Snyk Code adds security scanning for C# and .NET
As a quick note, I have a personal history with .NET, including time working at Microsoft as a .NET evangelist. And I’ve briefly met Anders Hejlsberg, the designer of C# and TypeScript, so this blog is a bit personal for me.
C# is intertwined with the .NET framework and has seen a lot of changes. Version 9.0 was released in 2020, and the language is both an ECMA (ECMA-334) and an ISO (23270) standard. C# is multi-paradigm (structured, imperative, object-oriented, event-driven, task-driven, functional, generic, reflective, concurrent); in short, a mature language with history.
How to add C# projects to Snyk
There are several ways to get your repository scanned. The IDE integration lets you scan source code independently of the version control system, which is useful when you want to check your code before committing it.
Pro tip: You can get open source repositories scanned without forking or cloning them. Just use Add project > Monitor public GitHub repos.
In general, Snyk Code supports GitHub, GitLab, Bitbucket Cloud and Azure Repos. Integrations are configured in Settings. Note: Azure Repos does not appear directly in the Add project menu; click + Other to find it.
For existing Snyk users, projects that have already been imported need to be rescanned to see C# results immediately. Otherwise, the results will appear when the regular rescan runs.
Finding vulnerabilities with Snyk Code
Snyk Code performs data flow analysis that can surface typical injection attacks such as SQL injection, XML injection, open redirect, or LDAP injection, to name a few. In our training set, we saw path traversals frequently. In this type of attack, external data is used without prior sanitization to open files. An attacker could use the file path to move through the directories and read or write files you want to protect. Similarly, unpacking ZIP files and using the paths stored in the archive as-is can result in important files being overwritten. (This is called Zip Slip, and yes, Snyk Code also scans for it.) Snyk Code also finds issues whose data flow spans multiple files, which is especially relevant in C#, where partial class definitions can be split across several files.
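The Zip Slip and path traversal cases described above, as an added example that is not code from the Snyk post or the Snyk product. It shows a hand-rolled ZIP extraction loop that trusts entry names (the defect Snyk Code flags), a hardened version, and the single `ResolveUnderRoot` check that both it and any file path built from external input can share. Names, the constructed sample archive, and the assumption of .NET 6 or later are mine, not the page's.

```csharp
using System;
using System.IO;
using System.IO.Compression;

// Added example, not code from the Snyk post: a ZIP extraction loop with the
// Zip Slip defect beside a hardened version. The same ResolveUnderRoot() check
// applies to any file path assembled from external input (path traversal).
// Assumes .NET 6 or later (hypothetical helper names).
public static class SafePaths
{
    // Canonicalises root + untrustedRelativePath and rejects the result if it
    // lands outside root. Throws InvalidDataException on an escape attempt.
    public static string ResolveUnderRoot(string root, string untrustedRelativePath)
    {
        string canonicalRoot = Path.GetFullPath(root);
        if (!canonicalRoot.EndsWith(Path.DirectorySeparatorChar))
            canonicalRoot += Path.DirectorySeparatorChar;

        // Path.Combine returns the second argument unchanged when it is
        // absolute, and GetFullPath collapses "../" segments, so the prefix
        // check must run on the canonical form, never on the raw input.
        string candidate = Path.GetFullPath(Path.Combine(canonicalRoot, untrustedRelativePath));

        if (!candidate.StartsWith(canonicalRoot, StringComparison.Ordinal))
            throw new InvalidDataException($"'{untrustedRelativePath}' resolves outside '{root}'.");

        return candidate;
    }

    // Vulnerable pattern: entry.FullName comes straight from the archive, so an
    // entry whose name starts with "../" is written outside the destination.
    public static void ExtractUnsafe(string zipPath, string destination)
    {
        using ZipArchive archive = ZipFile.OpenRead(zipPath);
        foreach (ZipArchiveEntry entry in archive.Entries)
        {
            string target = Path.Combine(destination, entry.FullName);
            Directory.CreateDirectory(Path.GetDirectoryName(target)!);
            entry.ExtractToFile(target, overwrite: true);
        }
    }

    // Hardened: every entry path is validated against the destination first,
    // and existing files are never silently overwritten.
    public static void ExtractSafe(string zipPath, string destination)
    {
        using ZipArchive archive = ZipFile.OpenRead(zipPath);
        foreach (ZipArchiveEntry entry in archive.Entries)
        {
            string target = ResolveUnderRoot(destination, entry.FullName);
            if (entry.FullName.EndsWith('/'))          // directory entry
            {
                Directory.CreateDirectory(target);
                continue;
            }
            Directory.CreateDirectory(Path.GetDirectoryName(target)!);
            entry.ExtractToFile(target, overwrite: false);
        }
    }

    public static void Main()
    {
        // Constructed sample archive: one benign entry and one whose name
        // tries to step out of the extraction directory.
        string work = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        Directory.CreateDirectory(work);
        string zipPath = Path.Combine(work, "sample.zip");
        using (ZipArchive archive = ZipFile.Open(zipPath, ZipArchiveMode.Create))
        {
            WriteEntry(archive, "docs/readme.txt", "benign content");
            WriteEntry(archive, "../escape.txt", "must never be written");
        }

        string outDir = Path.Combine(work, "out");
        try
        {
            ExtractSafe(zipPath, outDir);
        }
        catch (InvalidDataException ex)
        {
            Console.WriteLine($"Rejected entry: {ex.Message}");
        }

        // The benign entry was extracted; the escaping one was refused.
        Console.WriteLine($"readme extracted: {File.Exists(Path.Combine(outDir, "docs", "readme.txt"))}");
        Console.WriteLine($"escape written:   {File.Exists(Path.Combine(work, "escape.txt"))}");
    }

    private static void WriteEntry(ZipArchive archive, string name, string text)
    {
        using Stream stream = archive.CreateEntry(name).Open();
        using var writer = new StreamWriter(stream);
        writer.Write(text);
    }
}
```

Two design notes: the comparison is done on `Path.GetFullPath` output with a trailing separator appended to the root, so a sibling directory that merely shares a name prefix (`out2` next to `out`) is not accepted, and an absolute entry name is caught because `Path.Combine` would otherwise discard the root. The built-in `ZipFile.ExtractToDirectory` performs an equivalent check itself in current .NET; the hazard Snyk Code is looking for is the hand-written loop that bypasses it.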
Snyk Code supports the major .NET frameworks: .NET Framework, .NET Core, ASP.NET (4.x), and ASP.NET Core. As usual, Snyk Code supports all C# libraries out of the box.
Pro tip: Snyk Code scans source files with the *.cs extension and does not scan *.cshtml markup files.
Secure your C# projects today
C# security with Snyk
Use Snyk Code today to scan for vulnerabilities and provide remediation recommendations in your C# and .NET projects. Get 100 free scans per month — unlimited on open source projects.