{"id":13458170,"url":"https://github.com/microsoft/ApplicationInspector","last_synced_at":"2025-03-24T15:30:54.994Z","repository":{"id":37601665,"uuid":"213480514","full_name":"microsoft/ApplicationInspector","owner":"microsoft","description":"A source code analyzer built for surfacing features of interest and other characteristics to answer the question 'What's in the code?' quickly using static analysis with a json based rules engine. Ideal for scanning components before use or detecting feature level changes.","archived":false,"fork":false,"pushed_at":"2025-03-08T08:23:26.000Z","size":21071,"stargazers_count":4302,"open_issues_count":26,"forks_count":359,"subscribers_count":82,"default_branch":"main","last_synced_at":"2025-03-18T23:22:52.811Z","etag":null,"topics":["application-inspector","detection","security-scanner","security-tools","software-characterization","static-analysis"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/microsoft.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":"SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-10-07T20:30:29.000Z","updated_at":"2025-03-17T11:32:24.000Z","dependencies_parsed_at":"2023-11-30T20:33:35.317Z","dependency_job_id":"c704ab49-ce7d-4c58-89f5-2d5d72f65d00","html_url":"https://github.com/microsoft/ApplicationInspector","commit_stats":{"total_commits":382,"total_committers":25,"mean_commits":15.28,"dds":0.7094240837696335,"last_synced_commit":"f591a0acb76fc976df579dc6a6930b15e8839e89"},"previous_names":[],"tags_count":220,"t
emplate":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2FApplicationInspector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2FApplicationInspector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2FApplicationInspector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2FApplicationInspector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/microsoft","download_url":"https://codeload.github.com/microsoft/ApplicationInspector/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245297904,"owners_count":20592496,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["application-inspector","detection","security-scanner","security-tools","software-characterization","static-analysis"],"created_at":"2024-07-31T09:00:46.126Z","updated_at":"2025-03-24T15:30:54.041Z","avatar_url":"https://github.com/microsoft.png","language":"C#","readme":"# Introduction\n\n![CodeQL](https://github.com/microsoft/ApplicationInspector/workflows/CodeQL/badge.svg) \n[![Nuget](https://img.shields.io/nuget/v/Microsoft.CST.ApplicationInspector.Cli)](https://www.nuget.org/packages/Microsoft.CST.ApplicationInspector.CLI/) \n[![Nuget](https://img.shields.io/nuget/dt/Microsoft.CST.ApplicationInspector.Cli)](https://www.nuget.org/packages/Microsoft.CST.ApplicationInspector.CLI/)\n\nMicrosoft Application Inspector is a software source code 
characterization tool that helps **identify coding features of\nfirst- or third-party software components** based on well-known library/API calls and is helpful in security and\nnon-security use cases. It uses hundreds of rules and regex patterns to surface interesting characteristics of source\ncode to aid in determining **what the software is** or **what it does** from the file operations it uses, encryption,\nshell operations, cloud APIs, frameworks and more, and has received industry attention as a new and valuable\ncontribution to OSS\non [ZDNet](https://www.zdnet.com/article/microsoft-application-inspector-is-now-open-source-so-use-it-to-test-code-security/),\n[SecurityWeek](https://www.securityweek.com/microsoft-introduces-free-source-code-analyzer),\n[CSOOnline](https://www.csoonline.com/article/3514732/microsoft-s-offers-application-inspector-to-probe-untrusted-open-source-code.html),\n[Linux.com/news](https://www.linux.com/news/microsoft-application-inspector-is-now-open-source-so-use-it-to-test-code-security/),\n[HelpNetSecurity](https://www.helpnetsecurity.com/2020/01/17/microsoft-application-inspector/),\nTwitter and more, and was first featured\non [Microsoft.com](https://www.microsoft.com/security/blog/2020/01/16/introducing-microsoft-application-inspector/).\n\nApplication Inspector is different from traditional static analysis tools in that it doesn't attempt to identify \"good\"\nor \"bad\" patterns; it simply reports what it finds against a set of over 400 rule patterns for feature detection,\nincluding features that impact security such as the use of cryptography. 
This can be extremely helpful in\nreducing the time needed to determine what open source or other components do by examining the source directly rather\nthan trusting limited documentation or recommendations.\n\nThe tool supports scanning various programming languages including C, C++, C#, Java, JavaScript, HTML, Python,\nObjective-C, Go, Ruby, PowerShell\nand [more](https://github.com/microsoft/ApplicationInspector/wiki/3.4-Applies_to-(languages)) and can scan projects with\nmixed-language files. It supports generating results in HTML, JSON, SARIF and text output formats, with the **default being an\nHTML report** similar to the one shown here.\n\n![appinspector-Features](https://user-images.githubusercontent.com/47648296/72893326-9c82c700-3ccd-11ea-8944-9831ea17f3e0.png)\n\nBe sure to see our complete project wiki page https://Github.com/Microsoft/ApplicationInspector/wiki for additional\ninformation and help.\n\n# Quick Start\n\n## Obtain Application Inspector\n\n### .NET Tool (recommended)\n\n- Download and install the .NET 6 [SDK](https://dotnet.microsoft.com/download/)\n- Run `dotnet tool install --global Microsoft.CST.ApplicationInspector.CLI`\n\nSee more in the [wiki](https://github.com/microsoft/ApplicationInspector/wiki/2.-NuGet-Support)\n\n### Platform Dependent Binary\n\n- Download Application Inspector by selecting the pre-built package for the operating system of choice shown under the\n  Assets section\n  of the [Releases](https://github.com/microsoft/ApplicationInspector/releases).\n\n## Run Application Inspector\n\n- NuGet Tool: `appinspector analyze -s path/to/src`\n- Platform Specific: `applicationinspector.cli.exe analyze -s path/to/src`\n\n# Goals\n\nMicrosoft Application Inspector helps you in securing your applications from start to deployment.\n\n**Design Choices** - Enables you to choose which components meet your needs with a smaller footprint of unnecessary or\nunknown features, keeping your application's attack surface smaller, as well as 
helping verify expected ones, e.g.\nindustry-standard crypto only.\n\n**Identifying Feature Deltas** - Detects changes between component versions (see the `tagdiff` command), which can be critical for detecting\ninjection of backdoors.\n\n**Automating Security Compliance Checks** - Use it to identify components with features that require additional security\nscrutiny, approval or SDL compliance as part of your build pipeline, or to create a repository of metadata regarding all of\nyour enterprise applications.\n\n# Contribute\n\nWe have a strong default starting base of rules for feature detection, but there are many feature identification\npatterns yet to be defined and we invite you to **submit ideas** on what you want to see or take a crack at defining a\nfew. This is a chance to directly impact the open source ecosystem by helping provide a tool that everyone can use. See\nthe [Rules](https://github.com/microsoft/ApplicationInspector/wiki/3.-Understanding-Rules) section of the wiki for more.\n\n# Official Releases\n\nApplication Inspector is in GENERAL AUDIENCE release status. Your feedback is important to us. If you're interested in\ncontributing, please review the CONTRIBUTING.md.\n\nApplication Inspector is available as a command-line tool or NuGet package and is supported on Windows, Linux or macOS.\n\nPlatform-specific binaries of the ApplicationInspector CLI are available on our\nGitHub [releases page](https://github.com/microsoft/ApplicationInspector/releases).\n\nThe C# library is available on NuGet\nas [Microsoft.CST.ApplicationInspector.Commands](https://www.nuget.org/packages/Microsoft.CST.ApplicationInspector.Commands/).\n\nThe .NET Global Tool is available on NuGet\nas [Microsoft.CST.ApplicationInspector.CLI](https://www.nuget.org/packages/Microsoft.CST.ApplicationInspector.CLI/).\n\nIf you use the .NET Core version, you will need to have .NET 6.0 or later installed. 
See\nthe [JustRunIt.md](https://github.com/microsoft/ApplicationInspector/blob/main/JustRunIt.md)\nor [BUILD.md](https://github.com/microsoft/ApplicationInspector/blob/main/BUILD.md) files for more.\n\n# CLI Usage Information\n\n```\n\u003e appinspector --help\nApplicationInspector.CLI 1.8.4-beta+976ee3cdd1\n© Microsoft Corporation. All rights reserved.\n\n  analyze        Inspect source directory/file/compressed file (.tgz|zip)\n                 against defined characteristics\n\n  tagdiff        Compares unique tag values between two source paths\n\n  exporttags     Export the list of tags associated with the specified rules.\n                 Does not scan source code.\n\n  verifyrules    Verify custom rules syntax is valid\n\n  packrules      Combine multiple rule files into one file for ease in\n                 distribution\n\n  help           Display more information on a specific command.\n\n  version        Display version information.\n```\n\n## Examples\n\n### Command Help\n\nTo get help for a specific command, run `appinspector \u003ccommand\u003e --help`.\n\n### Analyze Command\n\nThe Analyze Command is the workhorse of Application Inspector.\n\n#### Simple Default Analyze\n\nThis will produce an output.html of the analysis in the current directory using the default arguments and rules.\n\n```\nappinspector analyze -s path/to/files\n```\n\n#### Output SARIF\n\n```\nappinspector analyze -s path/to/files -f sarif -o output.sarif\n```\n\n#### Excluding Files using Globs\n\nThis will create a JSON output named data.json of the analysis in the current directory, excluding all files in `tests`\nand `.git` folders using the provided glob patterns. Quote the `-g` argument on shells that would expand `*` themselves (zsh errors on an unmatched glob).\n\n```\nappinspector analyze -s path/to/files -o data.json -f json -g **/tests/**,**/.git/**\n```\n\n### Additional Usage Information\n\nFor additional help on use of the console interface\nsee [CLI Usage](https://github.com/microsoft/ApplicationInspector/wiki/1.-CLI-Usage).\n\nFor help using the NuGet package\nsee 
[NuGet Support](https://github.com/microsoft/ApplicationInspector/wiki/2.-NuGet-Support)\n\n# Build Instructions\n\nSee [build.md](https://github.com/microsoft/ApplicationInspector/blob/main/BUILD.md)\n","funding_links":[],"categories":["C\\#","C# #","C#","Multiple languages"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicrosoft%2FApplicationInspector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmicrosoft%2FApplicationInspector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicrosoft%2FApplicationInspector/lists"}
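The README's **Goals** section names two workflows, detecting feature deltas between component versions and gating a build on features that need security review, and its CLI section shows `-f json` output. The following is an added example of both together, written for this page and not code from the Application Inspector project. It assumes the JSON result layout (`metaData.uniqueTags`, and `metaData.detailedMatchList` entries carrying `tags`, `fileName` and `startLocationLine`), the CLI exit codes, the review-policy prefixes and the sample tag strings; the two sample results are constructed inline so the tag logic runs without the tool installed.

```python
"""Gate a build on Application Inspector results and diff features between versions.

Added example, not code from the Application Inspector project. It assumes the
`appinspector analyze -f json` output is an object whose "metaData" member holds
"uniqueTags" (a list of tag strings) and "detailedMatchList" (a list of matches
with "tags", "fileName" and "startLocationLine"). Those field names, the exit
codes, the policy prefixes and the sample tag strings are assumptions.
"""
import json
import subprocess
import sys
from pathlib import Path

# Illustrative policy (assumption): tag prefixes that need security review.
REVIEW_REQUIRED = (
    "Cryptography.",
    "Authentication.",
    "OS.Process.DynamicExecution",
)

# Constructed sample results standing in for two scanned versions of a component.
SAMPLE_OLD = {"metaData": {
    "uniqueTags": ["Cryptography.Hash.SHA256", "OS.FileOperation.Read"],
    "detailedMatchList": [],
}}
SAMPLE_NEW = {"metaData": {
    "uniqueTags": ["Cryptography.Hash.SHA256", "OS.FileOperation.Read",
                   "OS.Process.DynamicExecution", "Cloud.AWS"],
    "detailedMatchList": [
        {"ruleName": "Process: Dynamic Execution",
         "tags": ["OS.Process.DynamicExecution"],
         "fileName": "src/util.py", "startLocationLine": 42},
    ],
}}


def analyze(src: Path, out: Path, excludes=("**/tests/**", "**/.git/**")) -> dict:
    """Run `appinspector analyze` with JSON output and load the result file."""
    cmd = ["appinspector", "analyze", "-s", str(src), "-f", "json",
           "-o", str(out), "-g", ",".join(excludes)]  # list form: no shell glob expansion
    proc = subprocess.run(cmd)
    # Assumption about the CLI's exit codes: 0 = matches found, 1 = no matches.
    if proc.returncode not in (0, 1):
        raise RuntimeError(f"appinspector failed with exit code {proc.returncode}")
    return json.loads(out.read_text(encoding="utf-8"))


def unique_tags(result: dict) -> set:
    """All distinct feature tags reported for one scan."""
    return set(result.get("metaData", {}).get("uniqueTags", []))


def flagged_tags(result: dict, policy=REVIEW_REQUIRED) -> set:
    """Tags present in a result that match a review-required prefix."""
    return {t for t in unique_tags(result) if t.startswith(policy)}


def tag_delta(old: dict, new: dict):
    """Feature delta between two versions as (added, removed) tag sets."""
    before, after = unique_tags(old), unique_tags(new)
    return after - before, before - after


def locate(result: dict, tags: set) -> dict:
    """Map each tag of interest to the (file, line) pairs where it was matched."""
    hits = {t: [] for t in tags}
    for m in result.get("metaData", {}).get("detailedMatchList", []):
        for t in m.get("tags", []):
            if t in hits:
                hits[t].append((m.get("fileName"), m.get("startLocationLine")))
    return hits


def gate(old: dict, new: dict, policy=REVIEW_REQUIRED) -> dict:
    """Review-required tags that appear in `new` but not in `old`, with locations."""
    added, _ = tag_delta(old, new)
    return locate(new, {t for t in added if t.startswith(policy)})


if __name__ == "__main__":
    # Usage: gate.py path/to/old-version path/to/new-version
    old_src, new_src = Path(sys.argv[1]), Path(sys.argv[2])
    old = analyze(old_src, Path("old.json"))
    new = analyze(new_src, Path("new.json"))
    blocked = gate(old, new)
    for tag, places in blocked.items():
        print(f"{tag}: " + ", ".join(f"{f}:{line}" for f, line in places))
    sys.exit(1 if blocked else 0)
```

Run it with the source trees of the previous and candidate versions; a non-zero exit means a review-required feature was introduced, with each match's file and line so the reviewer can go straight to it. The set comparison is what `tagdiff` does from the CLI; doing it on the `analyze` JSON keeps the locations and lets the same run feed the compliance policy. Passing the command as a list keeps the shell from expanding the `-g` glob.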