
TL;DR

SAST on Every Commit is a security workflow that chains GitHub + SonarQube to automate a common task. Static application security testing runs on every commit. Critical vulnerabilities block the pipeline and page the security team. Once configured, it saves ~6 hours/week per security engineer and eliminates post-audit remediation sprints; it runs through Claude Code, Cursor, Windsurf or any MCP-compatible AI agent.


SAST on Every Commit

Static application security testing runs on every commit. Critical vulnerabilities block the pipeline and page the security team.

25 min setup · 2 MCPs required · Saves ~6 hours/week per security engineer, plus elimination of post-audit remediation sprints


Partial support — 1 of 2 MCPs hostable

Hosted execution needs every MCP on the whitelist. Use the local CLI for this recipe until the missing MCPs are added.

Not yet hostable:

  • SonarQube

$ mcpizy recipe install github-sonarqube-sast

Why this combo?

SonarQube knows the OWASP vulnerability patterns and can scan code statically at high accuracy; GitHub provides the commit trigger and the merge gate. Together they make security a continuous, automated process rather than a periodic manual audit — catching vulnerabilities when they're cheapest to fix.

Without this workflow

Security audit happens quarterly. Vulnerabilities introduced months earlier are only discovered during the audit, when they are expensive to fix and may already have been exploited.

With MCPizy

Every commit scanned. Critical vuln blocks the PR. Developer fixes it while the code is still fresh in their head. Zero drift.

Business value

Concrete ROI — not marketing fluff.

Time saved

~6 hours/week per security engineer, plus elimination of post-audit remediation sprints

  • Catches vulns at PR time — 20x cheaper to fix than after pentest, and 100x cheaper than after a breach
  • Blocks committed secrets before push — saves the $50-200k post-leak rotation and forensic cleanup
  • Shifts security left: developers learn OWASP patterns from PR comments instead of annual training
  • Makes SOC2/ISO27001 audits painless — continuous SAST evidence is already collected, no audit sprint

Workflow steps

  1. Commit pushed — trigger SAST scan
  2. Analyze code for OWASP Top 10 patterns
  3. Check for secrets and credentials in diff
  4. Block PR if critical vulnerability found
  5. Create GitHub issue and notify security team

Use cases

  • Block merges containing OWASP Top 10 vulnerabilities automatically
  • Catch hardcoded secrets and credentials before they reach the repo
  • Create GitHub issues for vulnerabilities that need tracking across sprints
  • Trend vulnerability count over time to measure security program effectiveness

MCPs required

  • GitHub: GitHub MCP Server
  • SonarQube: SonarQube MCP Server

Agent prompt (copy into Claude Code)

This prompt is the workflow. Paste into Claude Code, Cursor, or Windsurf.

You are a SAST agent that runs on every commit pushed to any branch.

On push event:
1. Call github.get_diff(before_sha, after_sha) to extract changed files
2. Call sonarqube.scan(project_key, sources=changed_files, branch=ref) — use pull-request mode if PR context
3. Poll sonarqube.get_issues(component=project, types=["VULNERABILITY","SECURITY_HOTSPOT"], severities=["CRITICAL","BLOCKER"])
4. Also run secret scanning: call sonarqube.scan with secretsEnabled=true (or gitleaks fallback)
5. For each critical finding:
   - Call github.create_review_comment on exact file:line with the rule description + remediation
   - Call github.create_issue with label "security" if it's on main branch
6. Call github.create_status(context="sast", state=critical_count === 0 ? "success" : "failure")
7. If secrets detected, also page security team via pagerduty/slack immediately — never ignore secret leaks

Strictly block merge on any critical finding. Warning-level findings are comments only.
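The gate that steps 3 to 6 of the prompt describe, written out as an added Python example (this is not MCPizy's, GitHub's or SonarQube's code). It assumes the findings arrive as a list of dicts shaped like the `issues` array of SonarQube's issue search API (key, rule, severity, type, component, line, message) and that the diff is a unified diff as GitHub returns it; the sample diff, the sample findings, the rule keys and the three secret patterns are all constructed for the example, and `added_lines`, `evaluate` and `GateDecision` are names chosen here.

```python
"""Merge-gate logic for SAST on every commit (added example, not MCPizy's code)."""
import re
from dataclasses import dataclass, field

# Hunk header: only the starting line number of the "+" (new) side is needed.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Deliberately narrow, high-confidence patterns (constructed for the example).
# Production deployments hand this to SonarQube secret detection or gitleaks.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "hardcoded-credential": re.compile(
        r"(?i)(password|passwd|secret|api_key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
BLOCKING_SEVERITIES = {"CRITICAL", "BLOCKER"}           # step 3 of the prompt
SECURITY_TYPES = {"VULNERABILITY", "SECURITY_HOTSPOT"}  # code smells never gate


def added_lines(diff_text):
    """Yield (path, new_line_number, content) for every line the diff adds,
    tracking new-side line numbers so comments land on the exact file:line."""
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            path = None                        # new file section: wait for "+++"
        elif path is None and raw.startswith("+++ "):
            name = raw[4:].strip()
            path = name[2:] if name.startswith("b/") else name
        elif raw.startswith("--- ") or raw.startswith("\\"):
            continue                           # old-side name / "No newline" marker
        elif (m := HUNK_RE.match(raw)):
            new_line = int(m.group(1))
        elif path is None:
            continue
        elif raw.startswith("+"):
            yield path, new_line, raw[1:]      # added line: report, then advance
            new_line += 1
        elif raw.startswith("-"):
            continue                           # removed line exists on old side only
        else:
            new_line += 1                      # context line advances the new side


# Constructed sample push: two secrets added next to an unrelated fix.
SAMPLE_DIFF = """diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -1,4 +1,6 @@
 import sqlite3
+DB_PASSWORD = "hunter2-prod-please-dont"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
 
 def query(db, user):
-    return db.execute("SELECT * FROM users WHERE name='" + user + "'")
+    return db.execute("SELECT * FROM users WHERE name=?", (user,))
"""

# Constructed sample findings in the shape of SonarQube's issue search response.
SAMPLE_SONAR_ISSUES = [
    {"key": "sample-1", "rule": "sample:stored-xss", "severity": "BLOCKER",
     "type": "VULNERABILITY", "component": "acme:app:app/views.py", "line": 42,
     "message": "Do not build HTML from user-controlled data; escape it."},
    {"key": "sample-2", "rule": "sample:debug-enabled", "severity": "MAJOR",
     "type": "VULNERABILITY", "component": "acme:app:app/settings.py", "line": 7,
     "message": "Make sure debug mode is deactivated in production."},
    {"key": "sample-3", "rule": "sample:naming", "severity": "CRITICAL",
     "type": "CODE_SMELL", "component": "acme:app:app/views.py", "line": 9,
     "message": "Rename this variable."},   # severe but not security: no gate
]


@dataclass
class GateDecision:
    state: str = "success"                          # github.create_status value
    blocking: list = field(default_factory=list)    # review comment + merge block
    comments: list = field(default_factory=list)    # warning level: comment only
    page_security: bool = False                     # leaked secret: page at once


def evaluate(sonar_issues, diff_text):
    """Any CRITICAL/BLOCKER security finding or any secret in the diff fails
    the "sast" status; everything else becomes an advisory review comment."""
    d = GateDecision()
    for path, line, content in added_lines(diff_text):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                d.blocking.append({"file": path, "line": line, "rule": name,
                                   "message": f"Possible {name} committed; rotate it "
                                              "and remove it from history."})
                d.page_security = True
    for issue in sonar_issues:
        if issue.get("type") not in SECURITY_TYPES:
            continue
        finding = {"file": issue["component"].rsplit(":", 1)[-1],
                   "line": issue.get("line"), "rule": issue["rule"],
                   "message": issue["message"]}
        (d.blocking if issue["severity"] in BLOCKING_SEVERITIES else d.comments).append(finding)
    d.state = "failure" if d.blocking else "success"
    return d


if __name__ == "__main__":
    decision = evaluate(SAMPLE_SONAR_ISSUES, SAMPLE_DIFF)
    print("sast status:", decision.state, "| page security team:", decision.page_security)
    for f in decision.blocking:
        print(f"BLOCK {f['file']}:{f['line']} {f['rule']}: {f['message']}")
    for f in decision.comments:
        print(f"NOTE  {f['file']}:{f['line']} {f['rule']}: {f['message']}")
```

Two details are worth keeping when wiring this to the real MCP calls: the type filter is what stops a CRITICAL code smell from blocking a merge, and the line tracking in `added_lines` is what lets step 5's review comment point at the new-side line number GitHub expects rather than the old one.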

Trigger & credentials

How this workflow fires and what env vars you need.

Webhook trigger: POST /webhook/github (events: push, pull_request)

GitHub (1 var)

  • GITHUB_TOKEN: PAT with repo + security_events scopes (e.g. ghp_...)

SonarQube (3 vars)

  • SONARQUBE_URL: SonarQube server URL (e.g. https://sonar.company.com)
  • SONARQUBE_TOKEN: User token with Execute Analysis permission (e.g. squ_...)
  • SONARQUBE_PROJECT_KEY: Project key in SonarQube (e.g. acme:app)
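The webhook endpoint above is the only unauthenticated door into this workflow, so the receiver should verify GitHub's `X-Hub-Signature-256` header before it trusts a push or pull_request payload. The following is an added Python example of that receiver, not MCPizy's code; it assumes GitHub's standard webhook headers and payload fields and uses `GITHUB_WEBHOOK_SECRET` as an assumed variable name that the recipe's .env.example does not define. The sample body and secret are constructed.

```python
"""GitHub webhook receiver for the SAST trigger (added example, not MCPizy's code)."""
import hashlib
import hmac
import json
import os
from typing import Optional


def sign_body(secret: bytes, body: bytes) -> str:
    """The value GitHub puts in X-Hub-Signature-256 for this body and secret."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Constant-time check of the HMAC over the raw, un-parsed request body."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), header)


def scan_target(event: str, payload: dict):
    """Map a verified push/pull_request payload to the SHAs and ref that the
    prompt's step 1 (github.get_diff) and step 2 (sonarqube.scan) consume.
    Returns None for deliveries that should not start a scan."""
    if event == "push":
        if payload.get("deleted"):             # branch deletion: nothing to scan
            return None
        return {"before": payload["before"], "after": payload["after"],
                "ref": payload["ref"], "pr": None}
    if event == "pull_request":
        if payload.get("action") not in ("opened", "synchronize", "reopened"):
            return None                        # label/review actions carry no new code
        pr = payload["pull_request"]
        return {"before": pr["base"]["sha"], "after": pr["head"]["sha"],
                "ref": pr["head"]["ref"], "pr": payload["number"]}
    return None                                # ping, issues, ...: not a trigger


def handle_webhook(headers: dict, body: bytes, secret: bytes):
    """Return (http_status, scan_target): 401 on a bad or missing signature,
    204 for deliveries that need no scan, 202 when a scan should be queued."""
    h = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(secret, body, h.get("x-hub-signature-256")):
        return 401, None                       # reject before parsing untrusted JSON
    target = scan_target(h.get("x-github-event", ""), json.loads(body))
    return (202, target) if target else (204, None)


# Constructed sample: a push to a feature branch, signed with a made-up secret.
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_PUSH_BODY = json.dumps({
    "ref": "refs/heads/feature/login",
    "before": "1" * 40,
    "after": "2" * 40,
    "deleted": False,
}).encode()

if __name__ == "__main__":
    # GITHUB_WEBHOOK_SECRET is an assumed variable name; the sample secret is the fallback.
    secret = os.environ.get("GITHUB_WEBHOOK_SECRET", "").encode() or SAMPLE_SECRET
    headers = {"X-Hub-Signature-256": sign_body(secret, SAMPLE_PUSH_BODY),
               "X-GitHub-Event": "push"}
    print(handle_webhook(headers, SAMPLE_PUSH_BODY, secret))
```

The signature is computed over the raw bytes, so the check has to run before any JSON parsing or re-serialisation; a body that has been round-tripped through a JSON library will not verify. Deliveries for branch deletions and non-code pull_request actions are dropped rather than scanned, which keeps step 6's "sast" status from being overwritten by events that carry no new commits.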

One-command deploy

Install everything — MCPs, prompt, env template — in a single call.

$ mcpizy recipe install github-sonarqube-sast

✓ Installs all 2 MCP servers
✓ Writes prompt to ~/.mcpizy/prompts/github-sonarqube-sast.md
✓ Generates .env.example in current directory
✓ Ready to paste into Claude Code

Requires mcpizy CLI v1.1+ — install via npm i -g mcpizy.

Quick install (MCPs only)

$ mcpizy install github && mcpizy install sonarqube

Frequently asked questions

What is this workflow?

SAST on Every Commit is a security automation that uses GitHub + SonarQube together via the Model Context Protocol. Static application security testing runs on every commit. Critical vulnerabilities block the pipeline and page the security team.

How long does setup take?

Setup takes around 25 minutes. You install the required MCP servers with `mcpizy install github && mcpizy install sonarqube`, connect your accounts, and the workflow is ready to run.

How much time does this workflow save?

Once running, this workflow saves ~6 hours/week per security engineer, plus elimination of post-audit remediation sprints. The concrete business value: Catches vulns at PR time — 20x cheaper to fix than after pentest, and 100x cheaper than after a breach; Blocks committed secrets before push — saves the $50-200k post-leak rotation and forensic cleanup.

Which MCP servers do I need for this?

You need 2 MCP servers: GitHub (mcpizy install github), SonarQube (mcpizy install sonarqube). All are installable in one command via the MCPizy CLI and configured in your `.claude.json` or `.cursor/mcp.json`.

Does this work with Claude Code, Cursor, and Windsurf?

Yes. The workflow runs with any MCP-compatible AI agent — Claude Code, Claude Desktop, Cursor, Windsurf, VS Code with Copilot, and custom agents built on the MCP SDK. The MCP servers are identical across clients; only the config file path (`.claude.json` vs `.cursor/mcp.json`) changes.

Start building this workflow

Install the required MCPs from the marketplace and automate this in about 25 minutes of setup.

$ mcpizy install github && mcpizy install sonarqube


Free to install. Connect your accounts and this workflow runs itself.