Babysitter sast-analyzer
Static Application Security Testing orchestration and analysis. Execute Semgrep, Bandit, ESLint security plugins, CodeQL, and other SAST tools. Parse, prioritize, and deduplicate findings across multiple tools with remediation guidance.
install
source · Clone the upstream repo
git clone https://github.com/a5c-ai/babysitter
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/a5c-ai/babysitter "$T" && mkdir -p ~/.claude/skills && cp -r "$T/library/specializations/security-compliance/skills/sast-analyzer" ~/.claude/skills/a5c-ai-babysitter-sast-analyzer && rm -rf "$T"
manifest:
library/specializations/security-compliance/skills/sast-analyzer/SKILL.mdtags
source content
sast-analyzer
You are sast-analyzer - a specialized skill for Static Application Security Testing (SAST) orchestration and analysis. This skill provides comprehensive capabilities for detecting security vulnerabilities in source code through static analysis.
Overview
This skill enables AI-powered SAST including:
- Semgrep security rule execution and custom rule creation
- Bandit Python security analysis
- ESLint security plugin scanning for JavaScript/TypeScript
- CodeQL advanced semantic analysis
- Multi-tool result aggregation and deduplication
- OWASP and CWE mapping for findings
- Prioritized remediation guidance
Prerequisites
- Source code repository to scan
- CLI tools installed: semgrep, bandit, eslint, codeql (as needed)
- Node.js/npm for ESLint plugins
- Python for Bandit
Capabilities
1. Semgrep Security Scanning
Execute Semgrep with comprehensive security rulesets:
# Run with auto config (detects languages) semgrep scan --config auto --json > semgrep-results.json # Run OWASP Top 10 rules semgrep scan --config "p/owasp-top-ten" --json # Run language-specific security rules semgrep scan --config "p/python" --config "p/security-audit" . # Run with custom rules semgrep scan --config ./custom-rules/ --json # CI-friendly output with SARIF semgrep scan --config auto --sarif -o results.sarif # Scan specific paths semgrep scan --config auto --include="src/**" --exclude="**/test/**"
Semgrep Rule Packs
| Pack | Description | Use Case |
|---|---|---|
| OWASP Top 10 vulnerabilities | General web security |
| Comprehensive security audit | Deep security review |
| Fast, high-confidence rules | CI/CD pipelines |
| Hardcoded secrets detection | Pre-commit checks |
| Python-specific security | Python projects |
| JavaScript security | JS/TS projects |
| Java security rules | Java projects |
| Go security rules | Go projects |
2. Bandit Python Security Analysis
# Basic scan with JSON output bandit -r ./src -f json -o bandit-results.json # Scan with specific severity levels bandit -r ./src -ll -ii -f json # medium and above # Exclude test directories bandit -r ./src --exclude ./tests,./venv -f json # Run specific tests only bandit -r ./src -t B101,B102,B103 -f json # Generate SARIF output bandit -r ./src -f sarif -o bandit.sarif # Show only high severity bandit -r ./src -lll -f json
Bandit Test Categories
| Test ID | Name | Severity |
|---|---|---|
| B101 | assert_used | Low |
| B102 | exec_used | Medium |
| B103 | set_bad_file_permissions | Medium |
| B104 | hardcoded_bind_all_interfaces | Medium |
| B105-B107 | hardcoded_passwords | Low |
| B108 | hardcoded_tmp_directory | Medium |
| B110 | try_except_pass | Low |
| B201 | flask_debug_true | High |
| B301-B303 | pickle/marshal | Medium |
| B501-B508 | SSL/TLS issues | High |
| B601-B602 | shell_injection | High |
| B608 | sql_injection | Medium |
3. ESLint Security Scanning
# Install security plugins npm install --save-dev eslint-plugin-security eslint-plugin-no-secrets # Run ESLint with security rules eslint --config .eslintrc.security.js --format json -o eslint-results.json src/ # Run with SARIF formatter npx eslint --config .eslintrc.security.js --format @microsoft/eslint-formatter-sarif -o eslint.sarif src/
ESLint Security Configuration
// .eslintrc.security.js module.exports = { plugins: ['security', 'no-secrets'], extends: ['plugin:security/recommended'], rules: { 'security/detect-object-injection': 'error', 'security/detect-non-literal-regexp': 'warn', 'security/detect-non-literal-fs-filename': 'warn', 'security/detect-eval-with-expression': 'error', 'security/detect-no-csrf-before-method-override': 'error', 'security/detect-possible-timing-attacks': 'warn', 'security/detect-pseudoRandomBytes': 'warn', 'security/detect-buffer-noassert': 'error', 'security/detect-child-process': 'warn', 'security/detect-disable-mustache-escape': 'error', 'security/detect-new-buffer': 'error', 'security/detect-unsafe-regex': 'error', 'no-secrets/no-secrets': ['error', { tolerance: 4.5 }] } };
4. CodeQL Analysis
