utkusen/sast-skills — reverse-engineered prompt

Reverse-engineered prompt

Build me a small repo that turns an AI coding assistant into a built-in security scanner for whatever codebase I drop into it. I want it to work with tools like Claude Code, Cursor, Codex, and similar agents through a simple entry file like CLAUDE.md or AGENTS.md that orchestrates the whole flow automatically.

The experience should be: I copy a project into a folder called sast files, open that folder in my assistant, and type something like "Run vulnerability scan". From there it should first map the app architecture and trust boundaries, then run a set of focused security checks for things like SQL injection, XSS, GraphQL injection, remote code execution, SSRF, IDOR, XXE, template injection, JWT mistakes, missing auth, path traversal, insecure file upload, and business logic flaws, and then produce a final ranked report with remediation advice and test steps.

Please save everything into a sast folder with architecture notes, per-issue result files, and a final report. Make it safe to rerun by skipping any step whose output already exists.
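As an added example, not code from utkusen/sast-skills or from the prompt above: a deterministic Python sketch of the three-phase flow the prompt asks for (architecture notes, one result file per check, a ranked final report) and of the rerun contract (a phase whose output already exists is skipped, and the report is always rebuilt from what is on disk, so a second run neither redoes nor duplicates work). The real repo has an LLM agent read the code; here four tiny regex checks stand in for the focused reviews. The sample source files, the check names, the severities, the `sast/` layout (`architecture.md`, `results/<check>.json`, `report.md`) and the helper names are all constructed assumptions.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed sample codebase (assumption): three small files carrying the kind
# of defects the checks below look for. The xss check intentionally finds nothing.
SAMPLE_SOURCE = {
    "app/db.py": 'def get_user(conn, name):\n'
                 '    return conn.execute(f"SELECT * FROM users WHERE name = \'{name}\'")\n',
    "app/files.py": 'import os\n'
                    'def read_upload(base, filename):\n'
                    '    return open(os.path.join(base, filename)).read()\n',
    "app/auth.py": 'import jwt\n'
                   'def decode(token):\n'
                   '    return jwt.decode(token, options={"verify_signature": False})\n',
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Hypothetical stand-ins for the agent's focused reviews: (pattern, severity, remediation).
CHECKS = {
    "sql-injection": (re.compile(r'\.execute\(\s*f["\']'), "high",
                      "Use parameterised queries instead of f-string SQL."),
    "path-traversal": (re.compile(r'open\(\s*os\.path\.join\('), "medium",
                       "Resolve the joined path and reject anything outside the base directory."),
    "jwt-mistakes": (re.compile(r'verify_signature["\']?\s*:\s*False'), "critical",
                     "Never disable signature verification; pin the algorithm and key."),
    "xss": (re.compile(r'\|\s*safe\b|Markup\('), "medium",
            "Escape output; do not mark untrusted strings safe."),
}


def write_architecture_notes(out_dir: Path, sources: dict) -> Path:
    """Phase 1: architecture map. Left untouched if the notes already exist."""
    notes = out_dir / "architecture.md"
    if notes.exists():
        return notes
    lines = ["# Architecture", ""]
    lines += [f"- `{path}`: {len(src.splitlines())} lines" for path, src in sorted(sources.items())]
    notes.write_text("\n".join(lines) + "\n")
    return notes


def run_checks(out_dir: Path, sources: dict) -> dict:
    """Phase 2: one JSON result file per check; an existing file means the check is skipped."""
    results_dir = out_dir / "results"
    results_dir.mkdir(parents=True, exist_ok=True)
    status = {}
    for name, (pattern, severity, fix) in CHECKS.items():
        result = results_dir / f"{name}.json"
        if result.exists():
            status[name] = "skipped"
            continue
        findings = [
            {"check": name, "severity": severity, "file": path, "line": i,
             "code": line.strip(), "fix": fix}
            for path, src in sources.items()
            for i, line in enumerate(src.splitlines(), 1)
            if pattern.search(line)
        ]
        result.write_text(json.dumps(findings, indent=2))
        status[name] = "written"
    return status


def build_report(out_dir: Path) -> list:
    """Phase 3: rank every finding stored on disk by severity and write report.md."""
    findings = []
    for result in sorted((out_dir / "results").glob("*.json")):
        findings.extend(json.loads(result.read_text()))
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["file"], f["line"]))
    lines = ["# Vulnerability report", ""]
    for n, f in enumerate(findings, 1):
        lines += [f"## {n}. [{f['severity'].upper()}] {f['check']} in {f['file']}:{f['line']}",
                  f"    {f['code']}", f"Remediation: {f['fix']}", ""]
    (out_dir / "report.md").write_text("\n".join(lines))
    return findings


def scan(out_dir: Path, sources: dict = SAMPLE_SOURCE) -> dict:
    """Run all three phases against out_dir (the 'sast' folder)."""
    out_dir.mkdir(parents=True, exist_ok=True)
    write_architecture_notes(out_dir, sources)
    status = run_checks(out_dir, sources)
    return {"status": status, "findings": build_report(out_dir)}


def run_twice(out_dir=None) -> tuple:
    """Scan, then rerun on the same folder: the second pass must skip every check."""
    out_dir = out_dir or Path(tempfile.mkdtemp()) / "sast"
    return scan(out_dir), scan(out_dir), out_dir


if __name__ == "__main__":
    first, second, out = run_twice()
    print("first run:", first["status"])
    print("second run:", second["status"])
    print((out / "report.md").read_text())
```

The rerun guard is the file on disk, not a flag: deleting `sast/results/xss.json` and scanning again redoes exactly that one check and regenerates the report around it, which is the behaviour the prompt's "skip work that already exists" wording wants from the agent.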
