Stop Paying for SAST Tools! Turn Your AI Coder Into a Security Scanner
Stop Paying for SAST Tools! Turn Your AI Coder Into a Security Scanner
What if your $20/month AI coding assistant could replace your $20,000/year SAST platform?
Here's a dirty secret the cybersecurity industry doesn't want you to know: most Static Application Security Testing (SAST) tools are glorified pattern matchers wrapped in enterprise pricing. They drown you in false positives, require endless tuning, and charge per-line-of-code fees that would make a telecom executive blush. Meanwhile, your Claude Code subscription sits there, already reading your entire codebase, already understanding context better than any regex engine ever could.
The gap between "what AI assistants can do" and "what security vendors sell" has become a chasm. Developers have been begging for this bridge. Security teams have been praying for democratized scanning. And now, someone finally built it.
Enter sast-skills — a collection of agent skills that transforms your LLM coding assistant into a fully functional, zero-cost SAST scanner. No API keys to manage. No agents to deploy. No per-seat licensing nightmares. Just copy, paste, and watch your AI find vulnerabilities that traditional tools miss entirely. This isn't a prototype. It's a production-ready reconnaissance and detection framework that runs 13 specialized vulnerability detection skills in parallel, orchestrated entirely through natural language prompts embedded in markdown files.
If you're still running SonarQube with 400 false positives per sprint, you're about to feel very foolish. And very relieved.
What is sast-skills?
sast-skills is an open-source toolkit created by Utku Sen, a security researcher who clearly got tired of watching developers choose between "secure code" and "staying on budget." Released on GitHub as utkusen/sast-skills, this repository contains a collection of agent skills designed to turn any LLM coding assistant — Claude Code, Codex, Opencode, Cursor, or anything supporting agent skills — into a comprehensive SAST scanner.
The genius lies in its architectural simplicity. Rather than building yet another standalone scanner, sast-skills hijacks the context window and reasoning capabilities of modern LLMs to perform structured security analysis. It leverages the fact that today's coding assistants already ingest entire codebases, understand data flow, and can reason about exploitability. Why not channel that power into systematic vulnerability detection?
The project is trending precisely because it solves three simultaneous pain points:
- Cost elimination: Zero licensing fees, zero per-scan charges, zero infrastructure costs
- Contextual accuracy: LLMs understand semantic vulnerability patterns, not just syntactic ones — dramatically reducing false positives
- Developer experience: Security scanning happens in the same interface where developers already work
The toolkit is specifically optimized for Claude Code with the Opus model, though the author notes you can use "any IDE and model you trust" if cost is a concern. This flexibility matters — it means a solo developer on Cursor's free tier and an enterprise team on Claude Code Pro get identical security capabilities.
Key Features That Make sast-skills Insane
Native IDE Integration — No Context Switching
Unlike traditional SAST tools that demand CI/CD pipeline configuration, webhook setup, and dashboard logins, sast-skills lives where developers already work. The entire orchestration happens through CLAUDE.md (Claude Code) or AGENTS.md (Opencode and other IDEs). These aren't configuration files in the traditional sense — they're prompt engineering masterpieces that turn the AI assistant itself into a security orchestrator.
Three-Phase Assessment Workflow
The toolkit implements a rigorous methodology that rivals commercial scanners:
-
Codebase Analysis: The
sast-analysisskill performs comprehensive reconnaissance — mapping technology stacks, architecture patterns, entry points, data flows, and trust boundaries. This isn't surface-level; it writes detailed findings tosast/architecture.md, creating a foundation that prevents false positives later. -
Parallel Vulnerability Detection: All 13 detection skills execute simultaneously as subagents. Each follows a two-phase verification approach: first reconnaissance/discovery to identify candidate vulnerable sections, then rigorous verification to confirm actual exploitability. This dual-phase design is what separates signal from noise.
-
Consolidated Reporting: The
sast-reportskill synthesizes everything intosast/final-report.md, ranked by severity with full remediation guidance and dynamic test instructions.
13 Specialized Detection Skills
The breadth is remarkable — from injection flaws (SQLi, GraphQL, XSS, RCE, SSTI) to architectural weaknesses (SSRF, IDOR, XXE, path traversal) to logic-layer attacks (JWT weaknesses, missing authentication, business logic flaws) and even file upload vulnerabilities. The sast-analysis skill itself functions as threat modeling automation.
