sast-semgrep
Install: `claude install-skill aiskillstore/marketplace`
# SAST with Semgrep
## Overview
Perform comprehensive static application security testing using Semgrep, a fast, open-source
static analysis tool. This skill provides automated vulnerability detection, security code
review workflows, and remediation guidance mapped to OWASP Top 10 and CWE standards.
## Quick Start
Scan a codebase for security vulnerabilities:
```bash
semgrep --config=auto --severity=ERROR --severity=WARNING /path/to/code
```
Run with OWASP Top 10 ruleset:
```bash
semgrep --config="p/owasp-top-ten" /path/to/code
```
## Core Workflows
### Workflow 1: Initial Security Scan
1. Identify the primary languages in the codebase
2. Run `scripts/semgrep_scan.py` with appropriate rulesets
3. Parse findings and categorize by severity (CRITICAL, HIGH, MEDIUM, LOW)
4. Map findings to OWASP Top 10 and CWE categories
5. Generate prioritized remediation report
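Steps 3 and 4 above, parsing `semgrep --json` output and bucketing findings by severity and by OWASP/CWE tag, as an added example; this is not the skill's own `scripts/semgrep_scan.py`. Assumptions: the tier mapping (ERROR with `metadata.confidence: HIGH` to CRITICAL, other ERROR to HIGH, WARNING to MEDIUM, INFO to LOW) is a convention chosen here, not Semgrep's, and the sample report and `example.*` rule ids are constructed.

```python
import json
from collections import defaultdict

TIERS = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

def tier_for(extra):
    """Map Semgrep severity (ERROR/WARNING/INFO) plus rule confidence to a tier (own convention)."""
    sev = extra.get("severity", "INFO").upper()
    conf = str(extra.get("metadata", {}).get("confidence", "")).upper()
    if sev == "ERROR":
        return "CRITICAL" if conf == "HIGH" else "HIGH"
    return "MEDIUM" if sev == "WARNING" else "LOW"

def as_list(value):
    # Rule metadata may give cwe/owasp as a string or a list; normalise to a list.
    return [] if value is None else (value if isinstance(value, list) else [value])

def categorize(report_json):
    """Bucket findings from a `semgrep --json` document by tier, OWASP tag and CWE."""
    by_tier = {t: [] for t in TIERS}
    by_owasp, by_cwe = defaultdict(list), defaultdict(list)
    for r in json.loads(report_json).get("results", []):
        extra = r.get("extra", {})
        meta = extra.get("metadata", {})
        finding = {"rule": r["check_id"], "tier": tier_for(extra),
                   "location": f"{r['path']}:{r['start']['line']}",
                   "message": extra.get("message", "")}
        by_tier[finding["tier"]].append(finding)
        for tag in as_list(meta.get("owasp")):
            by_owasp[tag].append(finding["rule"])
        for tag in as_list(meta.get("cwe")):
            by_cwe[tag].append(finding["rule"])
    return by_tier, dict(by_owasp), dict(by_cwe)

# Constructed sample of `semgrep --json` output with placeholder rule ids.
SAMPLE = json.dumps({"results": [
    {"check_id": "example.sqli-fstring", "path": "app/db.py", "start": {"line": 42},
     "extra": {"severity": "ERROR", "message": "SQL built with f-string",
               "metadata": {"confidence": "HIGH", "cwe": ["CWE-89"],
                            "owasp": ["A03:2021 - Injection"]}}},
    {"check_id": "example.weak-hash", "path": "app/auth.py", "start": {"line": 7},
     "extra": {"severity": "WARNING", "message": "MD5 used for password hashing",
               "metadata": {"cwe": "CWE-328", "owasp": "A02:2021 - Cryptographic Failures"}}},
], "errors": []})
if __name__ == "__main__":
    tiers, owasp, cwe = categorize(SAMPLE)
    for t in TIERS:  # prioritized report: CRITICAL first
        for f in tiers[t]:
            print(f"[{t}] {f['location']} {f['rule']}: {f['message']}")
```

Feed it a real report with `semgrep --config=auto --json -o report.json /path/to/code` and pass the file contents to `categorize`.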
### Workflow 2: Security Code Review
1. For pull requests or commits, run targeted scans on changed files
2. Use `semgrep --diff` to scan only modified code
3. Flag high-severity findings as blocking issues
4. Provide inline remediation guidance from `references/remediation_guide.md`
5. Link findings to secure coding patterns
### Workflow 3: Custom Rule Development
1. Identify organization-specific security patterns to detect
2. Create custom Semgrep rules in YAML format using `assets/rule_template.yaml`
3. Test rules against known vulnerable code samples
4. Integrate custom rules into CI/CD pipeline
5. Doc