Install: claude install-skill roodlicht/accans-sec-skills
# SAST Orchestrator
## When to use
This skill configures static-analysis tooling and keeps the noise low enough that findings stay actionable. It's the engine behind phase 3 of `security-review` and the SAST gate of `/security-gate`.
Activates on:
- A request like "set up Semgrep on this repo", "which CodeQL query suite should we use", "our SonarQube is full of false positives", "integrate SAST in CI".
- Existing SAST output that needs to be triaged before it goes to developers.
- PR-comment configuration where you have to decide between inline annotations and silent failure.
- A new repo where SAST is missing, or an existing one where the rule sets have grown without hygiene.
- A handoff from `security-review` phase 3 or the `security-gate` SAST gate.
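The second trigger above, triaging existing SAST output before it reaches developers, is the noise-reduction step this skill is about. The following is an added illustration, not code from the skill itself: it takes `semgrep --json` output (the `results[].check_id`, `path`, `start.line`, `extra.severity`, `extra.fingerprint` and `extra.metadata.confidence` fields), drops duplicates, baselined fingerprints, ignored paths and low-severity or low-confidence hits, and returns the actionable list plus a count of why the rest was suppressed. The sample payload, the rule ids and the baseline are constructed.

```python
"""Triage a `semgrep --json` payload; constructed example, not the skill's own code."""
import json
from collections import Counter

# Constructed sample in the shape of `semgrep --json` output (not a real scan).
SAMPLE_SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "python.lang.security.audit.exec-detected", "path": "app/tasks.py",
     "start": {"line": 42}, "extra": {"severity": "ERROR", "fingerprint": "fp-aaa1",
     "metadata": {"confidence": "HIGH"}}},
    {"check_id": "python.lang.security.audit.exec-detected", "path": "app/tasks.py",  # duplicate
     "start": {"line": 42}, "extra": {"severity": "ERROR", "fingerprint": "fp-aaa1",
     "metadata": {"confidence": "HIGH"}}},
    {"check_id": "python.lang.best-practice.open-never-closed", "path": "tests/test_io.py",
     "start": {"line": 7}, "extra": {"severity": "INFO", "fingerprint": "fp-bbb2",
     "metadata": {"confidence": "LOW"}}},
    {"check_id": "python.django.security.injection.sql", "path": "app/views.py",
     "start": {"line": 88}, "extra": {"severity": "WARNING", "fingerprint": "fp-ccc3",
     "metadata": {"confidence": "MEDIUM"}}},
    {"check_id": "python.lang.security.audit.md5-used", "path": "app/cache.py",
     "start": {"line": 3}, "extra": {"severity": "WARNING", "fingerprint": "fp-ddd4",
     "metadata": {"confidence": "MEDIUM"}}},
]})

SEVERITY_RANK = {"ERROR": 3, "WARNING": 2, "INFO": 1}
CONFIDENCE_RANK = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}


def triage(raw_json, baseline=frozenset(), min_severity="WARNING",
           min_confidence="MEDIUM", ignore_prefixes=("tests/",)):
    """Return (actionable_findings, suppression_counts) for a Semgrep JSON payload."""
    seen, actionable, why = set(), [], Counter()
    for r in json.loads(raw_json)["results"]:
        extra = r["extra"]
        # Fall back to rule+location when a rule emits no fingerprint.
        fp = extra.get("fingerprint") or f"{r['check_id']}:{r['path']}:{r['start']['line']}"
        if fp in seen:
            why["duplicate"] += 1; continue
        seen.add(fp)
        if fp in baseline:  # previously accepted / known finding
            why["baseline"] += 1; continue
        if r["path"].startswith(ignore_prefixes):
            why["ignored-path"] += 1; continue
        if SEVERITY_RANK.get(extra.get("severity"), 0) < SEVERITY_RANK[min_severity]:
            why["low-severity"] += 1; continue
        conf = extra.get("metadata", {}).get("confidence", "LOW")  # missing confidence = LOW
        if CONFIDENCE_RANK.get(conf, 1) < CONFIDENCE_RANK[min_confidence]:
            why["low-confidence"] += 1; continue
        actionable.append({"fingerprint": fp, "rule": r["check_id"], "path": r["path"],
                           "line": r["start"]["line"], "severity": extra["severity"],
                           "confidence": conf})
    # Highest severity and confidence first, so developers see the worst hits at the top.
    actionable.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]],
                                   -CONFIDENCE_RANK[f["confidence"]], f["path"]))
    return actionable, dict(why)
```

The suppression counts are worth surfacing alongside the findings: a gate that silently drops 90% of hits is a gate nobody trusts.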
### When NOT to use (handoff)
- Secrets in code → `secrets-scanner`. SAST tools have secret rules but they are not the sharpest layer.
- Vulnerabilities in dependencies → `cve-triage` and `supply-chain`. SCA is a separate discipline.
- Runtime / dynamic analysis → `dast-workflow`. SAST doesn't see live auth flows or response headers.
- IaC misconfig → `iac-security`. Even though tools like Semgrep have IaC rules, the specialist coverage in `iac-security` is sharper.
- Framework-deep rules (Django, Rails, Spring, Next.js) → `django-security`, `rails-security`, `spring-security`, `nextjs-security` respectively. Those skills can call this one for CI integration of their framework-specific rule sets.
- Pure code-pattern questi