| name | sast-runner |
| description | Runs Static Application Security Testing (SAST) using Semgrep. Scans source code for vulnerabilities, security anti-patterns, and OWASP Top 10 issues. Use when user asks to "run SAST", "scan for vulnerabilities", "static analysis", "code security scan", "静的解析", "脆弱性スキャン". |
SAST Runner
Wrapper for Semgrep to perform Static Application Security Testing.
Prerequisites
Semgrep must be installed:
# pip
pip install semgrep
# macOS
brew install semgrep
# Docker
docker pull semgrep/semgrep
Usage
# Scan current directory with auto config
npx sast-runner .
# Scan with specific ruleset
npx sast-runner . --config security-audit
# Scan with JSON output
npx sast-runner . --json
# Available rulesets
npx sast-runner --list-configs
# Check if semgrep is installed
npx sast-runner --check
Rulesets
| Config | Description |
|---|---|
| auto | Auto-detect languages and apply relevant rules |
| security-audit | Comprehensive security audit |
| owasp-top-ten | OWASP Top 10 focused |
| cwe-top-25 | CWE/SANS Top 25 |
| default | Default ruleset |
Output Format
{
"tool": "semgrep",
"scanPath": ".",
"findings": [
{
"id": "javascript.express.security.audit.xss.mustache-escape",
"severity": "high",
"message": "Potential XSS vulnerability",
"file": "src/app.js",
"line": 42,
"code": "res.send(userInput)",
"cwes": ["CWE-79"],
"owasp": ["A03:2021"],
"fix": "Use proper output encoding"
}
],
"summary": {
"total": 1,
"critical": 0,
"high": 1,
"medium": 0,
"low": 0
}
}
Exit Codes
0: No issues found1: Issues detected2: Tool not installed or error
CWE Coverage
Common vulnerabilities detected:
- CWE-89: SQL Injection
- CWE-79: Cross-site Scripting (XSS)
- CWE-78: OS Command Injection
- CWE-94: Code Injection
- CWE-22: Path Traversal
- CWE-502: Deserialization of Untrusted Data
- CWE-200: Exposure of Sensitive Information
Supported Languages
JavaScript, TypeScript, Python, Go, Java, Ruby, PHP, C, C++, Rust, Kotlin, Swift, and more.