SAST Scan

Run Vulnetix SAST against changed files (or whole repo). Augments with local Semgrep rules when present.

Invocation

/vulnetix:sast-scan [--rule-id ID] [--paths file1 file2]

Capabilities-aware

Reads .vulnetix/capabilities.yaml first and scopes the Vulnetix CLI calls and external integrations (snort, yara, nuclei, semgrep, syft, grype, trivy, cosign) to what the system and repo support. The session-start hook keeps that file fresh; force a refresh with /vulnetix:capabilities-detect or VULNETIX_FORCE_DETECT=1.

Workflow

See the SKILL.md source for the full workflow. Key steps: load capabilities, run the relevant vulnetix subcommand(s) with -o json, render the result, and update .vulnetix/memory.yaml (where applicable).
