This walks you through setting up SAST tools like Semgrep, SonarQube, and CodeQL in your CI/CD pipeline. It covers the practical stuff: writing custom security rules, configuring quality gates, tuning false positives, and integrating scans into GitHub Actions or GitLab CI. The skill includes actual config snippets and a comparison table showing which tool fits different needs. It's aimed at teams that want to catch security issues in code before deployment, not at those doing manual pen testing. The incremental adoption advice is solid: start with a small set of critical, high-confidence rules that fail the build, keep the rest advisory, and widen the blocking set as the backlog clears, rather than blocking every build on day one. Good for setting up baseline security scanning; less useful if you need policy decisions about which standards to follow.
npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill sast-configuration
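As an added illustration of the incremental-adoption and false-positive-tuning points (this is not code from the sast-configuration skill or the page), here is a small pipeline-side quality gate in Python. It reads a Semgrep `--json` report, drops findings that were triaged as false positives, and fails the build only at the chosen severity tier, so phase one blocks on ERROR findings alone while WARNING findings stay visible but non-blocking. The report, rule ids, fingerprints and triage list are constructed for the example; the field names follow Semgrep's JSON output (`results[].check_id`, `path`, `start.line`, `extra.severity`, `extra.message`, `extra.fingerprint`).

```python
"""Severity-tiered quality gate over a Semgrep JSON report.

Added illustration for the SAST-pipeline entry above; not code from the
sast-configuration skill. Field names follow Semgrep's `--json` output
(results[].check_id, path, start.line, extra.severity, extra.message,
extra.fingerprint). The report, rule ids and triage list are constructed.
"""
import json

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Constructed report, shaped like `semgrep scan --config rules/ --json`.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"check_id": "custom.python.sql-injection-fstring",
         "path": "app/db.py", "start": {"line": 42}, "end": {"line": 42},
         "extra": {"severity": "ERROR", "fingerprint": "fp-sqli-001",
                   "message": "SQL built with an f-string; use parameters"}},
        {"check_id": "custom.python.subprocess-shell-true",
         "path": "scripts/build.py", "start": {"line": 10}, "end": {"line": 10},
         "extra": {"severity": "ERROR", "fingerprint": "fp-shell-002",
                   "message": "subprocess called with shell=True"}},
        {"check_id": "custom.python.insecure-hash-md5",
         "path": "app/util.py", "start": {"line": 7}, "end": {"line": 7},
         "extra": {"severity": "WARNING", "fingerprint": "fp-md5-003",
                   "message": "MD5 used for hashing"}},
    ],
    "errors": [],
})

# Constructed triage list: findings a reviewer accepted as false positives,
# keyed by Semgrep fingerprint so the decision survives line-number shifts.
TRIAGE = {
    "fp-shell-002": "static command string in build script, no user input",
}


def load_findings(report_json: str) -> list[dict]:
    """Flatten the fields the gate needs out of a Semgrep JSON report."""
    data = json.loads(report_json)
    findings = []
    for r in data.get("results", []):
        extra = r["extra"]
        findings.append({
            "check_id": r["check_id"],
            "path": r["path"],
            "line": r["start"]["line"],
            "severity": extra["severity"].upper(),
            "message": extra["message"],
            "fingerprint": extra.get("fingerprint", ""),
        })
    return findings


def apply_triage(findings: list[dict], triage: dict[str, str]) -> list[dict]:
    """Drop findings whose fingerprint has a recorded triage decision."""
    return [f for f in findings if f["fingerprint"] not in triage]


def gate(findings: list[dict], block_at: str = "ERROR") -> dict:
    """Split findings into blocking and advisory sets at a severity tier.

    Phase 1 of an incremental rollout: block_at="ERROR". Once the ERROR
    backlog is clear, lower it to "WARNING" to widen the gate.
    """
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    advisory = [f for f in findings if SEVERITY_RANK[f["severity"]] < threshold]
    return {"blocking": blocking, "advisory": advisory, "passed": not blocking}


def exit_code(result: dict) -> int:
    """Non-zero only when a blocking finding remains; CI fails on that."""
    return 0 if result["passed"] else 1


def format_report(result: dict) -> str:
    """One line per finding, blocking ones first, for the CI log."""
    lines = []
    for tag, key in (("BLOCK", "blocking"), ("WARN ", "advisory")):
        for f in result[key]:
            lines.append(f"{tag} {f['severity']:<7} {f['path']}:{f['line']} "
                         f"{f['check_id']}: {f['message']}")
    return "\n".join(lines)


if __name__ == "__main__":
    kept = apply_triage(load_findings(SAMPLE_REPORT), TRIAGE)
    result = gate(kept, block_at="ERROR")
    print(format_report(result))
    raise SystemExit(exit_code(result))
```

In a pipeline this would sit after a step such as `semgrep scan --config rules/ --json -o semgrep.json`, with the script reading that file instead of the embedded sample. Semgrep's own `--severity ERROR` flag gives the simplest phase-one gate, but it hides lower-severity findings entirely; the script keeps them in the log as advisory so the team can see what the next phase will block. For suppressions at the code level, Semgrep's `# nosemgrep` comment and a `.semgrepignore` file are the built-in mechanisms; the fingerprint-keyed triage list above is for decisions you want reviewed in the pipeline repo rather than scattered through the code base.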