Claude Skill
utkusen/sast-skills
SAST Skills is a collection of agent skills that turns your AI coder into a SAST scanner, bringing static application security testing into Claude Code.
Overview
Repository information
Install this Skill
git clone https://github.com/utkusen/sast-skills.git
Registry information
Project description
A collection of agent skills that turns your AI coder into a SAST scanner, running static application security testing directly in Claude Code.
Collection of agent skills that turn your AI coder into a SAST scanner
Highlights
- Turns Claude Code into a SAST scanner
- Reusable collection of agent skills
- Focused on AI security and code analysis
- Open source and community driven
- Lightweight integration into existing workflows
Use cases
- Static analysis of a codebase during development
- Automated security scanning in CI/CD pipelines
- Strengthening the security awareness of AI coding assistants
- Teaching secure coding practices through agent feedback
- Rapid vulnerability detection in open source projects
README summary
# LLM SAST Skills

A collection of agent skills that turn your LLM coding assistant into a fully functional SAST scanner to find vulnerabilities in your codebase. Works natively with Claude Code, Codex, Opencode, Cursor and any other assistant that supports agent skills. No third-party tools required.

Claude Code with the Opus model is recommended, but if cost is a concern, use any IDE and model you trust.

## How It Works

`CLAUDE.md` (for Claude Code) or `AGENTS.md` (for Opencode and other IDEs) orchestrates the entire assessment workflow automatically. The assessment runs in three steps:

1. **Codebase Analysis** -- The `sast-analysis` skill maps the technology stack, architecture, entry points, data flows, and trust boundaries. It writes its findings to `sast/architecture.md`.
2. **Vulnerability Detection (parallel)** -- All 13 vulnerability detection skills run in parallel as subagents. Each skill follows a two-phase approach: first a recon/discovery phase to find candidate sections, then a verification phase to confirm exploitability. Results are written to `sast/*-results.md`.
3. **Report Generation** -- The `sast-report` skill consolidates all findings into a single `sast/final-report.md`, ranked by severity with full remediation guidance and dynamic test instructions.

## What It Detects

| Skill | Vulnerability Class |
|---|---|
| sast-analysis | Codebase reconnaissance, architecture mapping, threat modeling |
| sast-sqli | SQL Injection |
| sast-graphql | GraphQL injection |
| sast-xss | Cross-Site Scripting (XSS) |
| sast-rce | Remote Code Execution (command injection, eval, unsafe deserialization) |
| sast-ssrf | Server-Side Request Forgery |
| sast-idor | Insecure Direct Object Reference |
| sast-xxe | XML External E