…ulnerabilities Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… interfaces Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ceptions Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…BinaryFormatter Suppress for vendored third-party code (dnlib). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ialize without first setting Binder Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…set before calling Deserialize Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…LosFormatter Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…NetDataContractSerializer Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…rializer and ObjectStateFormatter deserializer rules Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…leTypeResolver rules Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…s other than None Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…urity rules Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…taTable security rules Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…vulnerability rules Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fix DotnetCommon.cs to use XmlReader with DtdProcessing.Prohibit. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…, XML Document and XML Text Reader Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ntiForgeryToken Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…orithms Suppress for vendored code. Pragma suppress IAST aspect that intentionally constructs TripleDES to detect weak crypto usage. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…lgorithms Suppress for vendored code. Pragma suppress Md5Helper (intentional MD5 usage) and IAST aspects (intentional DES/RC2 detection). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…tion Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…deserialization Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…rong crypto Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…rialized object graph Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…n, security protocols, HTTP header checking Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…aSet, pointer fields, ViewStateUserKey Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ize, validating reader, schema read, XPathDocument Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…rm, shared access signature rules Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ivation, certificate store rules Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ey size rules Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…Type value Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ve path injection rules Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CA5391 - Use antiforgery tokens in ASP.NET Core MVC controllers. CA5392 - Use DefaultDllImportSearchPaths attribute for P/Invokes (commented out, too many P/Invoke methods across the codebase). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…Path value Suppress for vendored third-party code (dnlib). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Suppress for vendored code and non-security Random usage (sampling, rate limiting, trace/span ID generation). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ookie HttpOnly rules Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…and hardcoding rules Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…vocation list check rules Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…d-coded certificate rules Suppress CA5401 for vendored third-party code (SharpZipLib). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
NachoEchevarria
approved these changes
Apr 9, 2026
Summary of changes
Enables the built-in security analyzers
Reason for change
We added the performance ones; adding the security ones seemed to be the prudent thing to do.
Implementation details
Had 🤖 iterate through them all, enabling and fixing. But it turns out there's basically nothing to fix, except in the vendored code, where we can't easily fix it... So, do we actually want all these analyzers running in the build? 🤷‍♂️ 🤔
Test coverage
If the tests pass, we're good
Other details
Only one analyzer hit too many places: "Use DefaultDllImportSearchPaths attribute for P/Invokes". I'll look into that one further to see if I can fix it. But still, do we actually want all these turned on?
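For reference, this is what enabling the built-in .NET security analyzers for a whole build, while scoping the exceptions discussed in this PR, looks like in a repo-root .editorconfig. It is an added illustration, not the PR's own configuration: the Security category severity, the `dotnet_diagnostic.<ID>.severity` keys and path-scoped sections are standard .NET SDK analyzer configuration; the `src/Vendored/` path and the choice of which rules to relax there are assumptions.

```editorconfig
# Added example: repo-wide security analyzer policy (not from the PR itself).
root = true

[*.cs]
# Every rule in the "Security" category (CA2xxx deserialization, CA3xxx XML/injection,
# CA5xxx crypto/cookies/etc.) is reported as a warning. With TreatWarningsAsErrors
# in the project, any new finding fails the build.
dotnet_analyzer_diagnostic.category-Security.severity = warning

# CA5392 (DefaultDllImportSearchPaths on P/Invokes) fires on every DllImport in the
# code base. Keep it visible in the IDE as a suggestion instead of commenting it out,
# so it can be promoted to warning once the P/Invokes are attributed.
dotnet_diagnostic.CA5392.severity = suggestion

# Vendored third-party sources (path is an assumption; point it at the real folder).
# Relax only the specific rules that fire there rather than the whole category, so a
# newly vendored file with, say, a BinaryFormatter call (CA2300) is still flagged.
[src/Vendored/**.cs]
dotnet_diagnostic.CA5401.severity = none   # hard-coded IV in vendored compression code
dotnet_diagnostic.CA5394.severity = none   # System.Random used for non-security purposes
```

Per-rule pragmas (`#pragma warning disable CA5351`) remain the right tool for the handful of intentional call sites in first-party code, such as a detection aspect that constructs a weak algorithm on purpose, because they document the intent next to the code; path-scoped editorconfig sections are for code you do not own and will not edit.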