All skills
Skillintermediate

SAST Tools

```bash # Dependency vulnerabilities npm audit npm audit --json > npm-audit.json

Claude Code Knowledge Pack7/10/2026

Overview

SAST Tools

JavaScript/TypeScript

# Dependency vulnerabilities
npm audit
npm audit --json > npm-audit.json

# ESLint security plugin
npm install eslint-plugin-security --save-dev
npx eslint --ext .js,.ts . --plugin security

# Snyk
npx snyk test
npx snyk code test

Python

# Bandit - Python SAST
pip install bandit
bandit -r . -f json -o bandit-report.json
bandit -r . -ll  # Only high severity

# Safety - Dependency check
pip install safety
safety check
safety check -r requirements.txt --json > safety-report.json

# Pyup Safety
pip install pyupio-safety
pyupio-safety check

Go

# GoSec - Go security checker
go install github.com/securego/gosec/v2/cmd/gosec@latest
gosec ./...
gosec -fmt=json -out=gosec-report.json ./...

# Go vulnerability database
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...

Multi-Language Tools

# Semgrep - Universal SAST
pip install semgrep
semgrep --config=auto .
semgrep --config=p/security-audit .
semgrep --config=p/owasp-top-ten .

# Trivy - Comprehensive scanner
brew install trivy
trivy fs .
trivy fs --security-checks vuln,secret,config .

# SonarQube (requires server)
sonar-scanner -Dsonar.projectKey=myproject

CI/CD Integration

GitHub Actions

- name: Run Semgrep
  uses: returntocorp/semgrep-action@v1
  with:
    config: p/security-audit

- name: Run npm audit
  run: npm audit --audit-level=high

- name: Run Trivy
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: 'fs'
    severity: 'CRITICAL,HIGH'

GitLab CI

security-scan:
  image: returntocorp/semgrep
  script:
    - semgrep --config=auto --json -o semgrep.json .
  artifacts:
    reports:
      sast: semgrep.json

Quick Reference

LanguagePrimary ToolDependency Check
JavaScriptESLint + securitynpm audit
TypeScriptESLint + securitynpm audit
PythonBanditSafety
GoGoSecgovulncheck
JavaSpotBugsOWASP Dependency-Check
RubyBrakemanbundler-audit
ToolStrengthsBest For
SemgrepMulti-language, custom rulesGeneral SAST
TrivyContainer + code + secretsComprehensive
BanditPython-specificPython projects
GoSecGo-specificGo projects
npm auditBuilt-in, fastNode.js deps