Incremental Re-runs Without Duplication
The workflow is idempotent by design. If sast/architecture.md already exists, the analysis step skips. If individual vulnerability result files exist, those skills skip. This means you can fix vulnerabilities and re-run seamlessly — a workflow that most commercial tools still struggle with.
Use Cases: Where sast-skills Absolutely Dominates
1. Startup Security on a Shoestring
Pre-Series A companies face an impossible choice: ship fast or ship secure. Commercial SAST tools cost $10K-50K annually — budget that could hire another engineer. sast-skills gives these teams enterprise-grade scanning for the cost of their existing AI assistant subscription. A three-person team can now find SQL injection in their Django app before the penetration tester does.
2. Legacy Codebase Triage
Inheriting a 200K-line PHP monolith from 2016? Traditional scanners will generate 3,000 "potential" issues you'll never prioritize. sast-skills's architecture-first approach means the AI understands which code paths are actually reachable, which inputs are actually attacker-controllable, and which "vulnerabilities" are buried in dead code. The two-phase verification eliminates the noise that makes legacy audits impossible.
3. CI/CD Pre-commit Gate
While designed for interactive use, sophisticated teams can automate sast-skills in pre-commit hooks or nightly builds. The markdown output format is machine-parseable — parse sast/final-report.md, fail builds on HIGH/CRITICAL findings, and create tickets automatically. You're getting custom SAST-as-code without vendor lock-in.
4. Security Research and Bug Bounty Prep
Bug bounty hunters and security consultants can use sast-skills for rapid target assessment. Drop a client's open-source dependencies into sast-files/, run the scan, and identify the most promising vulnerability classes before manual review even begins. The sast-businesslogic skill alone — detecting price manipulation, workflow bypass, and race conditions — covers attack vectors that automated scanners consistently miss.
5. Developer Education and Secure Code Training
The generated reports don't just say "SQL injection found" — they explain why the pattern is vulnerable, how to exploit it, and what secure code looks like. Junior developers reviewing sast/sqli-results.md receive contextualized security education tied to their actual codebase, not abstract examples.
Step-by-Step Installation & Setup Guide
Getting started with sast-skills is almost embarrassingly simple. The entire "installation" is file placement and workspace configuration.
Prerequisites
- An AI coding assistant with agent skills support (Claude Code recommended, Opus model optimal)
- Your target project source code
- Git (to clone the repository)
Step 1: Clone the sast-skills Repository
git clone https://github.com/utkusen/sast-skills.git
cd sast-skills
This gives you the orchestration files and all 13 detection skills.
Step 2: Copy Your Target Project
The toolkit expects your code in a specific directory structure:
cp -r /path/to/your/project sast-files/
Critical warning: If your project already contains a CLAUDE.md or AGENTS.md file, you must remove it before proceeding. The orchestration file from sast-skills conflicts with existing files of the same name, and your scan will fail or behave unpredictably.
# Check for conflicting files
ls sast-files/CLAUDE.md sast-files/AGENTS.md 2>/dev/null && echo "WARNING: Remove existing orchestration files first"
Step 3: Open as Workspace
Open the sast-files directory as your workspace in your AI coding assistant:
- Claude Code:
cd sast-files && claude - Cursor: File → Open Folder → select
sast-files/ - Opencode: Open
sast-files/in your Opencode IDE
The assistant automatically detects and loads the CLAUDE.md or AGENTS.md orchestration file.
Step 4: Initiate the Security Scan
With your workspace open, simply ask:
Run vulnerability scan
Or alternatively:
Find vulnerabilities in this codebase
That's it. No flags, no configuration files, no API key management. The orchestration file takes over and manages the entire three-phase workflow automatically.
Step 5: Review Results
All output materializes in a sast/ folder within your project:
| File | Purpose |
|---|---|
sast/architecture.md |
Complete technology and threat model analysis |
sast/*-results.md |
Individual vulnerability findings with proof-of-concept and remediation |
sast/final-report.md |
Executive summary ranked by severity with dynamic test instructions |
REAL Code Examples: Inside the sast-skills Engine
Let's examine the actual mechanics that make this toolkit work. These patterns from the repository demonstrate both the simplicity of deployment and the sophistication of the approach.
