sast-skills
sast-skills is a collection of AI agent skills that transform LLM coding assistants (Claude, Cursor, etc.) into automated vulnerability scanners. It detects 13 vulnerability classes without requiring external tools, outputting architecture maps and severity-ranked security reports.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | utkusen/sast-skills |
| Owner | utkusen |
| Primary language | Unknown |
| License | MIT — OSI-approved |
| Stars | 681 |
| Forks | 31 |
| Open issues | 1 |
| Latest release | Unknown |
| Last updated | 2026-04-08 |
| Source | https://github.com/utkusen/sast-skills |
What sast-skills is
Provides 15 modular agent skills orchestrated via CLAUDE.md or AGENTS.md that perform three-phase assessment: codebase analysis, parallel vulnerability detection (SQL injection, XSS, RCE, SSRF, IDOR, XXE, SSTI, JWT, auth flaws, path traversal, file upload, GraphQL injection, business logic), and consolidated report generation. Designed for LLM-native execution without third-party SAST tools.
Get the sast-skills source
Clone the repository and explore it locally.
git clone https://github.com/utkusen/sast-skills.gitcd sast-skills# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Copy target codebase into sast-files/ folder before execution; remove conflicting CLAUDE.md or AGENTS.md files to prevent orchestration conflicts.
- Best performance with Claude Opus; cost-conscious teams may use cheaper models but risk reduced detection accuracy for complex logic flaws and business logic vulnerabilities.
- Output files (architecture.md, vulnerability results, final-report.md) are regenerated on re-run but skip previously completed steps; manual review of generated findings is required.
- Parallel execution of 13 vulnerability skills depends on LLM/IDE rate limits and model concurrency; total scan time not published—validate against your codebase size.
- No native exclusion patterns, false-positive tuning, or policy definitions documented; all findings require manual triage to assess severity and exploitability in context.
When to avoid it — and what to weigh
- Compliance-Driven Audits Requiring Tool Certification — Regulatory frameworks (PCI-DSS, HIPAA, SOC 2) often mandate formally certified SAST tools with audit trails and vendor support; LLM-based detection may not satisfy compliance requirements.
- Large Enterprise Production Pipelines — Lacks mature CI/CD integration, configurable policies, or documented SLA guarantees. Best suited for development-time scanning, not critical release gates.
- Polyglot Codebases Requiring Precise Language-Specific Analysis — LLM-based detection can hallucinate or miss subtle type-system exploits; dedicated SAST tools (SonarQube, Checkmarx) offer stronger guarantees for specific language stacks.
- Projects Without Reliable AI Model Access or Cost Constraints — Requires calls to Claude Opus or similar capable models; per-scan cost and API dependencies may exceed traditional SAST licenses for high-volume scanning.
License & commercial use
MIT License. Permissive OSI-approved open-source license permitting free use, modification, and redistribution with minimal restrictions (attribution required, no warranty).
MIT permits commercial use without royalty or vendor approval. However, use of dependent LLM APIs (Claude, OpenAI, etc.) is subject to those vendors' terms. Ensure your AI provider's ToS permits automated security scanning and integration into internal tools; some providers restrict bulk/automated use.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
LLM-based detection is probabilistic and can miss subtle exploits or generate false positives; not suitable as sole security control. Code is transmitted to LLM API (Claude, etc.)—ensure your data governance policy permits sending source code to third-party LLM providers. No formal security audit, threat model, or vulnerability disclosure policy documented. Requires human security expert review of generated findings before remediation.
Alternatives to consider
SonarQube / SonarCloud
Mature, rule-based SAST with strong language-specific support, compliance integrations, and CI/CD pipelines. Higher cost and setup overhead but proven for production security gates.
Checkmarx / Semgrep
Specialized static analysis with policy engines, exclusion patterns, and formal vendor support. Better suited to regulated environments and polyglot codebases.
GitHub Code Scanning (CodeQL)
Integrated into GitHub workflows, free for public repos, native to development pipelines. Limited to languages CodeQL supports; tightly coupled to GitHub ecosystem.
Build on sast-skills with DEV.co software developers
sast-skills integrates with Claude Code and Cursor to catch vulnerabilities in minutes. Perfect for development-time discovery and code review—complement, not replace, traditional SAST tools.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
sast-skills FAQ
Does sast-skills replace traditional SAST tools?
What happens to my source code when I run a scan?
Can I use sast-skills in a CI/CD pipeline?
How accurate is LLM-based vulnerability detection?
Software development & web development with DEV.co
DEV.co helps companies turn open-source tools like sast-skills into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.
Ready to add AI-driven security scanning to your dev workflow?
sast-skills integrates with Claude Code and Cursor to catch vulnerabilities in minutes. Perfect for development-time discovery and code review—complement, not replace, traditional SAST tools.