This article shows you how to analyze your applications that are written in C# using NG SAST. It assumes that you have already set up and authenticated with ShiftLeft.
NG-SAST supports the analysis of applications written in C# 9 (or earlier) with the following characteristics.
|Specification||MSBuild format (.csproj file).|
|Build Environment (.NET Framework)||.NET Framework 4.7 or earlier (though ShiftLeft suppports 4.8) and MSBuild 15.0+|
|Build Environment (.NET Core)||.NET Core 3.1|
|Build Environment (.NET Standard)||.Net 2.0 or earlier|
|Runtime (.NET Framework)||.NET Framework 4.7.2|
|Runtime (.NET Core)||.NET Core 3.1|
|Runtime (.NET)||.NET 5.0|
We recommend running NG SAST on a machine with a minimum of 4 GB RAM and 2 CPU Cores. For each subsequent 100,000 lines of code that you submit for analysis, we recommend an additional 2 GB RAM and 1+ CPU Core.
|Lines of Code||CPUs||RAM|
|<100k||3 cores||6 GB|
|>100k||4 cores||8 GB|
|> 200k||5 cores||10 GB|
|+100k||+1 core||+2 GB|
For example, if your application contains 200,000 lines of code, we recommend that the machine you're using have 8 GB RAM and 4 CPU cores.
Determining Your MSBuild Version
You can determine the version of MSBuild installed by:
- Launching the Developer Command Prompt for Visual Studio
msbuild /versionin the newly-launched prompt
Building Your Application
Before analyzing your code with NG SAST, we recommend building your application to ensure that you have restored dependencies and that you've applied any necessary project-specific settings. For applications based on the .NET Core, use
dotnet restore; for applications based on the .NET Framework, use
For example, you can verify that a .NET Framework-based application can be built by doing the following:
- Launch the Developer Command Prompt for Visual Studio
- In the newly-launched command prompt, navigate to your project location
- Restore NuGet packages using
nuget.exe restore <MySolution.sln>
- Start the build with
msbuild <MyProject.csproj>. Depending on your application, you may need to apply additional options
Please note that you must submit your code to NG SAST from a system that can build your application. Both Windows and Linux machines can be used to build your .NET Core apps, while .NET Framework apps require a Windows machine.
Analyzing Your C# Application
ShiftLeft offers a sample application that you can use to run and test NG SAST. It also includes a functioning configuration file to demonstrate how you can leverage Azure Pipelines or GitHub Actions to automate code analysis whenever you open a new Pull Request (PR).
To analyze your C# application based on .NET, run:
To analyze your C# application based on .NET Core, run:
To analyze your C# application based on .NET Framework, run:
|The name of the application to be analyzed|
|The flag identifying the application's language|
|Whether you're using .NET, .NET Core or .NET Framework in the development of your application|
|The location of the application's |
See the CLI reference for additional
sl analyze options.
Choosing Files to Analyze
We recommend analyzing the
.csproj files for speed and more robust results. When doing so, be sure to use the following two flags when invoking sl analyze:
-- --with-ProjectReference --ignore-tests
If you opt to analyze your
.sln files, be sure to omit
Combining C# Projects for Analysis
When working with .NET apps, you can combine multiple C# projects for analysis as follows:
Note that you can include
--dep multiple times for libs, subprojects, components, etc. The
--dep option allows you to filter for the subprojects/dependencies to include with the primary
.csproj project for analysis. This allows you to adopt the middle ground between analyzing just the primary project:
and analyzing the primary file with all of its dependencies/subprojects:
Passing in Build Parameters
You can pass custom build parameters as part of your
sl analyze command to replicate your build configuration.
All parameters present after
-- are passed directly to the build configuration process. For example, if the build requires a custom parameter for the C# build configuration (
Enabling Log Information
By default, we print logs at the Information level. If you would like more detailed information, pass in the