Claude Skill
utkusen/sast-skills
SAST Skills is a collection of agent skills that turn your AI coder into a SAST scanner for static application security testing within Claude Code.
Install this Skill
git clone https://github.com/utkusen/sast-skills.git
Summary
A collection of agent skills that transform your AI coder into a SAST scanner, enabling static application security testing directly within Claude Code.
A collection of agent skills that turn your AI coder into a SAST scanner.
Key features
- Turns Claude Code into a SAST scanner
- Collection of reusable agent skills
- Focuses on AI security and code analysis
- Open-source and community-driven
- Lightweight integration with existing workflows
Use cases
- Static analysis of codebases during development
- Automated security scanning in CI/CD pipelines
- Enhancing AI coding assistants with security awareness
- Teaching secure coding practices via agent feedback
- Rapid vulnerability detection in open-source projects
README excerpt
# LLM SAST Skills

A collection of agent skills that turn your LLM coding assistant into a fully functional SAST scanner to find vulnerabilities in your codebase. Works natively with Claude Code, Codex, Opencode, Cursor and any other assistant that supports agent skills. No third-party tools required.

Claude Code with the Opus model is recommended, but if cost is a concern, use any IDE and model you trust.

## How It Works

`CLAUDE.md` (for Claude Code) or `AGENTS.md` (for Opencode and other IDEs) orchestrates the entire assessment workflow automatically. The assessment runs in three steps:

1. **Codebase Analysis** -- The `sast-analysis` skill maps the technology stack, architecture, entry points, data flows, and trust boundaries. It writes its findings to `sast/architecture.md`.
2. **Vulnerability Detection (parallel)** -- All 13 vulnerability detection skills run in parallel as subagents. Each skill follows a two-phase approach: first a recon/discovery phase to find candidate sections, then a verification phase to confirm exploitability. Results are written to `sast/*-results.md`.
3. **Report Generation** -- The `sast-report` skill consolidates all findings into a single `sast/final-report.md`, ranked by severity with full remediation guidance and dynamic test instructions.

## What It Detects

| Skill | Vulnerability Class |
|---|---|
| sast-analysis | Codebase reconnaissance, architecture mapping, threat modeling |
| sast-sqli | SQL Injection |
| sast-graphql | GraphQL injection |
| sast-xss | Cross-Site Scripting (XSS) |
| sast-rce | Remote Code Execution (command injection, eval, unsafe deserialization) |
| sast-ssrf | Server-Side Request Forgery |
| sast-idor | Insecure Direct Object Reference |
| sast-xxe | XML External E