DataDog · andrewlock · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026
@@ -66,3 +66,110 @@ dotnet_diagnostic.CA1870.severity = error # Use a cached SearchValues instance
 dotnet_diagnostic.CA1871.severity = error # Do not pass a nullable struct to ArgumentNullException.ThrowIfNull.
 dotnet_diagnostic.CA1872.severity = error # Prefer Convert.ToHexString over BitConverter.ToString
 
+# Microsoft security analyzers
+dotnet_diagnostic.CA2100.severity = error # Review SQL queries for security vulnerabilities
+dotnet_diagnostic.CA2109.severity = error # Review visible event handlers
+dotnet_diagnostic.CA2119.severity = error # Seal methods that satisfy private interfaces
+dotnet_diagnostic.CA2153.severity = error # Avoid handling corrupted state exceptions
+dotnet_diagnostic.CA2300.severity = error # Do not use insecure deserializer BinaryFormatter
+dotnet_diagnostic.CA2301.severity = error # Do not call BinaryFormatter.Deserialize without first setting Binder
+dotnet_diagnostic.CA2302.severity = error # Ensure BinaryFormatter.Binder is set before calling Deserialize
+dotnet_diagnostic.CA2305.severity = error # Do not use insecure deserializer LosFormatter
+dotnet_diagnostic.CA2310.severity = error # Do not use insecure deserializer NetDataContractSerializer
+dotnet_diagnostic.CA2311.severity = error # Do not deserialize without first setting NetDataContractSerializer.Binder
+dotnet_diagnostic.CA2312.severity = error # Ensure NetDataContractSerializer.Binder is set before deserializing
+dotnet_diagnostic.CA2315.severity = error # Do not use insecure deserializer ObjectStateFormatter
+dotnet_diagnostic.CA2321.severity = error # Do not deserialize with JavaScriptSerializer using SimpleTypeResolver
+dotnet_diagnostic.CA2322.severity = error # Ensure JavaScriptSerializer is not initialized with SimpleTypeResolver
+dotnet_diagnostic.CA2326.severity = error # Do not use TypeNameHandling values other than None
+dotnet_diagnostic.CA2327.severity = error # Do not use insecure JsonSerializerSettings
+dotnet_diagnostic.CA2328.severity = error # Ensure that JsonSerializerSettings are secure
+dotnet_diagnostic.CA2329.severity = error # Do not deserialize with JsonSerializer using insecure configuration
+dotnet_diagnostic.CA2330.severity = error # Ensure JsonSerializer has secure configuration when deserializing
+dotnet_diagnostic.CA2350.severity = error # Ensure DataTable.ReadXml() input is trusted
+dotnet_diagnostic.CA2351.severity = error # Ensure DataSet.ReadXml() input is trusted
+dotnet_diagnostic.CA2352.severity = error # Unsafe DataSet or DataTable in serializable type
+dotnet_diagnostic.CA2353.severity = error # Unsafe DataSet or DataTable in serializable type
+dotnet_diagnostic.CA2354.severity = error # Unsafe DataSet or DataTable in deserialized object graph
+dotnet_diagnostic.CA2355.severity = error # Unsafe DataSet or DataTable in deserialized object graph
+dotnet_diagnostic.CA2356.severity = error # Unsafe DataSet or DataTable in web deserialized object graph
+dotnet_diagnostic.CA2361.severity = error # Ensure autogenerated class with DataSet.ReadXml() not used with untrusted data
+dotnet_diagnostic.CA2362.severity = error # Unsafe DataSet or DataTable in autogenerated serializable type
+dotnet_diagnostic.CA3001.severity = error # Review code for SQL injection vulnerabilities
+dotnet_diagnostic.CA3002.severity = error # Review code for XSS vulnerabilities
+dotnet_diagnostic.CA3003.severity = error # Review code for file path injection vulnerabilities
+dotnet_diagnostic.CA3004.severity = error # Review code for information disclosure vulnerabilities
+dotnet_diagnostic.CA3006.severity = error # Review code for process command injection vulnerabilities
+dotnet_diagnostic.CA3007.severity = error # Review code for open redirect vulnerabilities
+dotnet_diagnostic.CA3008.severity = error # Review code for XPath injection vulnerabilities
+dotnet_diagnostic.CA3009.severity = error # Review code for XML injection vulnerabilities
+dotnet_diagnostic.CA3010.severity = error # Review code for XAML injection vulnerabilities
+dotnet_diagnostic.CA3011.severity = error # Review code for DLL injection vulnerabilities
+dotnet_diagnostic.CA3012.severity = error # Review code for regex injection vulnerabilities
+dotnet_diagnostic.CA3061.severity = error # Do not add schema by URL
+dotnet_diagnostic.CA3075.severity = error # Insecure DTD Processing
+dotnet_diagnostic.CA3076.severity = error # Insecure XSLT Script Execution
+dotnet_diagnostic.CA3077.severity = error # Insecure Processing in API Design, XML Document and XML Text Reader
+dotnet_diagnostic.CA3147.severity = error # Mark verb handlers with ValidateAntiForgeryToken
+dotnet_diagnostic.CA5350.severity = error # Do Not Use Weak Cryptographic Algorithms
+dotnet_diagnostic.CA5351.severity = error # Do Not Use Broken Cryptographic Algorithms
