qa-sast

Adversarial unifier of multi-scanner SAST output (Semgrep + SonarQube + CodeQL + Bandit + gosec). Reads each scanner's normalized JSON / SARIF; deduplicates by `(file, line, normalized_cwe)` recording all scanners that flagged each finding (consensus signal); applies `.sast-waivers.yaml` waivers (rejects waivers without `expires:` + `approved_by:` + `reason:`); classifies into Critical / High / Medium / Low / Info; emits PR-comment summary with verdict (BLOCK / PASS). Refuses to mark PR pass if any unwaived critical finding remains. Mirror of qa-iac/iac-policy-checker pattern. Use after any subset of the SAST scanners runs in CI.

Configures and runs Bandit - Python-specific SAST from the OpenStack security plugin set covering 60+ rule IDs across 7 categories (B1xx misc, B2xx application, B3xx blacklists/cryptography, B4xx imports, B5xx, B6xx injections, B7xx XSS); supports `bandit -r .` recursive scan, `--severity-level low|medium|high`, `--confidence-level low|medium|high` filtering, `# nosec` and `# nosec B404` per-line + per-rule suppressions, `pyproject.toml` `[tool.bandit]` config including `exclude_dirs`. Use when the user works with Python and needs a focused, low-overhead SAST integrated with pre-commit / CI.

Configures and runs GitHub CodeQL - semantic-database SAST with queries written in the CodeQL declarative query language; supports `codeql database create` (per-language) + `codeql database analyze` with --format=sarif; ships query packs (`codeql/javascript-queries`, `codeql/python-queries`, `codeql/java-queries`, `codeql/go-queries`, etc.); integrates with GitHub Code Scanning via SARIF upload; suppression via inline comment + sarif-filter + Security-tab dismissal. Use when the team uses GitHub-hosted repos and needs deep semantic SAST beyond pattern matching (cross-file taint flows, dataflow analysis).

Configures and runs `eslint-plugin-security` (14 detect-* rules covering injection, path traversal, ReDoS, unsafe buffers, and bidi trojan-source) plus `eslint-plugin-no-unsanitized` (DOM XSS via `innerHTML`, `outerHTML`, `document.write`, `insertAdjacentHTML`) as the JS/TS first-party SAST layer; covers flat config setup, per-rule suppression with justification templates, SARIF output via `@microsoft/eslint-formatter-sarif` for GitHub Code Scanning upload, and CI gating on ESLint exit code 1. Use when the project is JS or TS and needs an in-process security lint pass without a separate SAST server.

Configures and runs gosec - Go-specific SAST covering 40+ rule IDs (G101 hardcoded creds, G104 unhandled errors, G304 file path traversal, G401 weak crypto algorithms, G601 implicit memory aliasing, etc.); supports `gosec ./...` recursive scan via Go AST + SSA analysis with taint tracking; per-line `#nosec G404 -- justification` suppression; output formats `--fmt sarif|json|junit-xml|html|text`; integrates with golangci-lint as a linter. Use when the user works with Go and needs a focused SAST integrated with golangci-lint.

Runs PMD's built-in Apex security ruleset (`category/apex/security.xml`) against Salesforce Apex source to detect injection, privilege-escalation, cryptographic, and XSS vulnerabilities; configures custom rulesets for regulated-industry Apex codebases; emits SARIF for GitHub Code Scanning upload; integrates `pmd check` as a PR-blocking CI gate. Use when the codebase contains Salesforce Apex and the team needs SAST coverage for ApexSOQLInjection, ApexCRUDViolation, ApexSharingViolations, or the full 10-rule security category.