
sast-analysis

Perform codebase analysis and architecture mapping as the first phase of a security assessment. Explores the tech stack, frameworks, entry points, data flows, and trust boundaries. Outputs sast/architecture.md. Run this before any vulnerability detection skill. Use when asked to analyze a codebase for security or when sast/architecture.md does not yet exist.
reasonless-throne486/sast-skills · ★ 0 · Data & Documents · score 72
Install: claude install-skill reasonless-throne486/sast-skills
# Codebase Analysis

You are performing the first phase of a security assessment. Your goal is to deeply understand the codebase. You are NOT looking for specific vulnerabilities yet. This is pure reconnaissance.

Create a `sast/` folder in the project root (if it doesn't already exist). This phase produces one output file inside it:

- `sast/architecture.md` — technology stack, architecture, entry points, data flows

## Phase 1: Technology Reconnaissance

Explore the codebase and identify:

- **Languages**: All programming languages used and their versions if specified
- **Frameworks**: Web frameworks, ORM layers, template engines, task queues
- **Package managers & dependencies**: Lock files, dependency manifests (package.json, requirements.txt, go.mod, Gemfile, pom.xml, etc.)
- **Infrastructure hints**: Dockerfiles, docker-compose, Kubernetes manifests, Terraform, CI/CD configs
- **Databases**: SQL, NoSQL, cache layers, message brokers — look at connection strings, ORM models, migration files
- **Authentication & authorization**: Auth libraries, middleware, session configs, OAuth/OIDC providers, JWT usage, API key patterns
- **External integrations**: Third-party APIs, payment processors, email services, cloud SDKs, webhook handlers
- **Entry points**: HTTP routes, GraphQL schemas, gRPC service definitions, CLI commands, WebSocket handlers, scheduled jobs, message consumers

Start by reading dependency manifests, project configs, and directory structure. Then drill into sour
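The Phase 1 inventory above is the kind of pass that is worth scripting before the manual drill-down, so that the first draft of `sast/architecture.md` is mechanically complete and the human effort goes into data flows and trust boundaries. The following is an added example written for this page; it is not part of the sast-skills project and the skill itself does not ship any code. It walks a source tree, records dependency manifests and infrastructure files, infers frameworks and auth libraries from manifest contents, greps route declarations for a few common frameworks, and renders the result as a markdown skeleton. The manifest names, framework hints, route regexes and the small sample project it builds in a scratch directory are all this example's own assumptions, chosen to illustrate the procedure rather than to be exhaustive.

```python
"""Phase 1 reconnaissance helper (hypothetical; not the sast-skills project's code).

Inventories manifests, infrastructure files, framework/auth hints and HTTP
entry points, then renders a skeleton for sast/architecture.md.
"""
import os
import re
import tempfile
from pathlib import Path

# Inventory tables: the author's own assumptions about common file names and
# library names, not anything the skill text prescribes. Extend per codebase.
MANIFESTS = {
    "package.json": "JavaScript/TypeScript",
    "requirements.txt": "Python",
    "pyproject.toml": "Python",
    "go.mod": "Go",
    "Gemfile": "Ruby",
    "pom.xml": "Java",
    "Cargo.toml": "Rust",
}
INFRA_FILES = {"Dockerfile", "docker-compose.yml", "docker-compose.yaml"}
INFRA_SUFFIXES = {".tf"}
INFRA_DIRS = (".github/workflows/", "k8s/", "kubernetes/", "terraform/")
FRAMEWORK_HINTS = {"flask": "Flask", "django": "Django", "fastapi": "FastAPI",
                   "express": "Express", "rails": "Rails", "gin-gonic/gin": "Gin",
                   "spring-boot": "Spring Boot"}
AUTH_HINTS = {"jsonwebtoken": "JWT (jsonwebtoken)", "pyjwt": "JWT (PyJWT)",
              "passport": "Passport", "flask-login": "Flask-Login",
              "devise": "Devise", "spring-security": "Spring Security"}
# Vendored and generated trees are pruned so third-party routes do not end up
# in the entry-point map as if they were the application's own.
SKIP_DIRS = {".git", "node_modules", "vendor", ".venv", "venv", "dist", "build"}

# (language, file-suffix regex, route regex capturing (method, path)).
# For Flask the captured "method" is the decorator name "route"; the actual
# verb list lives in the decorator's methods= argument and must be read by hand.
ROUTE_PATTERNS = [
    ("python", r"\.py$",
     re.compile(r"@\w+\.(route|get|post|put|delete|patch)\(\s*[\"']([^\"']+)[\"']")),
    ("javascript", r"\.[cm]?[jt]s$",
     re.compile(r"\b(?:app|router)\.(get|post|put|delete|patch|use|all)\(\s*[\"'`]([^\"'`]+)[\"'`]")),
    ("go", r"\.go$",
     re.compile(r"\.(GET|POST|PUT|DELETE|PATCH|HandleFunc|Handle)\(\s*\"([^\"]+)\"")),
]


def recon(root):
    """Walk `root` and return the Phase 1 inventory as a dict of sorted lists."""
    root = Path(root)
    report = {"languages": set(), "manifests": [], "infra": [],
              "frameworks": set(), "auth": set(), "entry_points": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name in MANIFESTS:
                report["manifests"].append(rel)
                report["languages"].add(MANIFESTS[name])
                text = path.read_text(errors="replace").lower()
                report["frameworks"].update(v for k, v in FRAMEWORK_HINTS.items() if k in text)
                report["auth"].update(v for k, v in AUTH_HINTS.items() if k in text)
            if (name in INFRA_FILES or path.suffix in INFRA_SUFFIXES
                    or any(rel.startswith(d) or f"/{d}" in rel for d in INFRA_DIRS)):
                report["infra"].append(rel)
            for _lang, suffix, pattern in ROUTE_PATTERNS:
                if re.search(suffix, name):
                    for method, route in pattern.findall(path.read_text(errors="replace")):
                        report["entry_points"].append((rel, method.upper(), route))
    return {k: sorted(v) for k, v in report.items()}


def render_markdown(report):
    """Render the inventory as the skeleton of sast/architecture.md."""
    lines = ["# Architecture", "", "## Technology stack", "",
             f"- Languages: {', '.join(report['languages']) or 'unknown'}",
             f"- Frameworks: {', '.join(report['frameworks']) or 'none detected'}",
             f"- Auth libraries: {', '.join(report['auth']) or 'none detected'}",
             f"- Dependency manifests: {', '.join(report['manifests']) or 'none'}",
             f"- Infrastructure files: {', '.join(report['infra']) or 'none'}",
             "", "## Entry points", ""]
    lines += [f"- `{method} {route}` in `{path}`" for path, method, route in report["entry_points"]]
    return "\n".join(lines) + "\n"


def build_sample_tree(root):
    """Write a small constructed project (not a real codebase) under `root`."""
    files = {
        "package.json": '{"dependencies": {"express": "^4.18.2", "jsonwebtoken": "^9.0.0"}}\n',
        "requirements.txt": "flask==3.0.0\nSQLAlchemy==2.0.0\n",
        "Dockerfile": "FROM python:3.12-slim\n",
        ".github/workflows/ci.yml": "name: ci\n",
        "api/app.py": ('from flask import Flask\napp = Flask(__name__)\n'
                       '@app.route("/login", methods=["POST"])\ndef login():\n    pass\n'
                       '@app.route("/admin/users")\ndef users():\n    pass\n'),
        "web/server.js": ('const app = require("express")();\n'
                          'app.post("/api/webhook", handleWebhook);\n'
                          'app.get("/health", (req, res) => res.send("ok"));\n'),
        # Vendored route that must NOT appear in the inventory.
        "node_modules/express/lib/router.js": 'router.get("/not-our-code", noop);\n',
    }
    root = Path(root)
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def run_sample():
    """Build the constructed tree in a scratch directory and return its inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        return recon(build_sample_tree(tmp))


if __name__ == "__main__":
    print(render_markdown(run_sample()))
```

Point `recon()` at a real checkout and treat its output as a starting point only: regex route discovery misses dynamic registration, GraphQL resolvers, gRPC services, scheduled jobs and message consumers, which the skill's entry-point bullet explicitly asks for, so each of those still needs a manual pass through the source.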