---
title: SAST Configuration
category: product
entity_type: skill
price: $15
canonical: https://forgehouse.ai/skills/sast-configuration/
lang: en
hreflang_alt: https://forgehouse.ai/tr/skiller/sast-configuration/
last_updated: 2026-06-20
---

# SAST Configuration

> Configure Static Application Security Testing (SAST) tools for automated vulnerability…

A complete blueprint for setting up Static Application Security Testing across multiple languages using a three-tool defense-in-depth stack (Semgrep, SonarQube, CodeQL). It shifts vulnerability detection left into the IDE, pre-commit, and CI layers so bugs are caught before they ship, while keeping false-positive noise under control so developers actually trust the alerts.

## Use cases
- Standing up SAST scanning in a CI/CD pipeline
- Writing custom pattern-matching security rules
- Cutting false-positive rate below 10% with baselines and tuning
- Configuring merge-blocking quality gates for critical findings
- Adding pre-commit and IDE scanning for shift-left coverage
- Combining multiple scan engines for defense in depth

## Benefits
- Catch injection, hardcoded secrets, and path traversal before merge instead of in production
- Reduce alert fatigue with baseline commits and expiring suppressions so real issues surface
- Block insecure code at the gate with fail-secure CI policies that can't be silently bypassed
- Prioritize the 20% of rules (OWASP Top 10, CWE Top 25) that catch 80% of real risk

## What’s included
- Production-ready Semgrep config plus custom rule examples and tuning patterns
- Three-tool engine comparison (pattern-matching, quality gate, taint analysis)
- Baseline-commit workflow that shows only new findings, not the whole backlog
- GitHub Actions, GitLab CI, and pre-commit hook integration snippets
- Compliance scan presets (PCI-DSS) and SARIF output handling
- Anti-pattern and edge-case guide (monorepos, generated code, vendor deps)

## Who it’s for
Engineering and DevSecOps teams who want automated, low-noise vulnerability scanning wired into every stage of development without drowning developers in false positives.

## How it runs
Show developers 502 warnings and they will ignore all of them. Static security scanning gets wired with a pinned baseline, ruthless noise control, and four enforcement layers that only surface what is new.
1. Inventory the languages and compliance requirements, then assemble the three-tool stack on purpose: Semgrep for fast custom pattern rules, SonarQube for quality gates and technical debt, CodeQL for the taint tracking that pattern matching misses.
2. Run a baseline scan and pin it with a baseline commit so developers only ever see NEW findings; 500 legacy warnings plus 2 new ones means all 502 get ignored, and the baseline prevents exactly that.
3. Cut the noise deliberately: tests, fixtures and generated code go into .semgrepignore, only 15 to 20 percent of rules are active (OWASP Top 10 and CWE Top 25 first), and the false positive target is under 10 percent.
4. Wire four enforcement layers: an IDE plugin while typing, a pre-commit hook locally, a PR check that blocks merges on P0 findings (SQL injection, command injection, hardcoded secrets, path traversal), and a weekly CodeQL deep scan.
5. Enforce fail-secure policy: a failed or timed-out scan turns the build RED, continue-on-error is banned, and every suppression carries an expiry date after which the finding resurfaces.
6. Ship SARIF output to the code scanning tab and CI artifacts, and review the suppression backlog on schedule so accepted risk stays a decision, not a habit.
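One way to enforce the expiring-suppression rule from step 5, as an added example that is not part of this skill's own configuration or of Semgrep itself. It assumes a team convention (not a Semgrep feature) of appending `-- expires YYYY-MM-DD` to every `nosemgrep` comment, and runs over constructed sample lines with illustrative rule ids:

```python
"""Expiring-suppression check: an undated or expired nosemgrep comment fails the build."""
import re
from datetime import date

# Assumed convention, not Semgrep's own syntax:
#   code  # nosemgrep: <rule-id> -- expires 2026-07-01
SUPPRESSION = re.compile(r"nosemgrep(?::\s*(?P<rules>[^\s]+))?")
EXPIRY = re.compile(r"expires[:=\s]+(?P<d>\d{4}-\d{2}-\d{2})")


def check_suppressions(lines, today_iso):
    """Classify each suppression as expired, missing an expiry, or still active.

    Returns a dict of lists keyed by 'expired', 'missing' and 'active';
    entries carry the 1-based line number and the suppressed rule id(s).
    """
    today = date.fromisoformat(today_iso)
    report = {"expired": [], "missing": [], "active": []}
    for n, line in enumerate(lines, start=1):
        m = SUPPRESSION.search(line)
        if not m:
            continue
        rules = m.group("rules") or "*"  # bare `nosemgrep` silences every rule on the line
        e = EXPIRY.search(line)
        if not e:
            report["missing"].append((n, rules))
            continue
        expires = date.fromisoformat(e.group("d"))
        bucket = "expired" if expires < today else "active"
        report[bucket].append((n, rules, expires.isoformat()))
    return report


def gate(report):
    """Fail-secure: any expired or undated suppression turns the check red."""
    return not (report["expired"] or report["missing"])


SAMPLE = [  # constructed sample source; rule ids are illustrative placeholders
    'cur.execute("SELECT * FROM t WHERE id = %s" % uid)  # nosemgrep: example.sqli -- expires 2026-03-01',
    'subprocess.run(cmd, shell=True)  # nosemgrep: example.shell-true -- expires 2026-12-31',
    'open(user_path).read()  # nosemgrep',
    'x = 1',
]

if __name__ == "__main__":
    rep = check_suppressions(SAMPLE, "2026-06-20")
    for n, rules, exp in rep["expired"]:
        print(f"line {n}: suppression of {rules} expired {exp}, finding resurfaces")
    for n, rules in rep["missing"]:
        print(f"line {n}: suppression of {rules} has no expiry date")
    raise SystemExit(0 if gate(rep) else 1)
```

Run it as a pre-commit or CI step over the changed files; a non-zero exit is the fail-secure signal the PR check needs.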

## FAQ
### Do I have to run all three tools, or can I start with just one?
You don't need the full stack on day one. The layers are independent, so you can adopt only the Semgrep config with the baseline workflow and add SonarQube or CodeQL later. The three-tool setup exists for defense in depth, not as an entry requirement.

### Semgrep, SonarQube and CodeQL all ship their own rulesets, so what does this configuration layer add on top of them?
The value is the tuning discipline around the engines: baseline commits that surface only new findings, expiring suppressions, and prioritizing the OWASP Top 10 and CWE Top 25 rules that catch most real risk. Defaults alone tend to bury teams in false-positive noise until nobody reads the alerts.

### Will it find business-logic flaws or runtime-only vulnerabilities?
No. SAST is static pattern matching and taint analysis: it catches injection, hardcoded secrets, and path traversal before merge. Authorization design mistakes and logic flaws need threat modeling, code review, or DAST on top.

## Price
$15, one-time, no subscription. VAT included.

Related guide: [AI for application security](https://forgehouse.ai/guides/ai-application-security/)
