This article shows you how to analyze your applications that are written in C# using NG SAST. It assumes that you have already set up and authenticated with ShiftLeft.


NG-SAST supports the analysis of applications written in C# 9 (or earlier) with the following characteristics.

SpecificationMSBuild format (.csproj file).
Build Environment (.NET Framework).NET Framework 4.7 or earlier (though ShiftLeft suppports 4.8) and MSBuild 15.0+
Build Environment (.NET Core).NET Core 3.1
Build Environment (.NET Standard).Net 2.0 or earlier
Runtime (.NET Framework).NET Framework 4.7.2
Runtime (.NET Core).NET Core 3.1
Runtime (.NET).NET 5.0

Machine Requirements

We recommend running NG SAST on a machine with a minimum of 4 GB RAM and 2 CPU Cores. For each subsequent 100,000 lines of code that you submit for analysis, we recommend an additional 2 GB RAM and 1+ CPU Core.

Lines of CodeCPUsRAM
<100k3 cores6 GB
>100k4 cores8 GB
> 200k5 cores10 GB
+100k+1 core+2 GB

For example, if your application contains 200,000 lines of code, we recommend that the machine you're using have 8 GB RAM and 4 CPU cores.

Determining Your MSBuild Version

You can determine the version of MSBuild installed by:

  1. Launching the Developer Command Prompt for Visual Studio
  2. Running msbuild /version in the newly-launched prompt

Building Your Application

Before analyzing your code with NG SAST, we recommend building your application to ensure that you have restored dependencies and that you've applied any necessary project-specific settings. For applications based on the .NET Core, use dotnet restore; for applications based on the .NET Framework, use nuget restore.

For example, you can verify that a .NET Framework-based application can be built by doing the following:

  1. Launch the Developer Command Prompt for Visual Studio
  2. In the newly-launched command prompt, navigate to your project location
  3. Restore NuGet packages using nuget.exe restore <MySolution.sln>
  4. Start the build with msbuild <MyProject.csproj>. Depending on your application, you may need to apply additional options

Please note that you must submit your code to NG SAST from a system that can build your application. Both Windows and Linux machines can be used to build your .NET Core apps, while .NET Framework apps require a Windows machine.

Analyzing Your C# Application


ShiftLeft offers a sample application that you can use to run and test NG SAST. It also includes a functioning configuration file to demonstrate how you can leverage Azure Pipelines or GitHub Actions to automate code analysis whenever you open a new Pull Request (PR).

To analyze your C# application based on .NET, run:

dotnet restore [<path to .sln>]
sl analyze --app <name> --csharp --cpg --dotnet [<path to .sln or .csproj>]

To analyze your C# application based on .NET Core, run:

dotnet restore [<path to .sln>]
sl analyze --app <name> --csharp --cpg --dotnet-core [<path to .sln or .csproj>]

To analyze your C# application based on .NET Framework, run:

msbuild [<path to .sln>]
sl.exe analyze --app <name> --csharp --cpg --dotnet-framework [<path to .sln or .csproj>]
--app <name>The name of the application to be analyzed
--csharpThe flag identifying the application's language
--dotnet, --dotnet-core or --dotnet-frameworkWhether you're using .NET, .NET Core or .NET Framework in the development of your application
<path>The location of the application's .csproj or .sln (for .NET Framework app only) file to be analyzed

See the CLI reference for additional sl analyze options.

Choosing Files to Analyze

We recommend analyzing the .csproj files for speed and more robust results. When doing so, be sure to use the following two flags when invoking sl analyze:

-- --with-ProjectReference --ignore-tests

If you opt to analyze your .sln files, be sure to omit --with-ProjectReference.

Combining C# Projects for Analysis

When working with .NET apps, you can combine multiple C# projects for analysis as follows:

sl analyze --app Xyz --csharp [--dotnet|--dotnet-core|--dotnet-framework] --cpg --dep lib.csproj --dep component.csproj app.csproj

Note that you can include --dep multiple times for libs, subprojects, components, etc. The --dep option allows you to filter for the subprojects/dependencies to include with the primary .csproj project for analysis. This allows you to adopt the middle ground between analyzing just the primary project:

sl analyze --app Xyz --csharp --cpg app.csproj

and analyzing the primary file with all of its dependencies/subprojects:

sl analyze --app Xyz --csharp --cpg <path-to-project-file> -- --with-ProjectReference

Passing in Build Parameters

You can pass custom build parameters as part of your sl analyze command to replicate your build configuration.

All parameters present after -- are passed directly to the build configuration process. For example, if the build requires a custom parameter for the C# build configuration (/p:configuration or /p:platform), run:

sl analyze --app Xyz --csharp [--dotnet|--dotnet-core|--dotnet-framework] --cpg <path-to-project-file> -- /p:configuration="Release" /p:platform="Any CPU"

Enabling Log Information

By default, we print logs at the Information level. If you would like more detailed information, pass in the --verbose flag:

sl analyze --csharp --verbose --app Xyz app.csproj