https://github.com/feliceiorillo/jwt-analyzer

# JWT Analyzer

A .NET 10 CLI tool that performs static analysis on C# source code to detect insecure or misconfigured JWT authentication.

## Features

- **Dual Analysis Modes**: Roslyn-based semantic analysis + regex pattern matching
- **Recursive Scanning**: Scans all `.cs` files in a directory, excluding `bin/`, `obj/`, `.git/`, etc.
- **Semantic Analysis**: Uses Microsoft.CodeAnalysis for accurate detection of JWT misconfigurations
- **Regex Fallback**: Lightweight pattern matching for quick scans
- **Multiple Output Formats**: Console, Markdown, and JSON reporting
- **Security Scoring**: 0-100 score based on findings severity
- **CI/CD Integration**: Configurable exit codes for build pipelines

## Installation

Build the project:

```bash
dotnet build -c Release
```

## Usage

```bash
jwt-analyzer <path> [options]
```

### Arguments

- `<path>` - Path to scan for C# source files

### Options

- `--format <format>` - Output format: `console`, `md`, `json` (default: `console`)
- `--fail-on <level>` - Exit with code 1 if any finding is at or above this level: `none`, `medium`, `high`, `critical` (default: `none`)
- `--output <file>` - Write the report to a file instead of the console
- `--mode <mode>` - Analysis mode: `regex`, `semantic`, `hybrid` (default: `hybrid`)

### Analysis Modes

- **`regex`** - Fast regex-based pattern matching (legacy mode)
- **`semantic`** - Roslyn-based semantic analysis (accurate, slower)
- **`hybrid`** - Both semantic and regex analysis (recommended)

### Examples

Scan current directory with semantic analysis:
```bash
jwt-analyzer . --mode semantic
```

Generate markdown report with hybrid analysis:
```bash
jwt-analyzer ./src --format md --output report.md --mode hybrid
```

Fail build on high severity issues (regex only for speed):
```bash
jwt-analyzer ./src --fail-on high --mode regex
```

Generate JSON report for CI with full semantic analysis:
```bash
jwt-analyzer ./src --format json --output results.json --fail-on medium --mode semantic
```

## Detection Rules

### CRITICAL Severity (-25 points each)

| Rule ID | Description | Semantic | Regex |
|---------|-------------|----------|-------|
| JWT001 | `ValidateIssuer = false` - Accepts tokens from any issuer | ✓ | ✓ |
| JWT002 | `ValidateAudience = false` - Accepts tokens for any audience | ✓ | ✓ |
| JWT003 | `SecurityAlgorithms.None` - Allows unsigned tokens | | ✓ |
| JWT004 | `alg = "none"` - Creates unsigned tokens | | ✓ |

### HIGH Severity (-10 points each)

| Rule ID | Description | Semantic | Regex |
|---------|-------------|----------|-------|
| JWT005 | `RequireExpirationTime = false` - Accepts tokens without an expiration claim | ✓ | ✓ |
| JWT006 | `ValidateLifetime = false` - Accepts expired tokens | ✓ | ✓ |
| JWT007 | `ClockSkew > 5 minutes` - Excessive time tolerance | ✓ | ✓ |
| JWT008 | Hardcoded symmetric signing key in source code | ✓ | ✓ |

### MEDIUM Severity (-5 points each)

| Rule ID | Description | Semantic | Regex |
|---------|-------------|----------|-------|
| JWT009 | Hardcoded `ValidIssuer` value | | ✓ |
| JWT010 | Hardcoded `ValidAudience` value | | ✓ |
| JWT011 | Manual JWT parsing without validation | | ✓ |
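To make the tables concrete, here is an added example (written for this page, not taken from jwt-analyzer or its test suite) that puts a `TokenValidationParameters` object triggering JWT001, JWT002 and JWT005 through JWT010 next to a hardened version, and a bare `ReadJwtToken` call of the kind JWT011 targets next to a proper `ValidateToken` call. The configuration keys `Jwt:Issuer` and `Jwt:Audience`, the `JWT_SIGNING_KEY` environment variable and the sample issuer/audience strings are assumptions made for illustration.

```csharp
// Added example (not jwt-analyzer project code): the same TokenValidationParameters
// written insecurely and then hardened. Rule IDs refer to the tables above.
// Package assumed: Microsoft.AspNetCore.Authentication.JwtBearer (it brings in
// Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt).
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class JwtSetup
{
    // INSECURE: every annotated property is a finding. Kept only to show what the
    // analyzer looks for; never register this in a real application.
    public static TokenValidationParameters Insecure() => new()
    {
        ValidateIssuer = false,                      // JWT001 (CRITICAL)
        ValidateAudience = false,                    // JWT002 (CRITICAL)
        RequireExpirationTime = false,               // JWT005 (HIGH)
        ValidateLifetime = false,                    // JWT006 (HIGH)
        ClockSkew = TimeSpan.FromMinutes(30),        // JWT007 (HIGH): more than 5 minutes
        IssuerSigningKey = new SymmetricSecurityKey( // JWT008 (HIGH): key lives in source
            Encoding.UTF8.GetBytes("dev-secret-please-change-0123456789")),
        ValidIssuer = "https://auth.example.com",    // JWT009 (MEDIUM): hardcoded issuer
        ValidAudience = "orders-api",                // JWT010 (MEDIUM): hardcoded audience
    };

    // HARDENED: every check on, tight skew, key and identifiers supplied at runtime.
    // "Jwt:Issuer", "Jwt:Audience" and JWT_SIGNING_KEY are assumed names.
    public static TokenValidationParameters Hardened(IConfiguration config)
    {
        var keyText = Environment.GetEnvironmentVariable("JWT_SIGNING_KEY")
                      ?? throw new InvalidOperationException("JWT_SIGNING_KEY is not set");
        var keyBytes = Encoding.UTF8.GetBytes(keyText);
        if (keyBytes.Length < 32)                    // HS256 wants at least 256 bits of key
            throw new InvalidOperationException("JWT_SIGNING_KEY is too short for HS256");

        return new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = config["Jwt:Issuer"],
            ValidateAudience = true,
            ValidAudience = config["Jwt:Audience"],
            ValidateLifetime = true,
            RequireExpirationTime = true,
            RequireSignedTokens = true,              // default, made explicit: no alg=none
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(keyBytes),
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // pin the algorithm
            ClockSkew = TimeSpan.FromSeconds(30),
        };
    }

    // Wire the hardened parameters into the JwtBearer handler.
    public static void Register(IServiceCollection services, IConfiguration config) =>
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options => options.TokenValidationParameters = Hardened(config));

    // JWT011 (MEDIUM): ReadJwtToken only base64-decodes the token. Nothing is verified,
    // so every claim returned here is attacker-controlled.
    public static string SubjectUnverified(string token) =>
        new JwtSecurityTokenHandler().ReadJwtToken(token).Subject;

    // Correct: ValidateToken checks signature, issuer, audience and lifetime against the
    // supplied parameters and throws a SecurityTokenException if any check fails.
    public static ClaimsPrincipal Verified(string token, TokenValidationParameters parameters) =>
        new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
}
```

The hardened version also pins `ValidAlgorithms`. A validator that accepts whatever algorithm the token header names is what makes the `alg = "none"` problem behind JWT003 and JWT004 (and symmetric/asymmetric key confusion) exploitable, and `RequireSignedTokens` rejects unsigned tokens before any claim is read.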

## Semantic Analysis

The semantic analyzer uses Microsoft.CodeAnalysis (Roslyn) to:

- **Parse syntax trees** for accurate code structure analysis
- **Build semantic models** to understand type information
- **Detect JWT configurations** in `TokenValidationParameters` and `JwtBearerOptions`
- **Avoid false positives** by understanding code context
- **Analyze initialization patterns** including object initializers and property assignments

### Benefits over Regex

- More accurate detection of configuration issues
- Understands C# syntax and semantics
- Fewer false positives
- Can detect issues across method boundaries
- Type-aware analysis

## Security Score

The security score starts at 100 and decreases based on findings:
- **CRITICAL**: -25 points
- **HIGH**: -10 points
- **MEDIUM**: -5 points

Score is clamped between 0-100.

## Exit Codes

- `0` - Success (or findings below `--fail-on` threshold)
- `1` - Failure (findings >= `--fail-on` threshold, or error)
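The three sections above describe one pipeline: find misconfigurations in the syntax tree, subtract points per severity, and map the result to an exit code. The following added example (not jwt-analyzer's own source) implements that pipeline for a handful of the rules using only the Microsoft.CodeAnalysis.CSharp package and a syntax-tree walk over `TokenValidationParameters` initializers. The sample input is constructed here and includes a commented-out `ValidateAudience = false` to show the kind of false positive a regex produces and a tree walk does not; the rule subset and helper names are assumptions for illustration.

```csharp
// Added example (not jwt-analyzer project code): a syntax-tree walk that flags a few
// TokenValidationParameters settings, scores the findings and maps them to an exit code.
// Package assumed: Microsoft.CodeAnalysis.CSharp. Run with `dotnet run`.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

enum Severity { Medium = 5, High = 10, Critical = 25 }   // points subtracted per finding

record Finding(string RuleId, Severity Severity, int Line, string Message);

static class MiniAnalyzer
{
    // Boolean settings that are a finding when set to false, with rule ID and severity.
    static readonly Dictionary<string, (string Rule, Severity Sev)> FalseIsBad = new()
    {
        ["ValidateIssuer"]        = ("JWT001", Severity.Critical),
        ["ValidateAudience"]      = ("JWT002", Severity.Critical),
        ["RequireExpirationTime"] = ("JWT005", Severity.High),
        ["ValidateLifetime"]      = ("JWT006", Severity.High),
    };

    public static List<Finding> Analyze(string source)
    {
        var root = CSharpSyntaxTree.ParseText(source).GetRoot();
        var findings = new List<Finding>();

        // Only look inside `new TokenValidationParameters { ... }` initializers, so the
        // same text in a comment, a string literal or an unrelated type is ignored.
        foreach (var creation in root.DescendantNodes().OfType<ObjectCreationExpressionSyntax>()
                     .Where(c => c.Type.ToString().EndsWith("TokenValidationParameters")))
        {
            if (creation.Initializer is null) continue;

            foreach (var assign in creation.Initializer.Expressions.OfType<AssignmentExpressionSyntax>())
            {
                string name = assign.Left.ToString();
                int line = assign.GetLocation().GetLineSpan().StartLinePosition.Line + 1;

                if (FalseIsBad.TryGetValue(name, out var rule) &&
                    assign.Right.IsKind(SyntaxKind.FalseLiteralExpression))
                    findings.Add(new(rule.Rule, rule.Sev, line, $"{name} is set to false"));

                // JWT007: ClockSkew = TimeSpan.FromMinutes(n) with an integer literal n > 5.
                if (name == "ClockSkew" && assign.Right is InvocationExpressionSyntax inv &&
                    inv.Expression.ToString() == "TimeSpan.FromMinutes" &&
                    inv.ArgumentList.Arguments.FirstOrDefault()?.Expression is LiteralExpressionSyntax lit &&
                    lit.Token.Value is int minutes && minutes > 5)
                    findings.Add(new("JWT007", Severity.High, line, $"ClockSkew of {minutes} minutes"));
            }
        }
        return findings;
    }

    // Score starts at 100, loses the severity's points per finding, clamped to 0..100.
    public static int Score(IEnumerable<Finding> findings) =>
        Math.Clamp(100 - findings.Sum(f => (int)f.Severity), 0, 100);

    // --fail-on semantics: null means "none"; otherwise exit 1 if any finding is at or
    // above the threshold.
    public static int ExitCode(IEnumerable<Finding> findings, Severity? failOn) =>
        failOn is { } threshold && findings.Any(f => f.Severity >= threshold) ? 1 : 0;
}

static class Program
{
    // Constructed sample input. The commented-out line must not produce a finding.
    const string Sample = """
        var p = new TokenValidationParameters
        {
            ValidateIssuer = false,
            // ValidateAudience = false,   a regex would match this line; the tree walk does not
            ValidateLifetime = false,
            ClockSkew = TimeSpan.FromMinutes(30),
        };
        """;

    static int Main()
    {
        var findings = MiniAnalyzer.Analyze(Sample);
        foreach (var f in findings)
            Console.WriteLine($"[{f.Severity.ToString().ToUpper()}] {f.RuleId} line {f.Line}: {f.Message}");
        Console.WriteLine($"Security Score: {MiniAnalyzer.Score(findings)}/100");
        return MiniAnalyzer.ExitCode(findings, Severity.High);   // equivalent of --fail-on high
    }
}
```

On the constructed sample this reports JWT001 (CRITICAL), JWT006 (HIGH) and JWT007 (HIGH) and nothing for the commented-out line, so the score follows the table as 100 - 25 - 10 - 10 and the process exits 1 because HIGH findings meet the `high` threshold. A real semantic mode would additionally build a `Compilation` with the Microsoft.IdentityModel.Tokens reference so the type check does not depend on the spelled-out type name.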

## Architecture

```
jwt-analyzer/
├── CLI/         # Command-line parsing
├── Scanning/    # Source file discovery
├── Rules/       # Regex-based JWT security rules
├── Semantic/    # Roslyn-based semantic analysis
│   ├── SemanticAnalyzer.cs
│   ├── SemanticRuleEngine.cs
│   └── Rules/   # Semantic JWT security rules
├── Engine/      # Rule execution engine
├── Reporting/   # Output formatters
└── Models/      # Core data structures
```

## Example Output

### Console Format

```
Running semantic analysis...
Running regex analysis...
╔════════════════════════════════════════════════════════════════════╗
║                    JWT Security Analysis Report                    ║
╚════════════════════════════════════════════════════════════════════╝

Files Scanned: 15
Total Findings: 3

[CRITICAL] 1 finding(s)
[HIGH] 1 finding(s)
[MEDIUM] 1 finding(s)

Security Score: 60/100

────────────────────────────────────────────────────────────────────
Findings:
────────────────────────────────────────────────────────────────────

[CRITICAL] JWT001
File: src/Auth/JwtConfig.cs:42
CRITICAL: ValidateIssuer is set to false. This allows tokens from any issuer...
```

## Performance Considerations

- **Regex mode**: Fast, suitable for large codebases, may have false positives
- **Semantic mode**: Slower, very accurate, recommended for critical analysis
- **Hybrid mode**: Best of both worlds, deduplicates findings

## Limitations

- Semantic analysis requires valid C# syntax (but not full compilation)
- Some rules only available in regex mode (e.g., JWT003, JWT004, JWT009-011)
- No auto-fix capabilities
- No runtime validation

## License

MIT