LLM SAST Skills

March 30, 2026 ยท View on GitHub

A collection of agent skills that turn your LLM coding assistant into a fully functional SAST scanner to find vulnerabilities in your codebase. Works natively with Claude Code, Codex, Opencode, Cursor and any other assistant that supports agent skills. No third-party tools required.

Claude Code with Opus model is recommended. But if the cost is a concern, use any IDE and model you trust.

Process in Claude Code

How It Works

CLAUDE.md (for Claude Code) or AGENTS.md (for Opencode and other IDEs) orchestrates the entire assessment workflow automatically. The assessment runs in three steps:

  1. Codebase Analysis -- The sast-analysis skill maps the technology stack, architecture, entry points, data flows, and trust boundaries. It writes its findings to sast/architecture.md.

  2. Vulnerability Detection (parallel) -- All 13 vulnerability detection skills run in parallel as subagents. Each skill follows a two-phase approach: first a recon/discovery phase to find candidate sections, then a verification phase to confirm exploitability. Results are written to sast/*-results.md.

  3. Report Generation -- The sast-report skill consolidates all findings into a single sast/final-report.md, ranked by severity with full remediation guidance and dynamic test instructions.

What It Detects

SkillVulnerability Class
sast-analysisCodebase reconnaissance, architecture mapping, threat modeling
sast-sqliSQL Injection
sast-graphqlGraphQL injection
sast-xssCross-Site Scripting (XSS)
sast-rceRemote Code Execution (command injection, eval, unsafe deserialization)
sast-ssrfServer-Side Request Forgery
sast-idorInsecure Direct Object Reference
sast-xxeXML External Entity
sast-sstiServer-Side Template Injection
sast-jwtInsecure JWT implementations
sast-missingauthMissing authentication and broken function-level authorization
sast-pathtraversalPath / directory traversal
sast-fileuploadInsecure file upload
sast-businesslogicBusiness logic flaws (price manipulation, workflow bypass, race conditions, etc.)
sast-reportConsolidated final report ranked by severity

Installation

Copy your project into the sast-files folder, then open sast-files as your workspace in your AI coding assistant.

cp -r /path/to/your/project sast-files/

Note: If your project already contains a CLAUDE.md or AGENTS.md file, remove it before running the assessment โ€” otherwise it will conflict with the orchestration file provided by this toolkit.

Usage

After copying the files, open your project in your AI coding assistant and ask:

Run vulnerability scan

or

Find vulnerabilities in this codebase

The entry point file (CLAUDE.md or AGENTS.md) orchestrates the full workflow automatically. It will skip any steps whose output files already exist, so you can safely re-run it after fixing issues.

Output

All output is written to a sast/ folder in your project root:

FileDescription
sast/architecture.mdTechnology stack, architecture, entry points, data flows
sast/*-results.mdPer-vulnerability-class findings with proof and remediation
sast/final-report.mdConsolidated report ranked by severity