Awesome-omni-skill SAST Triage
Triage static analysis findings from gosec, golangci-lint, and govulncheck — classify severity, filter false positives, and prioritize remediation
install
source · Clone the upstream repo
git clone https://github.com/diegosouzapw/awesome-omni-skill
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/diegosouzapw/awesome-omni-skill "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/testing-security/sast-triage" ~/.claude/skills/diegosouzapw-awesome-omni-skill-sast-triage && rm -rf "$T"
manifest: skills/testing-security/sast-triage/SKILL.md
SAST Triage Skill
Systematically triage static application security testing (SAST) results to separate real vulnerabilities from false positives and prioritize remediation.
Trigger Conditions
- CI security scan produces findings
- A gosec, golangci-lint, or govulncheck run completes
- Dependency update introduces new vulnerabilities
- User invokes with "triage security findings" or "sast-triage"
Input Contract
- Required: SAST tool output (gosec JSON, golangci-lint output, govulncheck results)
- Optional: Previous triage results for delta comparison
Output Contract
- Classified findings: Critical/High/Medium/Low/FalsePositive
- CWE/CVE mapping for each finding
- Remediation priority with estimated effort
- False positive justifications
Tool Permissions
- Read: All Go source files, SAST output, go.mod, go.sum
- Write: Triage report
- Search: Grep for vulnerable patterns, dependency versions
- Shell: Run gosec, golangci-lint, govulncheck
Execution Steps
- Collect findings: Run the tools or parse their existing outputs (gosec JSON, golangci-lint output, govulncheck results)
- Deduplicate: Merge findings across tools that point to the same file, line, and weakness
- Filter false positives: Identify findings that are false positives due to context (e.g., test files, dead or disabled code, findings suppressed in source with a recorded justification)
- Map to CWE/CVE: Link each finding to its CWE identifier (SAST rules) or CVE/GO-ID (govulncheck)
- Report: Produce a triage report with a classification, justification, and remediation action for each finding
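The five steps above, carried through in one runnable program. This is an added example, not code from the skill or the awesome-omni-skill repo: it parses a constructed sample in the shape of gosec's JSON output, deduplicates by file, line and rule, marks findings in test files as false positives, buckets the rest by gosec's severity and confidence, and renders the report. The field names used for the gosec record (severity, confidence, cwe.id, rule_id, file, line, nosec) and the severity-to-class policy in Classify are assumptions chosen for illustration; the skill does not prescribe them.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample in the shape of `gosec -fmt=json` output (not real scan data).
// The fourth entry duplicates the first so that Dedupe has something to merge;
// the third sits in a _test.go file so that the context filter fires.
const sampleGosec = `{"Issues":[
 {"severity":"HIGH","confidence":"HIGH","cwe":{"id":"78"},"rule_id":"G204",
  "details":"Subprocess launched with variable","file":"cmd/run.go","line":"42","nosec":false},
 {"severity":"MEDIUM","confidence":"HIGH","cwe":{"id":"328"},"rule_id":"G401",
  "details":"Use of weak cryptographic primitive","file":"internal/hash.go","line":"10","nosec":false},
 {"severity":"HIGH","confidence":"LOW","cwe":{"id":"798"},"rule_id":"G101",
  "details":"Potential hardcoded credentials","file":"internal/auth_test.go","line":"7","nosec":false},
 {"severity":"HIGH","confidence":"HIGH","cwe":{"id":"78"},"rule_id":"G204",
  "details":"Subprocess launched with variable","file":"cmd/run.go","line":"42","nosec":false}
]}`

// gosecIssue declares only the fields triage needs; the names are an assumption
// modelled on gosec's Issue struct (gosec emits "line" as a string).
type gosecIssue struct {
	Severity   string `json:"severity"`
	Confidence string `json:"confidence"`
	CWE        struct{ ID string `json:"id"` } `json:"cwe"`
	RuleID     string `json:"rule_id"`
	Details    string `json:"details"`
	File       string `json:"file"`
	Line       string `json:"line"`
	NoSec      bool   `json:"nosec"`
}

// Finding is the tool-neutral record that deduplication and classification work on.
type Finding struct {
	Tool, RuleID, CWE, File, Line, Severity, Confidence, Details string
	NoSec                                                        bool
}

// Triaged adds the class from the skill's output contract plus a justification.
type Triaged struct {
	Finding
	Class  string // Critical, High, Medium, Low or FalsePositive
	Reason string
}

var classRank = map[string]int{"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "FalsePositive": 4}

// ParseGosec converts gosec JSON into Findings, attaching the CWE as "CWE-<id>" (step 1 and 4).
func ParseGosec(data []byte) ([]Finding, error) {
	var rep struct {
		Issues []gosecIssue `json:"Issues"`
	}
	if err := json.Unmarshal(data, &rep); err != nil {
		return nil, fmt.Errorf("parse gosec output: %w", err)
	}
	out := make([]Finding, 0, len(rep.Issues))
	for _, is := range rep.Issues {
		out = append(out, Finding{Tool: "gosec", RuleID: is.RuleID, CWE: "CWE-" + is.CWE.ID,
			File: is.File, Line: is.Line, Severity: is.Severity, Confidence: is.Confidence,
			Details: is.Details, NoSec: is.NoSec})
	}
	return out, nil
}

// Dedupe drops findings that point at the same file, line and rule (step 2).
func Dedupe(in []Finding) []Finding {
	seen := map[string]bool{}
	var out []Finding
	for _, f := range in {
		key := f.File + ":" + f.Line + ":" + f.RuleID
		if !seen[key] {
			seen[key] = true
			out = append(out, f)
		}
	}
	return out
}

func tri(f Finding, class, reason string) Triaged { return Triaged{Finding: f, Class: class, Reason: reason} }

// Classify applies an illustrative policy (step 3): context-based false positives first
// (test files, #nosec-suppressed code), then severity/confidence buckets.
func Classify(f Finding) Triaged {
	switch {
	case strings.HasSuffix(f.File, "_test.go"):
		return tri(f, "FalsePositive", "located in a test file; not shipped code")
	case f.NoSec:
		return tri(f, "FalsePositive", "suppressed with #nosec in source; confirm the recorded justification")
	case f.Severity == "HIGH" && f.Confidence == "HIGH":
		return tri(f, "Critical", "high severity with high confidence")
	case f.Severity == "HIGH":
		return tri(f, "High", "high severity, confidence "+f.Confidence+"; verify manually")
	case f.Severity == "MEDIUM":
		return tri(f, "Medium", "medium severity")
	}
	return tri(f, "Low", "low severity")
}

// TriageReport runs steps 1-4 over raw gosec JSON and returns findings ordered by priority.
func TriageReport(data []byte) ([]Triaged, error) {
	fs, err := ParseGosec(data)
	if err != nil {
		return nil, err
	}
	var ts []Triaged
	for _, f := range Dedupe(fs) {
		ts = append(ts, Classify(f))
	}
	sort.SliceStable(ts, func(i, j int) bool { return classRank[ts[i].Class] < classRank[ts[j].Class] })
	return ts, nil
}

// Render produces the triage report (step 5), one line per finding.
func Render(ts []Triaged) string {
	var b strings.Builder
	for _, t := range ts {
		fmt.Fprintf(&b, "[%s] %s %s %s:%s %s (%s)\n", t.Class, t.RuleID, t.CWE, t.File, t.Line, t.Details, t.Reason)
	}
	return b.String()
}

func main() {
	ts, err := TriageReport([]byte(sampleGosec))
	if err != nil {
		panic(err)
	}
	fmt.Print(Render(ts))
}
```

On the constructed sample this yields one Critical (G204, CWE-78), one Medium (G401) and one FalsePositive (G101 in a test file), with the duplicate G204 entry merged away. To run it on real output, replace sampleGosec with the contents of a file produced by `gosec -fmt=json -out=gosec.json ./...`; govulncheck results would need their own parser, since its JSON stream carries OSV entries and GO-IDs rather than CWEs.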