+dotnet_diagnostic.CA5358.severity = error # Do Not Use Unsafe Cipher Modes
+dotnet_diagnostic.CA5359.severity = error # Do not disable certificate validation
+dotnet_diagnostic.CA5360.severity = error # Do not call dangerous methods in deserialization
+dotnet_diagnostic.CA5361.severity = error # Do not disable SChannel use of strong crypto
+dotnet_diagnostic.CA5362.severity = error # Potential reference cycle in deserialized object graph
+dotnet_diagnostic.CA5363.severity = error # Do not disable request validation
+dotnet_diagnostic.CA5364.severity = error # Do not use deprecated security protocols
+dotnet_diagnostic.CA5365.severity = error # Do Not Disable HTTP Header Checking
+dotnet_diagnostic.CA5366.severity = error # Use XmlReader For DataSet Read XML
+dotnet_diagnostic.CA5367.severity = error # Do Not Serialize Types With Pointer Fields
+dotnet_diagnostic.CA5368.severity = error # Set ViewStateUserKey For Classes Derived From Page
+dotnet_diagnostic.CA5369.severity = error # Use XmlReader for Deserialize
+dotnet_diagnostic.CA5370.severity = error # Use XmlReader for validating reader
+dotnet_diagnostic.CA5371.severity = error # Use XmlReader for schema read
+dotnet_diagnostic.CA5372.severity = error # Use XmlReader for XPathDocument
+dotnet_diagnostic.CA5373.severity = error # Do not use obsolete key derivation function
+dotnet_diagnostic.CA5374.severity = error # Do Not Use XslTransform
+dotnet_diagnostic.CA5375.severity = error # Do not use account shared access signature
+dotnet_diagnostic.CA5376.severity = error # Use SharedAccessProtocol HttpsOnly
+dotnet_diagnostic.CA5377.severity = error # Use container level access policy
+dotnet_diagnostic.CA5378.severity = error # Do not disable ServicePointManagerSecurityProtocols
+dotnet_diagnostic.CA5379.severity = error # Ensure key derivation function algorithm is sufficiently strong
+dotnet_diagnostic.CA5380.severity = error # Do not add certificates to root store
+dotnet_diagnostic.CA5381.severity = error # Ensure certificates are not added to root store
+dotnet_diagnostic.CA5382.severity = error # Use secure cookies in ASP.NET Core
+dotnet_diagnostic.CA5383.severity = error # Ensure use secure cookies in ASP.NET Core
+dotnet_diagnostic.CA5384.severity = error # Do not use digital signature algorithm (DSA)
+dotnet_diagnostic.CA5385.severity = error # Use RSA algorithm with sufficient key size
+dotnet_diagnostic.CA5386.severity = error # Avoid hardcoding SecurityProtocolType value
+dotnet_diagnostic.CA5387.severity = error # Do not use weak key derivation function with insufficient iteration count
+dotnet_diagnostic.CA5388.severity = error # Ensure sufficient iteration count when using weak key derivation function
+dotnet_diagnostic.CA5389.severity = error # Do not add archive item's path to the target file system path
+dotnet_diagnostic.CA5390.severity = error # Do not hard-code encryption key
+dotnet_diagnostic.CA5391.severity = error # Use antiforgery tokens in ASP.NET Core MVC controllers
+# dotnet_diagnostic.CA5392.severity = error # Use DefaultDllImportSearchPaths attribute for P/Invokes - too many P/Invoke methods to fix
+dotnet_diagnostic.CA5393.severity = error # Do not use unsafe DllImportSearchPath value
+dotnet_diagnostic.CA5394.severity = error # Do not use insecure randomness
+dotnet_diagnostic.CA5395.severity = error # Miss HttpVerb attribute for action methods
+dotnet_diagnostic.CA5396.severity = error # Set HttpOnly to true for HttpCookie
+dotnet_diagnostic.CA5397.severity = error # Do not use deprecated SslProtocols values
+dotnet_diagnostic.CA5398.severity = error # Avoid hardcoded SslProtocols values
+dotnet_diagnostic.CA5399.severity = error # Definitely disable HttpClient certificate revocation list check
+dotnet_diagnostic.CA5400.severity = error # Ensure HttpClient certificate revocation list check is not disabled
+dotnet_diagnostic.CA5401.severity = error # Do not use CreateEncryptor with non-default IV
+dotnet_diagnostic.CA5402.severity = error # Use CreateEncryptor with the default IV
+dotnet_diagnostic.CA5403.severity = error # Do not hard-code certificate
+dotnet_diagnostic.CA5404.severity = error # Do not disable token validation checks
+dotnet_diagnostic.CA5405.severity = error # Do not always skip token validation in delegates
+
+# Disable security analyzers for vendored third-party code
+[Vendors/**/*.{cs,vb}]
+dotnet_diagnostic.CA2300.severity = none
+dotnet_diagnostic.CA2301.severity = none
+dotnet_diagnostic.CA2302.severity = none
+dotnet_diagnostic.CA5350.severity = none
+dotnet_diagnostic.CA5351.severity = none
+dotnet_diagnostic.CA5393.severity = none
+dotnet_diagnostic.CA5394.severity = none
+dotnet_diagnostic.CA5401.severity = none
+
@@ -228,8 +228,11 @@ internal static bool TryGetCoveragePercentageFromXml(string filePath, out double
             }
 