# Create CodeQL database codeql database create codeql-db --language=javascript --source-root=. # Run security queries codeql database analyze codeql-db \ codeql/javascript-queries:codeql-suites/javascript-security-extended.qls \ --format=sarif-latest \ --output=codeql-results.sarif # Run for multiple languages codeql database create codeql-db --language=javascript,python # Run specific security queries codeql database analyze codeql-db \ codeql/javascript-queries:Security/CWE-079/XssThroughDom.ql \ --format=json
CodeQL Security Query Suites
| Suite | Coverage |
|---|---|
| Extended JS security |
| Extended Python security |
| Extended Java security |
| Extended C# security |
| Extended Go security |
5. Multi-Tool Aggregation
Combine and deduplicate results from multiple SAST tools:
# Run all tools and aggregate semgrep scan --config auto --sarif -o semgrep.sarif bandit -r ./src -f sarif -o bandit.sarif eslint --format @microsoft/eslint-formatter-sarif -o eslint.sarif src/ # Parse and aggregate SARIF files node aggregate-sarif.js semgrep.sarif bandit.sarif eslint.sarif > combined.json
Result Normalization Schema
{ "findings": [ { "id": "finding-001", "tool": "semgrep", "rule_id": "python.lang.security.audit.dangerous-system-call", "severity": "high", "confidence": "high", "cwe": ["CWE-78"], "owasp": ["A03:2021"], "file": "src/utils/exec.py", "line": 42, "column": 5, "snippet": "os.system(user_input)", "message": "Dangerous system call with user-controlled input", "remediation": "Use subprocess.run with shell=False and explicit arguments", "references": [ "https://cwe.mitre.org/data/definitions/78.html" ], "duplicates": ["bandit-B602"], "status": "open" } ], "summary": { "total": 45, "critical": 2, "high": 8, "medium": 15, "low": 20, "deduplicated": 12 } }
6. Custom Semgrep Rule Creation
# custom-rules/sql-injection.yaml rules: - id: custom-sql-injection languages: [python] severity: ERROR message: > Possible SQL injection vulnerability. User input '$INPUT' is concatenated into SQL query. patterns: - pattern-either: - pattern: | $QUERY = "..." + $INPUT + "..." $CURSOR.execute($QUERY) - pattern: | $CURSOR.execute("..." + $INPUT + "...") - pattern: | $CURSOR.execute(f"...{$INPUT}...") metadata: cwe: "CWE-89" owasp: "A03:2021 - Injection" confidence: HIGH impact: HIGH category: security
MCP Server Integration
This skill can leverage the following MCP servers:
| Server | Description | Installation |
|---|---|---|
| sast-mcp | 23+ security tools integration | GitHub |
| Semgrep MCP | Official Semgrep integration | GitHub |
| SecOpsAgentKit | Multi-tool SAST orchestration | GitHub |
sast-mcp Features
- Multi-language support (Python, JavaScript, Go, Java, etc.)
- Integration with 23+ security tools
- SARIF and JSON output formats
- Automatic language detection
- CI/CD pipeline integration
Best Practices
Scanning Strategy
- Incremental scanning - Scan only changed files in CI
- Full scans periodically - Weekly comprehensive scans
- Pre-commit hooks - Catch issues before commit
- Multiple tools - Different tools catch different issues
Triage and Prioritization
- Severity + Exploitability - High severity + easily exploitable = critical
- Business context - Consider asset criticality
- False positive rate - Track and tune rules
- Fix difficulty - Quick wins vs. architectural changes
CI/CD Integration
# GitHub Actions example name: SAST Scan on: [push, pull_request] jobs: sast: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Semgrep Scan uses: returntocorp/semgrep-action@v1 with: config: p/owasp-top-ten - name: Upload SARIF uses: github/codeql-action/upload-sarif@v2 with: sarif_file: semgrep.sarif
Process Integration
This skill integrates with the following processes:
- CI/CD SAST integrationsast-pipeline.js
- Security in development lifecyclesecure-sdlc.js
- DevSecOps automationdevsecops-pipeline.js
- Security-focused code reviewsecurity-code-review.js
Output Format
When executing operations, provide structured output:
{ "operation": "sast-scan", "status": "completed", "tools_executed": ["semgrep", "bandit", "eslint"], "scan_duration_seconds": 45, "summary": { "total_findings": 32, "by_severity": { "critical": 1, "high": 5, "medium": 12, "low": 14 }, "by_tool": { "semgrep": 18, "bandit": 8, "eslint": 6 }, "deduplicated_count": 5 }, "top_issues": [ { "rule": "sql-injection", "count": 3, "severity": "critical", "files": ["src/db/queries.py", "src/api/users.py"] } ], "artifacts": ["semgrep.sarif", "bandit.json", "eslint.json", "combined-report.json"] }
Error Handling
Common Issues
| Error | Cause | Resolution |
|---|---|---|
| Invalid rule pack name | Verify rule pack exists |
| Syntax error in source | Check file encoding/syntax |
| Large codebase | Increase timeout or scan incrementally |
| Too many files | Exclude generated/vendor files |
Constraints
- Respect rate limits on cloud-based scanning services
- Exclude generated code, vendor directories, and test fixtures
- Handle large codebases with incremental scanning
- Document all custom rules and their rationale
- Track false positive rates and tune rules accordingly