sast-runner | web-audit-tools | ClaudePluginHub

Skill

Community

sast-runner

From web-audit-tools

0

Description

Runs Static Application Security Testing (SAST) using Semgrep. Scans source code for vulnerabilities, security anti-patterns, and OWASP Top 10 issues. Use when user asks to "run SAST", "scan for vulnerabilities", "static analysis", "code security scan", "静的解析", "脆弱性スキャン".

Install

1

Add the repository(one-time)

$

/plugin marketplace add naporin0624/claude-web-audit-plugins

2

Install the plugin

$

/plugin install web-audit-tools@web-audit-marketplace

Tool Access

This skill inherits all available tools. When active, it can use any tool Claude has access to.

Supporting Assets

View in Repository

dist/index.js

package.json

src/index.ts

src/types.ts

tsconfig.json

Skill Content

SAST Runner

Wrapper for Semgrep to perform Static Application Security Testing.

Prerequisites

Semgrep must be installed:

# pip
pip install semgrep

# macOS
brew install semgrep

# Docker
docker pull semgrep/semgrep

Usage

# Scan current directory with auto config
npx sast-runner .

# Scan with specific ruleset
npx sast-runner . --config security-audit

# Scan with JSON output
npx sast-runner . --json

# Available rulesets
npx sast-runner --list-configs

# Check if semgrep is installed
npx sast-runner --check

Rulesets

Config	Description
auto	Auto-detect languages and apply relevant rules
security-audit	Comprehensive security audit
owasp-top-ten	OWASP Top 10 focused
cwe-top-25	CWE/SANS Top 25
default	Default ruleset

Output Format

{
  "tool": "semgrep",
  "scanPath": ".",
  "findings": [
    {
      "id": "javascript.express.security.audit.xss.mustache-escape",
      "severity": "high",
      "message": "Potential XSS vulnerability",
      "file": "src/app.js",
      "line": 42,
      "code": "res.send(userInput)",
      "cwes": ["CWE-79"],
      "owasp": ["A03:2021"],
      "fix": "Use proper output encoding"
    }
  ],
  "summary": {
    "total": 1,
    "critical": 0,
    "high": 1,
    "medium": 0,
    "low": 0
  }
}

Exit Codes

0: No issues found
1: Issues detected
2: Tool not installed or error

CWE Coverage

Common vulnerabilities detected:

CWE-89: SQL Injection
CWE-79: Cross-site Scripting (XSS)
CWE-78: OS Command Injection
CWE-94: Code Injection
CWE-22: Path Traversal
CWE-502: Deserialization of Untrusted Data
CWE-200: Exposure of Sensitive Information

Supported Languages

JavaScript, TypeScript, Python, Go, Java, Ruby, PHP, C, C++, Rust, Kotlin, Swift, and more.

Links

GitHub Stats

0 forks

Updated 2 days ago

Similar Skills

Agent Development

This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.

47.1k

Command Development

This skill should be used when the user asks to "create a slash command", "add a command", "write a custom command", "define command arguments", "use command frontmatter", "organize commands", "create command with file references", "interactive command", "use AskUserQuestion in command", or needs guidance on slash command structure, YAML frontmatter fields, dynamic arguments, bash execution in commands, user interaction patterns, or command development best practices for Claude Code.

47.1k

Hook Development

This skill should be used when the user asks to "create a hook", "add a PreToolUse/PostToolUse/Stop hook", "validate tool use", "implement prompt-based hooks", "use ${CLAUDE_PLUGIN_ROOT}", "set up event-driven automation", "block dangerous commands", or mentions hook events (PreToolUse, PostToolUse, Stop, SubagentStop, SessionStart, SessionEnd, UserPromptSubmit, PreCompact, Notification). Provides comprehensive guidance for creating and implementing Claude Code plugin hooks with focus on advanced prompt-based hooks API.

47.1k