utkusen/sast-skills
SAST Skills is a collection of agent skills that turns AI coding assistants like Claude Code, Cursor, and Opencode into a fully automated Static Application Security Testing (SAST) scanner, with no third-party tools required.

The system runs in three phases. First, a codebase analysis skill maps the technology stack, frameworks, entry points, trust boundaries, and data flows into an architecture document. Next, 13 specialized vulnerability detection skills run in parallel, each following a recon-then-batched-verify pattern to reduce false positives. Detectors cover SQL injection, GraphQL injection, XSS, RCE, SSRF, IDOR, XXE, SSTI, insecure JWT implementations, missing authentication and broken function-level authorization, path traversal, insecure file uploads, hardcoded secrets, and business logic flaws. Finally, a report generator consolidates findings into a severity-ranked markdown report with exploit paths and remediation guidance.

Drop your repository into the sast-files/ folder, open the project in your AI assistant, and ask for a vulnerability scan. The orchestration file drives the entire workflow and writes results to a local sast/ folder.
git clone https://github.com/utkusen/sast-skills.git
Quick Start Example
# 1. Copy the target codebase into the skills workspace
cp -r /path/to/your/project sast-files/
# 2. Open this folder in Claude Code (or Cursor / Opencode)
# and prompt the agent:
#
# "Run vulnerability scan"
# "Find vulnerabilities in this codebase"
#
# The orchestration file (CLAUDE.md / AGENTS.md) drives:
# • sast-analysis → architecture.md
# • parallel detectors → sqli, xss, rce, ssrf, idor, xxe,
#                        ssti, jwt, missingauth, pathtraversal,
#                        fileupload, hardcodedsecrets, businesslogic,
#                        graphql
# • sast-report → final-report.md (severity-ranked)
ls sast/ # architecture.md, *-results.md, final-report.md
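The recon-then-batched-verify pattern that the detectors above follow, and the severity-ranked report that closes the pipeline, reduced to a small Python illustration for one detector (SQL injection via string concatenation). This is an added example, not code from the sast-skills project, whose detectors are skill prompts executed by the AI assistant rather than Python. The sample source, the TAINT_SOURCES list, and the split_functions/recon/verify/scan/report functions are all assumptions made for this illustration; the recon phase only pattern-matches, and the verify phase runs one taint pass per function and confirms only candidates fed by request input, which is what discards the false positive in get_config().

```python
import re
from dataclasses import dataclass

# Constructed sample input for this example, not taken from any real project.
# get_user: real finding; get_config: concatenation of a constant (false positive
# for recon alone); get_order: parameterized query, never a candidate.
SAMPLE_SOURCE = '''\
def get_user(request):
    uid = request.args.get("id")
    cur.execute("SELECT * FROM users WHERE id = " + uid)

def get_config():
    table = "settings"
    cur.execute("SELECT * FROM config WHERE name = '" + table + "'")

def get_order(request):
    oid = request.form["order"]
    cur.execute("SELECT * FROM orders WHERE id = %s", (oid,))
'''

# Assumption for this example: only values read from the web request are attacker-controlled.
TAINT_SOURCES = ("request.",)


@dataclass
class Candidate:
    func: str
    lineno: int
    code: str
    variables: list


@dataclass
class Finding:
    func: str
    lineno: int
    variable: str
    severity: str


def split_functions(source):
    """Group source lines by their enclosing def; module-level lines go under '<module>'."""
    funcs = {"<module>": []}
    current = "<module>"
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = re.match(r"def\s+(\w+)\s*\(", line)
        if m:
            current = m.group(1)
            funcs.setdefault(current, [])
        funcs[current].append((lineno, line))
    return funcs


def recon(funcs):
    """Phase 1 (recon): cheap pattern match for execute() calls built with '+' concatenation."""
    candidates = []
    for func, lines in funcs.items():
        for lineno, line in lines:
            if ".execute(" not in line or "+" not in line:
                continue
            # Identifiers adjacent to a '+' are the values spliced into the query text.
            names = set(re.findall(r"\+\s*([A-Za-z_]\w*)", line))
            names |= set(re.findall(r"([A-Za-z_]\w*)\s*\+", line))
            if names:
                candidates.append(Candidate(func, lineno, line.strip(), sorted(names)))
    return candidates


def tainted_variables(lines):
    """Variables in one function that derive (directly or via assignment) from a taint source."""
    tainted = set()
    changed = True
    while changed:  # fixed point, so `b = a` after `a = request...` is also tainted
        changed = False
        for _, line in lines:
            m = re.match(r"\s*([A-Za-z_]\w*)\s*=(?!=)\s*(.+)$", line)
            if not m:
                continue
            var, rhs = m.groups()
            from_source = any(src in rhs for src in TAINT_SOURCES)
            from_tainted = any(re.search(rf"\b{t}\b", rhs) for t in tainted)
            if (from_source or from_tainted) and var not in tainted:
                tainted.add(var)
                changed = True
    return tainted


def verify(funcs, candidates):
    """Phase 2 (batched verify): group candidates per function, run one taint pass per batch."""
    by_func = {}
    for c in candidates:
        by_func.setdefault(c.func, []).append(c)
    findings = []
    for func, batch in by_func.items():
        tainted = tainted_variables(funcs[func])  # computed once for the whole batch
        for c in batch:
            for var in c.variables:
                if var in tainted:
                    findings.append(Finding(func, c.lineno, var, "high"))
    return findings


def scan(source):
    funcs = split_functions(source)
    return verify(funcs, recon(funcs))


def report(findings):
    """Phase 3: severity-ranked markdown, mirroring the shape of a final report."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    out = ["# SQL injection findings", ""]
    for f in sorted(findings, key=lambda f: (order[f.severity], f.lineno)):
        out.append(f"- [{f.severity.upper()}] {f.func}() line {f.lineno}: "
                   f"tainted `{f.variable}` concatenated into query")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(scan(SAMPLE_SOURCE)))
```

Recon alone yields two candidates (get_user and get_config); verification keeps only the one whose concatenated variable is assigned from the request, which is the false-positive reduction the batched verify step exists for. A real detector would add more taint sources, sinks and propagation rules, but the phase split stays the same.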