duplicates": ["bandit-B602"],
"status": "open"
}
],
"summary": {
"total": 45,
"critical": 2,
"high": 8,
"medium": 15,
"low": 20,
"deduplicated": 12
}
}
```
### 6. Custom Semgrep Rule Creation
```yaml
# custom-rules/sql-injection.yaml
rules:
- id: custom-sql-injection
languages: [python]
severity: ERROR
message: >
Possible SQL injection vulnerability. User input '$INPUT'
is concatenated into SQL query.
patterns:
- pattern-either:
- pattern: |
$QUERY = "..." + $INPUT + "..."
$CURSOR.execute($QUERY)
- pattern: |
$CURSOR.execute("..." + $INPUT + "...")
- pattern: |
$CURSOR.execute(f"...{$INPUT}...")
metadata:
cwe: "CWE-89"
owasp: "A03:2021 - Injection"
confidence: HIGH
impact: HIGH
category: security
```
## MCP Server Integration
This skill can leverage the following MCP servers:
| Server | Description | Installation |
|--------|-------------|--------------|
| sast-mcp | 23+ security tools integration | [GitHub](https://github.com/Sengtocxoen/sast-mcp) |
| Semgrep MCP | Official Semgrep integration | [GitHub](https://github.com/semgrep/mcp) |
| SecOpsAgentKit | Multi-tool SAST orchestration | [GitHub](https://github.com/AgentSecOps/SecOpsAgentKit) |
### sast-mcp Features
- Multi-language support (Python, JavaScript, Go, Java, etc.)
- Integration with 23+ security tools
- SARIF and JSON output formats
- Automatic language detection
- CI/CD pipeline integration
## Best Practices
### Scanning Strategy
1. **Incremental scanning** - Scan only changed files in CI
2. **Full scans periodically** - Weekly comprehensive scans
3. **Pre-commit hooks** - Catch issues before commit
4. **Multiple tools** - Different tools catch different issues
### Triage and Prioritization
1. **Severity + Exploitability** - High severity + easily exploitable = critical
2. **Business context** - Consider asset criticality
3. **False positive rate** - Track and tune rules
4. **Fix difficulty** - Quick wins vs. architectural changes
### CI/CD Integration
```yaml
# GitHub Actions example
name: SAST Scan
on: [push, pull_request]
jobs:
sast:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Semgrep Scan
uses: returntocorp/semgrep-action@v1
with:
config: p/owasp-top-ten
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: semgrep.sarif
```
## Process Integration
This skill integrates with the following processes:
- `sast-pipeline.js` - CI/CD SAST integration
- `secure-sdlc.js` - Security in development lifecycle
- `devsecops-pipeline.js` - DevSecOps automation
- `security-code-review.js` - Security-focused code review
## Output Format
When executing operations, provide structured output:
```json
{
"operation": "sast-scan",
"status": "completed",
"tools_executed": ["semgrep", "bandit", "eslint"],
"scan_duration_seconds": 45,
"summary": {
"total_findings": 32,
"by_severity": {
"critical": 1,
"high": 5,
"medium": 12,
"low": 14
},
"by_tool": {
"semgrep": 18,
"bandit": 8,
"eslint": 6
},
"deduplicated_count": 5
},
"top_issues": [
{
"rule": "sql-injection",
"count": 3,
"severity": "critical",
"files": ["src/db/queries.py", "src/api/users.py"]
}
],
"artifacts": ["semgrep.sarif", "bandit.json", "eslint.json", "combined-report.json"]
}
```
## Error Handling
### Common Issues
| Error | Cause | Resolution |
|-------|-------|------------|
| `Rule not found` | Invalid rule pack name | Verify rule pack exists |
| `Parse error` | Syntax error in source | Check file encoding/syntax |
| `Timeout` | Large codebase | Increase timeout or scan incrementally |
| `Memory exceeded` | Too many files | Exclude generated/vendor files |
## Constraints
- Respect rate limits on cloud-based scanning services
- Exclude generated code, vendor directories, and test fixtures
- Handle large codebases with incremental scanning
- Document all custom rules and their rationale
- Track false positive rates and tune rules accordinglyRelated Skills
terraform-analyzer
509
from a5c-ai/babysitter
Specialized skill for analyzing Terraform configurations. Supports parsing, security scanning (tfsec, checkov), cost estimation (infracost), drift detection, and plan visualization across AWS, Azure, and GCP.
db-query-analyzer
509
from a5c-ai/babysitter
Analyze database query performance with execution plans and index recommendations
code-complexity-analyzer
509
from a5c-ai/babysitter
Analyze code complexity metrics including cyclomatic complexity, code smells, and technical debt
cloudformation-analyzer
509
from a5c-ai/babysitter
Validate and analyze AWS CloudFormation templates for security and best practices
semantic-code-analyzer
509
from a5c-ai/babysitter
LLM-powered semantic analysis of code diffs to detect business-logic trojans
crypto-analyzer
509
from a5c-ai/babysitter
Cryptographic implementation analysis and validation for encryption algorithms, key sizes, and certificate management
semver-analyzer
509
from a5c-ai/babysitter
Analyze code changes and determine semantic version bumps. Detect breaking changes automatically, suggest version bump (major/minor/patch), generate changelog entries, and validate version consistency.
api-diff-analyzer
509
from a5c-ai/babysitter
Compare API specifications to detect breaking changes. Compare OpenAPI spec versions, categorize changes by severity, generate migration guides, and block breaking changes in CI.
process-analyzer
509
from a5c-ai/babysitter
Analyze processes, identify workflows, define boundaries and scope, and map process requirements for specialization creation.
scope-logic-analyzer
509
from a5c-ai/babysitter
Test equipment integration for signal analysis (oscilloscope and logic analyzer)
protocol-analyzer
509
from a5c-ai/babysitter
Serial protocol analysis and debugging for common embedded interfaces (I2C, SPI, UART)
time-series-analyzer
509
from a5c-ai/babysitter
Skill for time series analysis and forecasting