DEV.co
Open-Source Security · utkusen

sast-skills

sast-skills is a collection of AI agent skills that transform LLM coding assistants (Claude, Cursor, etc.) into automated vulnerability scanners. It detects 13 vulnerability classes without requiring external tools, outputting architecture maps and severity-ranked security reports.

Source: GitHub — github.com/utkusen/sast-skills
681
GitHub stars
31
Forks
Unknown
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryutkusen/sast-skills
Ownerutkusen
Primary languageUnknown
LicenseMIT — OSI-approved
Stars681
Forks31
Open issues1
Latest releaseUnknown
Last updated2026-04-08
Sourcehttps://github.com/utkusen/sast-skills

What sast-skills is

Provides 15 modular agent skills orchestrated via CLAUDE.md or AGENTS.md that perform three-phase assessment: codebase analysis, parallel vulnerability detection (SQL injection, XSS, RCE, SSRF, IDOR, XXE, SSTI, JWT, auth flaws, path traversal, file upload, GraphQL injection, business logic), and consolidated report generation. Designed for LLM-native execution without third-party SAST tools.

Quickstart

Get the sast-skills source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/utkusen/sast-skills.gitcd sast-skills# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

AI-Assisted Code Review in Development

Integrate into Claude Code or Cursor workflows to run ad-hoc vulnerability scans alongside daily development, catching common injection and authentication flaws before commit.

Rapid Security Assessment of Codebases

Quickly map threat model and identify high-severity vulnerabilities across new acquisitions, third-party integrations, or legacy modules without standing up traditional SAST infrastructure.

Educational / Proof-of-Concept Security Testing

Teach security engineers and developers about OWASP classes and LLM-based threat detection in controlled environments; generate remediation guidance for training.

Implementation considerations

  • Copy target codebase into sast-files/ folder before execution; remove conflicting CLAUDE.md or AGENTS.md files to prevent orchestration conflicts.
  • Best performance with Claude Opus; cost-conscious teams may use cheaper models but risk reduced detection accuracy for complex logic flaws and business logic vulnerabilities.
  • Output files (architecture.md, vulnerability results, final-report.md) are regenerated on re-run but skip previously completed steps; manual review of generated findings is required.
  • Parallel execution of 13 vulnerability skills depends on LLM/IDE rate limits and model concurrency; total scan time not published—validate against your codebase size.
  • No native exclusion patterns, false-positive tuning, or policy definitions documented; all findings require manual triage to assess severity and exploitability in context.

When to avoid it — and what to weigh

  • Compliance-Driven Audits Requiring Tool Certification — Regulatory frameworks (PCI-DSS, HIPAA, SOC 2) often mandate formally certified SAST tools with audit trails and vendor support; LLM-based detection may not satisfy compliance requirements.
  • Large Enterprise Production Pipelines — Lacks mature CI/CD integration, configurable policies, or documented SLA guarantees. Best suited for development-time scanning, not critical release gates.
  • Polyglot Codebases Requiring Precise Language-Specific Analysis — LLM-based detection can hallucinate or miss subtle type-system exploits; dedicated SAST tools (SonarQube, Checkmarx) offer stronger guarantees for specific language stacks.
  • Projects Without Reliable AI Model Access or Cost Constraints — Requires calls to Claude Opus or similar capable models; per-scan cost and API dependencies may exceed traditional SAST licenses for high-volume scanning.

License & commercial use

MIT License. Permissive OSI-approved open-source license permitting free use, modification, and redistribution with minimal restrictions (attribution required, no warranty).

MIT permits commercial use without royalty or vendor approval. However, use of dependent LLM APIs (Claude, OpenAI, etc.) is subject to those vendors' terms. Ensure your AI provider's ToS permits automated security scanning and integration into internal tools; some providers restrict bulk/automated use.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

LLM-based detection is probabilistic and can miss subtle exploits or generate false positives; not suitable as sole security control. Code is transmitted to LLM API (Claude, etc.)—ensure your data governance policy permits sending source code to third-party LLM providers. No formal security audit, threat model, or vulnerability disclosure policy documented. Requires human security expert review of generated findings before remediation.

Alternatives to consider

SonarQube / SonarCloud

Mature, rule-based SAST with strong language-specific support, compliance integrations, and CI/CD pipelines. Higher cost and setup overhead but proven for production security gates.

Checkmarx / Semgrep

Specialized static analysis with policy engines, exclusion patterns, and formal vendor support. Better suited to regulated environments and polyglot codebases.

GitHub Code Scanning (CodeQL)

Integrated into GitHub workflows, free for public repos, native to development pipelines. Limited to languages CodeQL supports; tightly coupled to GitHub ecosystem.

Software development agency

Build on sast-skills with DEV.co software developers

sast-skills integrates with Claude Code and Cursor to catch vulnerabilities in minutes. Perfect for development-time discovery and code review—complement, not replace, traditional SAST tools.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

sast-skills FAQ

Does sast-skills replace traditional SAST tools?
No. It is a development-time, LLM-assisted scanner best for early discovery and code review. For compliance, CI/CD gates, and production release validation, use certified SAST tools.
What happens to my source code when I run a scan?
Code in sast-files/ is transmitted to your chosen LLM API (Claude, OpenAI, etc.) for analysis. Review your LLM vendor's data retention and privacy policies before scanning proprietary code.
Can I use sast-skills in a CI/CD pipeline?
Not natively. The tool is designed for interactive IDE workflows. CI/CD integration would require custom scripting and LLM API orchestration; no documented examples or templates provided.
How accurate is LLM-based vulnerability detection?
Unknown. No published benchmarks, false-positive rates, or testing against standard vulnerability datasets (e.g., OWASP Top 10 test suites). Results require manual verification by security experts.

Software development & web development with DEV.co

DEV.co helps companies turn open-source tools like sast-skills into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Ready to add AI-driven security scanning to your dev workflow?

sast-skills integrates with Claude Code and Cursor to catch vulnerabilities in minutes. Perfect for development-time discovery and code review—complement, not replace, traditional SAST tools.