Example 1: Project Setup Command
The entire installation is a single copy operation:
# Copy your target project into the designated scan directory
cp -r /path/to/your/project sast-files/
Why this matters: sast-skills uses directory convention over configuration. By placing code in sast-files/, you create an isolated workspace where the AI assistant's context window focuses entirely on your target. This prevents the orchestration prompts from interfering with your actual development workflow — the scan runs in a sandboxed view of your code.
Example 2: Conflict Prevention Check
The README explicitly warns about file conflicts:
> **Note:** If your project already contains a `CLAUDE.md` or `AGENTS.md` file,
> remove it before running the assessment — otherwise it will conflict with the
> orchestration file provided by this toolkit.
Deep dive: This reveals the prompt injection architecture at sast-skills's core. The CLAUDE.md and AGENTS.md files aren't passive documentation — they're active instruction sets that redefine the AI assistant's behavior for that workspace. When Claude Code sees CLAUDE.md, it treats those instructions as system-level directives. If your project already uses this file for other purposes, you get conflicting directives and unpredictable behavior. This is why the toolkit requires a clean workspace — it's essentially performing behavioral hijacking of your AI assistant, redirecting it from "help me code" to "find security flaws systematically."
Example 3: Natural Language Trigger
The usage interface is pure natural language:
After copying the files, open your project in your AI coding assistant and ask:
> Run vulnerability scan
or
> Find vulnerabilities in this codebase
Technical explanation: This is where sast-skills demonstrates prompt engineering at scale. The orchestration file (CLAUDE.md/AGENTS.md) contains embedded triggers that recognize these specific intent phrases. When the AI assistant processes your request, it:
- Matches your query against the orchestration instructions
- Initiates the
sast-analysisphase automatically - Spawns parallel subagents for each detection skill
- Manages file I/O to the
sast/output directory - Coordinates the final report generation
The "natural language" interface masks an incredibly sophisticated state machine implemented entirely through prompt context. No REST APIs, no WebSocket connections, no background daemons — just intelligent prompt design turning a conversational interface into a security automation platform.
Example 4: Output Structure Convention
The results follow a predictable schema:
| File | Description |
|---|---|
| `sast/architecture.md` | Technology stack, architecture, entry points, data flows |
| `sast/*-results.md` | Per-vulnerability-class findings with proof and remediation |
| `sast/final-report.md` | Consolidated report ranked by severity |
Implementation insight: This convention enables programmatic consumption of results. The * wildcard in sast/*-results.md expands to sast/sqli-results.md, sast/xss-results.md, etc. — one per detection skill. Security-conscious teams can write simple scripts to:
# Count critical findings across all result files
grep -r "CRITICAL" sast/*-results.md | wc -l
# Extract all proof-of-concept code blocks for validation
awk '/```/{flag=!flag; next} flag' sast/final-report.md > pocs.txt
The markdown format is a deliberate choice — human-readable for developers, parseable for automation, and diff-friendly for version control tracking of security posture over time.
Advanced Usage & Best Practices
Optimize with Model Selection
The author recommends Claude Code with Opus for maximum accuracy. If cost-constrained, prioritize the sast-analysis and sast-businesslogic skills with cheaper models — these benefit most from reasoning capabilities. Injection detection (SQLi, XSS, RCE) pattern matches reasonably well with smaller models.
Custom Skill Development
The modular architecture invites extension. Study the existing skill patterns in the repository, then create sast-yourcustom-results.md templates for organization-specific threats — API key leakage, hardcoded credentials, or compliance violations (GDPR data handling, SOC2 controls).
Baseline and Diff Scanning
For CI/CD integration, commit baseline sast/ outputs to a security-baseline branch. Subsequent scans generate diffs against this baseline, surfacing only newly introduced vulnerabilities — eliminating noise from accepted risks.
