Security Code Scan – static code analyzer for .NET
- Detects various security vulnerability patterns: SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), XML eXternal Entity Injection (XXE), etc.
- Taint analysis to track user input data.
- One click refactoring for some vulnerabilities.
- Analyzes .NET and .NET Core projects in the background (IntelliSense) or during a build.
- Continuous Integration (CI) through MSBuild.
- Works with Visual Studio 2015 or higher. Visual Studio Community, Professional, and Enterprise editions are supported.
This is a major release that introduces configurable taint sources, sanitizers and validators. The configuration file schema version has changed to 2.0, so if you had custom config settings, you will need to adjust them to the new schema and rename your file from config-1.0.yml to config-2.0.yml, or change Version: 1.0 to Version: 2.0 if the configuration was added to a project.
With the introduction of taint sources and taint entry points, warnings are shown only for tainted data. Unknowns are reported only in Audit Mode.
Multiple improvements and fixes were made to the Taint, Anti-CSRF token, XSS, SQL injection, Path traversal, XPath injection and Certificate validation analyzers.
New LDAP injection detection was added.
An issue was fixed that could surface as “Session Terminated unexpectedly. Disabling ‘Security Code Scan’ might help prevent….”
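The following is an added example, not code from the Security Code Scan project, that illustrates what “tainted”, “sanitized” and “unknown” mean to a source-to-sink taint analyzer. It assumes an ASP.NET Core MVC controller (action parameters are data from the HTTP request, i.e. a taint entry point) and the System.Data.SqlClient package; the class names, the connection string and the query text are constructed for the illustration.

```csharp
// Added example (not from the Security Code Scan project): three code paths that show
// what "tainted", "sanitized" and "unknown" mean to a taint analyzer.
using System.Data.SqlClient;
using Microsoft.AspNetCore.Mvc;

public class UserController : Controller
{
    // Constructed placeholder; a real application would read this from configuration.
    private const string ConnectionString = "Server=.;Database=App;Integrated Security=true";

    // 1. Tainted flow: 'name' comes straight from the HTTP request (a taint entry point)
    //    and reaches a SQL sink by string concatenation. This is the case the analyzer
    //    reports as SQL injection without needing Audit Mode.
    [HttpGet]
    public IActionResult ByNameVulnerable(string name)
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("SELECT Id FROM Users WHERE Name = '" + name + "'", conn))
        {
            conn.Open();
            return Ok(cmd.ExecuteScalar());
        }
    }

    // 2. Same source, same sink, but the tainted value travels only as a bound parameter.
    //    The command text is a constant, so no tainted data reaches the sink and no
    //    warning is raised.
    [HttpGet]
    public IActionResult ByNameSafe(string name)
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("SELECT Id FROM Users WHERE Name = @name", conn))
        {
            cmd.Parameters.AddWithValue("@name", name);
            conn.Open();
            return Ok(cmd.ExecuteScalar());
        }
    }
}

// 3. Unknown taint: this helper is not an entry point, and nothing visible to the
//    analyzer says whether 'filter' is attacker-controlled. Under a model that warns only
//    on known taint this is an "unknown" and surfaces only in Audit Mode; declaring the
//    callers that feed it as taint sources (or the helper as a sink) in the configuration
//    turns it into a definite finding.
public static class UserRepository
{
    public static object FindByFilter(SqlConnection conn, string filter)
    {
        using (var cmd = new SqlCommand("SELECT Id FROM Users WHERE " + filter, conn))
        {
            return cmd.ExecuteScalar();
        }
    }
}
```

The practical consequence of the 2.0 model is that path 3 is quiet in a normal build: if your application has its own request-handling framework or custom input readers, register them as taint sources in the configuration, or run the analyzer in Audit Mode on a schedule to review the unknowns.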
Security Code Scan (SCS) can be installed as:
- Visual Studio extension. Use the link or open “Tools > Extensions and Updates…”. Select “Online” in the tree on the left and search for SecurityCodeScan in the upper-right field. Click “Download” and install.
- NuGet package.
- Right-click on the root item in your solution. Select “Manage NuGet Packages for Solution…”. Select “Browse” at the top and search for Security Code Scan. Select the projects you want to install into and click “Install”.
- Another option is to install the package into all projects in a solution: use “Tools > NuGet Package Manager > Package Manager Console”. Run the command Get-Project -All | Install-Package SecurityCodeScan.
Installing it as a NuGet package gives you the advantage of choosing which projects in a solution should be analyzed. It is a good idea to exclude test projects because they do not make it into the final product. However, it requires discipline to install SCS into every solution a developer works with. Installing it as a Visual Studio extension is a single install action.
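As an added example (not from the Security Code Scan project), the Package Manager Console command above can be extended to skip test projects and then verify where the analyzer ended up. It assumes the console’s Get-Project, Install-Package and Get-Package cmdlets, and the '*Test*' name pattern is an assumption about how test projects are named in the solution.

```powershell
# Added example (not from the Security Code Scan project). Run in the Visual Studio
# Package Manager Console ("Tools > NuGet Package Manager > Package Manager Console").
# Assumption: test projects can be recognised by the '*Test*' pattern in their name.
$testPattern = '*Test*'

# Pick every project in the solution except the test projects.
$targets = Get-Project -All | Where-Object { $_.Name -notlike $testPattern }

# Install the analyzer package into each selected project.
foreach ($project in $targets) {
    Install-Package SecurityCodeScan -ProjectName $project.Name
}

# Verify: list every project with a flag showing whether SecurityCodeScan is referenced,
# so that a test project that slipped through (or a product project that was missed) stands out.
Get-Project -All | ForEach-Object {
    $installed = Get-Package -ProjectName $_.Name | Where-Object { $_.Id -eq 'SecurityCodeScan' }
    [pscustomobject]@{ Project = $_.Name; HasSCS = [bool]$installed }
}
```

Because the package reference lives in each project file, the analyzer then runs for those projects on every build, including CI builds through MSBuild, without any per-developer installation.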
git clone https://github.com/security-code-scan/security-code-scan.git