             // Load Code Coverage from the file.
-            var xmlDoc = new XmlDocument();
-            xmlDoc.Load(filePath);
+            var xmlDoc = new XmlDocument() { XmlResolver = null };
+            using (var reader = XmlReader.Create(filePath, new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null }))
+            {
+                xmlDoc.Load(reader);
+            }
 
             if (xmlDoc.SelectSingleNode("/CoverageSession/Summary/@sequenceCoverage") is { } seqCovAttribute &&
                 double.TryParse(seqCovAttribute.Value, NumberStyles.AllowDecimalPoint, CultureInfo.InvariantCulture, out var seqCovValue))

@@ -131,7 +131,9 @@ public bool Drop()
 
         public double NextDouble()
         {
+#pragma warning disable CA5394 // Intentional: non-security randomness for rate limiting
             return ThreadSafeRandom.Shared.NextDouble();
+#pragma warning restore CA5394
         }
 
         private double ComputeIntervalAlpha(int lookback)

@@ -40,7 +40,9 @@ private static void ProcessCipherClassCreation(SymmetricAlgorithm target)
     [AspectCtorReplace("System.Security.Cryptography.DESCryptoServiceProvider::.ctor()")]
     public static DESCryptoServiceProvider InitDES()
     {
+#pragma warning disable CA5351 // Intentional: IAST aspect replaces weak crypto constructor to detect its usage
         var target = new DESCryptoServiceProvider();
+#pragma warning restore CA5351
         try
         {
             ProcessCipherClassCreation(target);
@@ -60,7 +62,9 @@ public static DESCryptoServiceProvider InitDES()
     [AspectCtorReplace("System.Security.Cryptography.RC2CryptoServiceProvider::.ctor()")]
     public static RC2CryptoServiceProvider InitRC2()
     {
+#pragma warning disable CA5351 // Intentional: IAST aspect replaces weak crypto constructor to detect its usage
         var target = new RC2CryptoServiceProvider();
+#pragma warning restore CA5351
         try
         {
             ProcessCipherClassCreation(target);
@@ -80,7 +84,9 @@ public static RC2CryptoServiceProvider InitRC2()
     [AspectCtorReplace("System.Security.Cryptography.TripleDESCryptoServiceProvider::.ctor()")]
     public static TripleDESCryptoServiceProvider InitTripleDES()
     {
+#pragma warning disable CA5350 // Intentional: IAST aspect replaces weak crypto constructor to detect its usage
         var target = new TripleDESCryptoServiceProvider();
+#pragma warning restore CA5350
         try
         {
             ProcessCipherClassCreation(target);

@@ -9,6 +9,8 @@
 using System.Security.Cryptography;
 using System.Text;
 
+#pragma warning disable CA5351 // Intentional: this helper exists specifically to compute MD5 hashes
+
 namespace Datadog.Trace.Util;
 
 internal static class Md5Helper

@@ -8,6 +8,8 @@
 using System;
 using System.Runtime.InteropServices;
 
+#pragma warning disable CA5394 // Intentional: non-security randomness for trace/span ID generation
+
 namespace Datadog.Trace.Util;
 
 /// <summary>

@@ -7,6 +7,8 @@
 
 using System;
 
+#pragma warning disable CA5394 // Intentional: non-security randomness for sampling and ID generation
+
 namespace Datadog.Trace.Util;
 
 internal static class ThreadSafeRandom