DevSkim is a set of IDE plugins, language analyzers, and rules that provide security "linting" capabilities.
Перейти к файлу
Gabe Stocco 22a847af3a Remove stale TODO 2023-02-27 13:46:20 -08:00
.github/ISSUE_TEMPLATE Create codeql3000.yml (#401) 2022-09-06 11:36:54 -07:00
.vscode Undo --disable-extensions due to dep on .net locator extension 2023-02-08 15:19:08 -08:00
DevSkim-DotNet Remove stale TODO 2023-02-27 13:46:20 -08:00
DevSkim-VSCode-Plugin Fix respecting suppressions 2023-02-27 12:54:26 -08:00
Pipelines Merge branch 'main' into da/LanguageServer 2023-02-17 15:29:55 -08:00
flycheck Redo directory structure. 2020-01-30 18:06:29 -08:00
guidance docs: correct typo in URL (#425) 2022-12-13 04:24:47 -08:00
media Add logo svg 2020-04-22 16:18:19 -07:00
rules/default Fix condition positioning (#450) 2023-02-01 11:35:26 -08:00
scripts Remove deb pkg references 2020-12-03 16:46:02 -08:00
.gitignore Merge branch 'main' into da/LanguageServer 2023-02-17 15:29:55 -08:00
CONTRIBUTING.md Update CONTRIBUTING.md 2020-05-14 01:59:56 -07:00
Directory.Build.props Add options to analyze to specify ruleids (#445) 2023-01-18 14:16:45 -08:00
LICENSE.txt Add Package and Deploy of Dotnet Tool, Update Licenses (#124) 2020-02-28 09:48:18 -08:00
NOTICE.txt Create NOTICE.txt 2020-05-13 23:00:06 -07:00
README.md Rewrite DevSkim to use the Application Inspector Engine (#390) 2022-08-11 19:02:20 -07:00
SECURITY.md Create SECURITY.md 2020-05-14 01:48:16 -07:00
SUPPORT.md s/master/main 2020-06-16 15:01:49 -07:00
codeql3000.yml Create codeql3000.yml (#401) 2022-09-06 11:36:54 -07:00
version.json Adds Fix Command (#412) 2022-11-11 18:03:19 -08:00

README.md

DevSkim

CodeQL (CLI) Nuget

Nuget Visual Studio Marketplace Installs Visual Studio Marketplace Installs

DevSkim is a framework of IDE extensions and language analyzers that provide inline security analysis in the dev environment as the developer writes code. It has a flexible rule model that supports multiple programming languages. The goal is to notify the developer as they are introducing a security vulnerability in order to fix the issue at the point of introduction, and to help build awareness for the developer.

Features

  • Built-in rules, and support for writing custom rules
  • Cross-platform CLI built on .NET 6.0 for file analysis
  • IDE plugins for Visual Studio and Visual Studio Code
  • IntelliSense error "squiggly lines" for identified security issues
  • Information and guidance provided for identified security issues
  • Optional suppression of unwanted findings
  • Broad language support including: C, C++, C#, Cobol, Go, Java, Javascript/Typescript, Python, and more.

Repository Structure

This repository contains DevSkim and its official supported plugins. Issues and contributions are accepted here for:

  • DevSkim Library
    • Location: ./DevSkim-DotNet/
  • DevSkim CLI
    • Location: ./DevSkim-DotNet/Microsoft.DevSkim.CLI/
  • DevSkim Visual Studio Extension
    • Location: ./DevSkim-DotNet/Microsoft.DevSkim.VSExtension/
  • DevSkim Visual Studio Code Plugin
    • Location: ./DevSkim-VSCode-Plugin/
  • Common Rules and Guidance
    • Location: ./rules/default/

Official Releases

Platform specific binaries of the DevSkim CLI are available on our GitHub releases page.

The C# library is available on NuGet as Microsoft.CST.DevSkim.

The .NET Global Tool is available on NuGet as Microsoft.CST.DevSkim.CLI.

The Visual Studio extension is available in the Visual Studio Marketplace.

The Visual Studio Code plugin is available in the Visual Studio Code Marketplace.

DevSkim is also available as a GitHub Action to itegrate with the GitHub Security Issues pane.

Installation

Visual Studio Extension

The DevSkim Visual Studio extension can be downloaded and installed from the Visual Studio Marketplace.

Alternatively, in Visual Studio, open the Extension Manager (Menu: Extensions -> Manage Extensions), search for "Microsoft DevSkim", select the entry, and click on the Download button.

Visual Studio Code Plugin

The DevSkim Visual Studio Code plugin can be downloaded and installed from the Visual Studio Code Marketplace.

Alternatively, In VS Code, launch the Quick Open bar (Ctrl + P), and run the following command: ext install ms-cst-e.vscode-devskim

.NET Core App (Self Contained)

Download the platform specific binary archive for your system (Windows, Mac OS, Linux) from the releases page. Extract the archive, navigate to the DevSkim folder from a command line, and invoke devskim or devskim.exe.

.NET Core Global Tool

If you already have .NET 6.0 installed, you can install the DevSkim CLI dotnet global tool by running the following from a command line:

dotnet tool install --global Microsoft.CST.DevSkim.CLI

This will add DevSkim to your PATH. You can then invoke the devskim command from a command line.

.NET Core Runtime Dependent App

First download and install the .NET Core 56.0 runtime. Then download the DevSkim netcoreapp archive from the releases page. Extract the archive, navigate to the DevSkim folder from a command line, and invoke dotnet devskim.dll.

Build from Source

For more information, see the wiki page about how to Build from Source.

Basic Usage

DevSkim CLI

devskim analyze c:\path\to\FilesToAnalyze

For more information, see the wiki page about the Command Line Interface.

Visual Studio Extension / Visual Studio Code Plugin

Once the DevSkim plugin is installed and enabled, simply write some code, and feedback will be provided inline if issues are detected.

Writing Rules

Please see Writing Rules for instructions on how to author new rules.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

For more information, please see How to Contribute.

Reporting Issues

For more information, please see How to Contribute.

Reporting Security Vulnerabilities

To report a security vulnerability, please see SECURITY.md.

License

DevSkim and its official plugins are licensed under the MIT license.