{"id":47704128,"url":"https://github.com/utkusen/sast-skills","last_synced_at":"2026-04-05T21:01:12.412Z","repository":{"id":348309701,"uuid":"1196248606","full_name":"utkusen/sast-skills","owner":"utkusen","description":"Collection of agent skills that turn your AI coder into a SAST scanner","archived":false,"fork":false,"pushed_at":"2026-04-02T20:46:16.000Z","size":5289,"stargazers_count":221,"open_issues_count":0,"forks_count":9,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-04T20:49:06.523Z","etag":null,"topics":["ai-security","claude","claude-code","sast"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/utkusen.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-30T14:11:49.000Z","updated_at":"2026-04-04T19:13:45.000Z","dependencies_parsed_at":null,"dependency_job_id":"ff40da8d-cffa-4a6d-8398-2e582d6739bb","html_url":"https://github.com/utkusen/sast-skills","commit_stats":null,"previous_names":["utkusen/sast-skills"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/utkusen/sast-skills","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/utkusen%2Fsast-skills","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/utkusen%2Fsast-skills/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/utkusen%2Fsast-skills/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/utkusen%2Fsast-skills/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/utkusen","download_url":"https://codeload.github.com/utkusen/sast-skills/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/utkusen%2Fsast-skills/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31449836,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-05T15:22:31.103Z","status":"ssl_error","status_checked_at":"2026-04-05T15:22:00.205Z","response_time":75,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-security","claude","claude-code","sast"],"created_at":"2026-04-02T17:49:40.124Z","updated_at":"2026-04-05T21:01:12.360Z","avatar_url":"https://github.com/utkusen.png","language":null,"funding_links":[],"categories":["Agentic AI Security Skills"],"sub_categories":["Data \u0026 Supply Chain Security"],"readme":"# LLM SAST Skills\n\nA collection of agent skills that turn your LLM coding assistant into a fully functional SAST scanner to find vulnerabilities in your codebase. Works natively with Claude Code, Codex, Opencode, Cursor and any other assistant that supports agent skills. No third-party tools required.\n\nClaude Code with Opus model is recommended. But if the cost is a concern, use any IDE and model you trust.\n\n![Process in Claude Code](demo.gif)\n\n## How It Works\n\n`CLAUDE.md` (for Claude Code) or `AGENTS.md` (for Opencode and other IDEs) orchestrates the entire assessment workflow automatically. The assessment runs in three steps:\n\n1. **Codebase Analysis** -- The `sast-analysis` skill maps the technology stack, architecture, entry points, data flows, and trust boundaries. It writes its findings to `sast/architecture.md`.\n\n2. **Vulnerability Detection (parallel)** -- All 13 vulnerability detection skills run in parallel as subagents. Each skill follows a two-phase approach: first a recon/discovery phase to find candidate sections, then a verification phase to confirm exploitability. Results are written to `sast/*-results.md`.\n\n3. **Report Generation** -- The `sast-report` skill consolidates all findings into a single `sast/final-report.md`, ranked by severity with full remediation guidance and dynamic test instructions.\n\n## What It Detects\n\n| Skill | Vulnerability Class |\n|---|---|\n| sast-analysis | Codebase reconnaissance, architecture mapping, threat modeling |\n| sast-sqli | SQL Injection |\n| sast-graphql | GraphQL injection |\n| sast-xss | Cross-Site Scripting (XSS) |\n| sast-rce | Remote Code Execution (command injection, eval, unsafe deserialization) |\n| sast-ssrf | Server-Side Request Forgery |\n| sast-idor | Insecure Direct Object Reference |\n| sast-xxe | XML External Entity |\n| sast-ssti | Server-Side Template Injection |\n| sast-jwt | Insecure JWT implementations |\n| sast-missingauth | Missing authentication and broken function-level authorization |\n| sast-pathtraversal | Path / directory traversal |\n| sast-fileupload | Insecure file upload |\n| sast-businesslogic | Business logic flaws (price manipulation, workflow bypass, race conditions, etc.) |\n| sast-report | Consolidated final report ranked by severity |\n\n\n## Installation\n\nCopy your project into the `sast-files` folder, then open `sast-files` as your workspace in your AI coding assistant.\n\n```bash\ncp -r /path/to/your/project sast-files/\n```\n\n\u003e **Note:** If your project already contains a `CLAUDE.md` or `AGENTS.md` file, remove it before running the assessment — otherwise it will conflict with the orchestration file provided by this toolkit.\n\n\n## Usage\n\nAfter copying the files, open your project in your AI coding assistant and ask:\n\n\u003e Run vulnerability scan\n\nor\n\n\u003e Find vulnerabilities in this codebase\n\nThe entry point file (`CLAUDE.md` or `AGENTS.md`) orchestrates the full workflow automatically. It will skip any steps whose output files already exist, so you can safely re-run it after fixing issues.\n\n## Output\n\nAll output is written to a `sast/` folder in your project root:\n\n| File | Description |\n|---|---|\n| `sast/architecture.md` | Technology stack, architecture, entry points, data flows |\n| `sast/*-results.md` | Per-vulnerability-class findings with proof and remediation |\n| `sast/final-report.md` | Consolidated report ranked by severity |\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Futkusen%2Fsast-skills","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Futkusen%2Fsast-skills","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Futkusen%2Fsast-skills/lists"}