sast-skills by utkusen

AI-powered SAST scanner for codebases

Created 1 week ago

556 stars

Top 57.5% on SourcePulse

Project Summary

This project provides a collection of agent skills designed to turn AI coding assistants into comprehensive Static Application Security Testing (SAST) scanners. It targets developers and security professionals who want to integrate automated vulnerability detection directly into their AI-powered development workflows, without requiring any third-party SAST tool to identify security flaws in a codebase.

How It Works

The system orchestrates a three-step SAST assessment workflow using agent skills, driven primarily by CLAUDE.md or AGENTS.md files. First, a Codebase Analysis skill maps the project's technology stack, architecture, entry points, data flows, and trust boundaries, documenting its findings in sast/architecture.md. Next, 13 specialized vulnerability detection skills run in parallel as subagents. Each skill follows a two-phase approach: reconnaissance to identify candidate code sections, then verification to confirm whether each candidate is actually exploitable, which keeps unverified guesses out of the findings. Results are recorded per vulnerability class in sast/*-results.md. Finally, a sast-report skill consolidates all findings into a single sast/final-report.md, ranked by severity and including remediation guidance.

Quick Start & Requirements

  1. Installation: Copy the target project's source code into the sast-files/ directory and open sast-files/ as the workspace in your AI coding assistant. Remove any pre-existing CLAUDE.md or AGENTS.md files from the project root so they do not conflict with the skill files.
  2. Prerequisites: Requires an AI coding assistant that supports agent skills (e.g., Claude Code, Codex, Opencode, Cursor). Claude Code with the Opus model is recommended for optimal performance.
  3. Usage: In the AI assistant, prompt with "Run vulnerability scan" or "Find vulnerabilities in this codebase." The system orchestrates the workflow automatically and, on re-runs, skips steps whose output files already exist.
  4. Output: All results are written to the sast/ directory within the project root.

Highlighted Details

  • Detects a broad spectrum of vulnerabilities, including SQL Injection, XSS, RCE, SSRF, IDOR, XXE, SSTI, insecure JWT implementations, missing authentication, path traversal, insecure file uploads, and business logic flaws.
  • Operates natively within supported AI coding assistants, eliminating the need for external SAST tools or complex integrations.
  • The assessment workflow is fully automated, from initial code analysis and threat modeling to parallel vulnerability detection and consolidated report generation.

Maintenance & Community

Information regarding maintainers, community channels (like Discord/Slack), or project roadmaps is not detailed in the provided README.

Licensing & Compatibility

The license type and any compatibility notes for commercial use or closed-source linking are not specified in the provided README.

Limitations & Caveats

Effectiveness and accuracy depend on the capabilities of the chosen AI model and coding assistant. The README recommends a specific configuration (Claude Code with Opus) for best results, so other configurations may perform differently. As with any LLM-driven analysis, results are not deterministic, and the user must manually manage the project directory within the sast-files/ structure.

Health Check

  • Last Commit: 3 days ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 0
  • Issues (30d): 0
  • Star History: 556 stars in the last 12 days
