Snyk Code adds security scanning for C# and .NET

Author:
Frank Fischer

July 29, 2021


As a quick note, I have a personal history with .NET, including time working at Microsoft as a .NET evangelist. And I’ve briefly met Anders Hejlsberg, the designer of C# and TypeScript, so this blog is a bit personal for me.

We are happy to announce that Snyk Code now scans for security vulnerabilities and provides remediation suggestions for yet another language: C#. This adds a major language to our portfolio, which already includes Java, JavaScript, TypeScript, and Python.


C# is intertwined with the .NET framework and has seen a lot of change. Version 9.0 was released in 2020, and the language is standardized as both ECMA-334 and ISO/IEC 23270. C# is multi-paradigm (structured, imperative, object-oriented, event-driven, task-driven, functional, generic, reflective, concurrent), or in short: a mature language with history.

C# accounts for roughly 8% of the developer language market, which makes it fourth behind Java, JavaScript, and Python. While C# started as the language of choice for Windows and business applications, it has also been adopted in the game development and VR industries because it is the scripting language of Unity applications.


How to add C# projects to Snyk

There are several ways to get your repository scanned. The IDE plugins let you scan source code independently of your version control system, so you can check your code before you commit it.

Pro tip: You can get open source repositories scanned without forking or cloning them. Just use Add project > Monitor public GitHub repos.

In general, Snyk Code supports GitHub, GitLab, Bitbucket Cloud, and Azure Repos. Integrations are configured under Settings. Note: Azure Repos does not appear directly in the Add project menu; click + Other to find it.

For existing Snyk users, projects that were imported before this release need to be rescanned to see C# results immediately. Otherwise, the results will appear when the next regular rescan runs.

Finding vulnerabilities with Snyk Code

Snyk Code performs data flow analysis that surfaces typical injection flaws such as SQL injection, XML injection, open redirect, and LDAP injection, to name a few. In our training set, we saw path traversal frequently. In this class of bug, externally supplied data is used to open a file without prior sanitization; an attacker can then use sequences like ../ in the path to step out of the intended directory and read or write files you want to protect. The same pattern appears when unpacking ZIP archives: if the entry name stored in the archive is trusted when building the destination path, a crafted archive can overwrite files outside the extraction directory. (This is called Zip Slip, and yes, Snyk Code scans for it too.) Snyk Code also follows data flows across file boundaries, which matters in C# because partial classes let you split one class definition over multiple files.
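The following is an added example, not code from the Snyk post or from Snyk Code itself. It shows the two bugs described above in the shape they usually take in C# code bases, a file read built from a user-supplied name and a hand-rolled ZIP extraction loop, each next to a hardened version that canonicalises the path and checks that it stays under the intended directory. The class and method names, the `pathsafety-demo` temp directory, and the file names used as fixtures are all assumptions made for the demo; it targets .NET 6 or later.

```csharp
using System;
using System.IO;
using System.IO.Compression;

// Added example (not code from the Snyk post). Names and fixtures are assumed.
public static class PathSafety
{
    // VULNERABLE: the caller-supplied name flows straight into the file path.
    // "../secret.txt" steps out of reportsDir, and a rooted value such as
    // "/etc/passwd" replaces it outright, because Path.Combine returns a
    // rooted second argument unchanged.
    public static string ReadReportUnsafe(string reportsDir, string name)
    {
        return File.ReadAllText(Path.Combine(reportsDir, name));
    }

    // HARDENED: canonicalise the combined path and require that it stays
    // inside the base directory before touching the file system.
    public static string ResolveInside(string baseDir, string untrusted)
    {
        if (string.IsNullOrWhiteSpace(untrusted))
            throw new ArgumentException("empty path", nameof(untrusted));

        // Normalise the base once, with a trailing separator, so that
        // "/srv/reports2" is not accepted as being inside "/srv/reports".
        string root = Path.GetFullPath(baseDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // GetFullPath collapses "..", "." and repeated separators. A rooted
        // untrusted value resolves on its own rather than under root, so it
        // fails the prefix test like any other escape.
        string full = Path.GetFullPath(Path.Combine(root, untrusted));

        if (!full.StartsWith(root, StringComparison.Ordinal))
            throw new UnauthorizedAccessException($"'{untrusted}' escapes {root}");
        return full;
    }

    public static string ReadReportSafe(string reportsDir, string name)
    {
        return File.ReadAllText(ResolveInside(reportsDir, name));
    }

    // VULNERABLE (Zip Slip): entry.FullName is attacker-controlled and may be
    // "../../app/startup.dll"; ExtractToFile writes wherever it points.
    public static void ExtractUnsafe(string zipPath, string destDir)
    {
        Directory.CreateDirectory(destDir);
        using var archive = ZipFile.OpenRead(zipPath);
        foreach (var entry in archive.Entries)
        {
            string target = Path.Combine(destDir, entry.FullName);
            Directory.CreateDirectory(Path.GetDirectoryName(target)!);
            if (entry.Name.Length > 0)               // Name is empty for directory entries
                entry.ExtractToFile(target, overwrite: true);
        }
    }

    // HARDENED: every entry goes through the same containment check.
    public static void ExtractSafe(string zipPath, string destDir)
    {
        Directory.CreateDirectory(destDir);
        using var archive = ZipFile.OpenRead(zipPath);
        foreach (var entry in archive.Entries)
        {
            string target = ResolveInside(destDir, entry.FullName); // throws on escape
            if (entry.Name.Length == 0) { Directory.CreateDirectory(target); continue; }
            Directory.CreateDirectory(Path.GetDirectoryName(target)!);
            entry.ExtractToFile(target, overwrite: false);
        }
    }

    public static void Main()
    {
        // Constructed fixture: a reports directory with a secret file beside it.
        string tmp = Path.Combine(Path.GetTempPath(), "pathsafety-demo");
        if (Directory.Exists(tmp)) Directory.Delete(tmp, recursive: true);
        string reports = Path.Combine(tmp, "reports");
        Directory.CreateDirectory(reports);
        File.WriteAllText(Path.Combine(tmp, "secret.txt"), "outside");
        File.WriteAllText(Path.Combine(reports, "q1.txt"), "inside");

        Console.WriteLine(ReadReportSafe(reports, "q1.txt"));
        Console.WriteLine(ReadReportUnsafe(reports, "../secret.txt"));
        try { ReadReportSafe(reports, "../secret.txt"); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("blocked: " + e.Message); }

        // Constructed malicious archive: one entry whose name climbs out of
        // the extraction directory.
        string zip = Path.Combine(tmp, "evil.zip");
        using (var a = ZipFile.Open(zip, ZipArchiveMode.Create))
        using (var w = new StreamWriter(a.CreateEntry("../escaped.txt").Open()))
            w.Write("pwned");

        ExtractUnsafe(zip, Path.Combine(tmp, "extract-unsafe"));
        Console.WriteLine(File.Exists(Path.Combine(tmp, "escaped.txt")));
        try { ExtractSafe(zip, Path.Combine(tmp, "extract-safe")); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("blocked: " + e.Message); }
    }
}
```

Running `Main` shows the asymmetry: the unsafe read returns the contents of `secret.txt` from outside the reports directory and the unsafe extraction drops `escaped.txt` next to it, while both hardened paths throw before anything is opened. Two caveats worth keeping in mind: the check is lexical, so a symlink that already lives inside the base directory and points elsewhere would still pass it, and current .NET's `ZipFileExtensions.ExtractToDirectory` refuses entries that resolve outside the destination on its own, whereas hand-rolled loops like `ExtractUnsafe`, which are common in real code, have no such guard.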

Snyk Code supports the major frameworks of .NET: .NET Framework, .NET Core, ASP.NET (4.x), and ASP.NET Core. As usual, Snyk Code supports any C# library out of the box.

Pro tip: Snyk Code scans source files with the *.cs extension and does not scan *.cshtml Razor markup files, so C# code embedded in Razor views is outside the scan.

Secure your C# projects today

After six months on the market, Snyk Code now supports JavaScript, TypeScript, C#, Python, and Java. There is more to come, and we plan to release new languages in short succession over the upcoming months. If yours is not on the list yet, check back frequently; we might have news for you.