Parallel Execution Optimization
While skills run in parallel by default, massive codebases may hit context window limits. If you encounter truncation, sequentially execute high-priority skills:
# Manual sequential execution for large codebases
# Run sast-analysis first, then individual skills on demand
Comparison with Alternatives
| Capability | sast-skills | SonarQube | Semgrep | CodeQL | GitHub Copilot Security |
|---|---|---|---|---|---|
| Cost | Free (AI sub required) | $$$$ Enterprise | $$ Team plans | $$$$ Enterprise | $$$ Copilot Business |
| Setup Time | 2 minutes | Hours-Days | 30 minutes | Hours | Minutes |
| False Positive Rate | Low (LLM reasoning) | High (rule-based) | Medium | Low | Medium |
| Business Logic Detection | ✅ Native | ❌ No | ❌ No | ❌ No | ❌ No |
| Custom Rules | Prompt engineering | Java plugins | YAML patterns | QL language | Limited |
| CI/CD Integration | Manual/scripted | Native | Native | Native | Native |
| Exploitability Verification | ✅ Two-phase | ❌ Pattern match | ❌ Pattern match | ✅ Taint analysis | ❌ Limited |
| Architecture Understanding | ✅ Deep context | ❌ None | ❌ None | ⚠️ Limited | ❌ None |
The verdict: sast-skills wins on cost, flexibility, and detection depth for teams already using AI assistants. Traditional tools win on enterprise governance, audit trails, and native CI/CD. The smartest teams will use sast-skills for developer-driven discovery and commercial tools for compliance reporting.
FAQ
Does sast-skills require sending my code to external APIs?
No third-party SAST services are involved. Your code stays in your sast-files/ directory, processed only by your chosen AI assistant's existing infrastructure. For Claude Code with local projects, analysis happens locally through the Claude Desktop application.
Can I use sast-skills with GPT-4 or Gemini?
The toolkit is designed for any assistant supporting agent skills. While optimized for Claude Code, the AGENTS.md format works with Opencode and similar platforms. GPT-4 through Cursor or custom integrations may require prompt adaptation.
How accurate are the vulnerability findings?
The two-phase verification (discovery + confirmation) significantly reduces false positives versus pure pattern matching. However, LLM-based analysis can hallucinate. Always validate findings manually, especially for CRITICAL severity reports.
Is this suitable for compliance audits (SOC2, PCI-DSS)?
sast-skills provides technical findings but lacks the audit trail, access controls, and formal reporting required for compliance evidence. Use it for pre-audit hardening and developer security workflows, not regulatory submission.
What codebase sizes work best?
The toolkit handles moderate codebases (10K-100K lines) optimally. Very large monorepos may require sequential skill execution or chunking. The architecture analysis phase helps identify the most critical subsystems to prioritize.
Can I contribute new detection skills?
Absolutely! The repository welcomes community contributions. Follow the existing skill patterns — reconnaissance prompt, verification prompt, and output template — and submit pull requests to utkusen/sast-skills.
How does this compare to AI-powered security tools like Snyk DeepCode AI?
Snyk and similar tools use AI for result prioritization but still rely on traditional analysis engines. sast-skills embeds the analysis in the AI itself, enabling reasoning about exploitability that rule engines cannot match — at zero incremental cost.
Conclusion: The Future of Security Scanning Is Already Here
sast-skills isn't just a clever hack — it's a paradigm shift that exposes how overpriced and underpowered traditional SAST has become. By weaponizing the context understanding and reasoning capabilities of modern LLMs, Utku Sen has democratized security analysis in a way that vendors charging $50K/year should find deeply threatening.
The toolkit isn't perfect. It lacks enterprise governance features. It requires manual validation. It won't generate your SOC2 audit trail. But for developers who need accurate, actionable security findings without budget approval cycles, it's genuinely revolutionary.
My prediction? Within 18 months, every major AI coding assistant will embed native security scanning. sast-skills is the open-source vanguard proving what's possible. Early adopters get months of competitive advantage — finding vulnerabilities competitors miss, shipping faster with confidence, and redirecting security budget to actual engineering.
Stop overpaying for pattern matchers. Start using intelligence.
Clone the repository today and transform your AI assistant from code monkey to security analyst:
👉 github.com/utkusen/sast-skills
Your first vulnerability scan takes two minutes. Your first missed SQL injection in production costs infinitely more.
Found this analysis valuable? Star the repository, share with your security team, and watch how quickly "we can't afford SAST" becomes "we can't afford NOT to use this."
Comments (0)
No comments yet. Be the first to share your thoughts!
