C# SAST
What xgrep detects in C# / .NET — injection, XSS, deserialization, broken access control, and weak crypto — including ASP.NET and Razor.
xgrep parses .cs into tree-sitter ASTs and ships roughly 150 rules, with
coverage for ASP.NET and Razor views. Detection here leans more on precise
structural and configuration patterns than on taint, with a handful of taint-based
rules for the highest-impact flows.
xgrep scan --include '*.cs' .
What xgrep detects
Injection — sql-injection, command-injection, code-injection,
ldap-injection, xpath-injection, xml-injection, resource-injection,
log-injection, format-string, regex-injection.
Cross-site scripting — xss, razor-unescaped-output,
razor-inline-js-injection, ihtmlstring-xss.
Deserialization & XML — unsafe-deserialization, xxe, xml-validation.
SSRF, redirects & path traversal — ssrf-request, open-redirect,
path-traversal, directory-listing.
Broken access control — missing-access-control, missing-authorization,
idor, csrf, session-fixation, request-validation-mode, validate-request,
runtime-checks-bypass.
Crypto & TLS — weak-cipher, weak-random, inadequate-hashing,
hashed-but-no-hash, insecure-tls, disabled-cert-validation, install-root-cert,
insecure-sql-connection.
Cookies & headers — insecure-cookie, cookie-no-httponly, persistent-cookie,
missing-security-headers, missing-x-frame-options, max-request-length.
Data exposure — cleartext-storage, sensitive-data-logging,
sensitive-exposure, stacktrace-exposure, hardcoded-credentials, privacy.
Availability (DoS) — regex-dos, buffer-overflow.
Correctness — extensive api-abuse-*, language-abuse-*, and likely-bugs-*
families catch IDisposable misuse, inconsistent Equals/GetHashCode, precision
loss, and dead stores (run with --category correctness).
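To make the injection family above concrete, here is an added example (not xgrep's own code or any of its rules): an ASP.NET Core controller with a string-concatenated SQL query of the kind a sql-injection rule is meant to flag, next to the parameterised version of the same query that it should leave alone. The connection-string name and the Users table are placeholders.

```csharp
// Added example, not from xgrep. The controller name, route, connection-string
// name and table are placeholders chosen for illustration.
using System.Collections.Generic;
using System.Data;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Data.SqlClient;
using Microsoft.Extensions.Configuration;

public class UsersController : Controller
{
    private readonly string _connectionString;

    public UsersController(IConfiguration config)
    {
        // "Users" is a placeholder connection-string name.
        _connectionString = config.GetConnectionString("Users");
    }

    // Vulnerable: the request parameter is spliced into the query text, so the
    // database parses attacker input as SQL. A name of   x' OR '1'='1
    // returns every row. This is the shape a sql-injection rule looks for.
    [HttpGet("users/search-unsafe")]
    public IActionResult SearchUnsafe(string name)
    {
        var sql = "SELECT Id, Name FROM Users WHERE Name = '" + name + "'";
        using var conn = new SqlConnection(_connectionString);
        using var cmd = new SqlCommand(sql, conn);
        conn.Open();
        return Ok(ReadNames(cmd));
    }

    // Hardened: identical query, but the value is bound as a typed parameter.
    // The SQL text is constant, so no input can change its structure.
    [HttpGet("users/search")]
    public IActionResult Search(string name)
    {
        const string sql = "SELECT Id, Name FROM Users WHERE Name = @name";
        using var conn = new SqlConnection(_connectionString);
        using var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name ?? string.Empty;
        conn.Open();
        return Ok(ReadNames(cmd));
    }

    private static List<string> ReadNames(SqlCommand cmd)
    {
        var names = new List<string>();
        using var reader = cmd.ExecuteReader();
        while (reader.Read())
            names.Add(reader.GetString(1));
        return names;
    }
}
```

The parameterised version is the one to diff against when triaging a finding: if the query text is a constant and every user value goes through `Parameters`, the report is a false positive and the rule is usually matching on a string concatenation elsewhere in the method.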
Taint analysis
A focused set of rules uses taint mode for the
highest-impact flows (e.g. untrusted-input reaching injection sinks). Most C# rules
match precise structural or configuration patterns, which is the more reliable signal
for ASP.NET request-validation and crypto-configuration issues.
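The distinction drawn above is easiest to see side by side. The following is an added example, not xgrep's code or rules: a command-injection flow where the request value passes through a helper before it reaches the sink, so only a rule that tracks taint across the call will connect source to sink; its allowlisted, argv-based replacement; and a certificate-validation bypass that is a fixed configuration shape, matchable structurally with no flow to follow. Controller, route and helper names are placeholders, and the ping flags are the Windows form.

```csharp
// Added example, not from xgrep. Names and routes are placeholders.
using System;
using System.Diagnostics;
using System.Net.Http;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Mvc;

public class ToolsController : Controller
{
    // Source: a query-string value. It is reshaped by BuildArgs() before it
    // becomes the argument string handed to cmd.exe. A pattern that only looks
    // for Process.Start(Request...) never sees this; a taint rule follows `host`
    // through the helper into ProcessStartInfo.Arguments (command-injection).
    [HttpGet("tools/ping")]
    public IActionResult Ping(string host)
    {
        var psi = new ProcessStartInfo("cmd.exe")
        {
            Arguments = BuildArgs(host),   // sink
            RedirectStandardOutput = true,
            UseShellExecute = false,
        };
        using var p = Process.Start(psi);
        return Content(p.StandardOutput.ReadToEnd());
    }

    // Looks like cleanup but is not: Trim() does nothing to "& del ..." or "| ...".
    private static string BuildArgs(string host) => "/c ping -n 1 " + host.Trim();

    // Hardened: strict allowlist (must start alphanumeric, so no "-flag"), and the
    // value is passed as a single argv entry with no shell in between.
    [HttpGet("tools/ping-safe")]
    public IActionResult PingSafe(string host)
    {
        if (string.IsNullOrEmpty(host) || !Regex.IsMatch(host, @"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$"))
            return BadRequest("invalid host");

        var psi = new ProcessStartInfo("ping")
        {
            RedirectStandardOutput = true,
            UseShellExecute = false,
        };
        psi.ArgumentList.Add("-n");
        psi.ArgumentList.Add("1");
        psi.ArgumentList.Add(host);
        using var p = Process.Start(psi);
        return Content(p.StandardOutput.ReadToEnd());
    }

    // No taint involved: accepting every server certificate is a fixed
    // configuration shape (disabled-cert-validation). A structural rule matches
    // the callback that always returns true wherever it appears.
    public static HttpClient InsecureClient()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (msg, cert, chain, errors) => true
        };
        return new HttpClient(handler);
    }
}
```

When a taint finding cites a helper like `BuildArgs`, check whether the helper actually constrains the value (an allowlist, a parse into a typed object) or merely reshapes it; only the former justifies marking it as a sanitizer.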
See also Secrets scanning and the CLI reference.