
Quick Start

This guide walks you through triggering your first diagnostic and fixing it.

1. Install the package

dotnet add package Owasp.Analyzers

2. Write code that triggers a rule

Add this controller to an ASP.NET Core project that references the package (the usings are included so the snippet compiles as-is; the second one is needed once you add [Authorize] or [AllowAnonymous] in step 4):

using Microsoft.AspNetCore.Authorization; // [Authorize], [AllowAnonymous]
using Microsoft.AspNetCore.Mvc;           // [ApiController], ControllerBase

[ApiController]
[Route("[controller]")]
public class UserController : ControllerBase
{
    [HttpGet("{id}")]
    // ❌ OWASPA01001: missing [Authorize] or [AllowAnonymous]
    public IActionResult GetProfile(int id)
    {
        return Ok(id);
    }
}

3. Build and see the diagnostic

dotnet build

Output:

warning OWASPA01001: Action 'GetProfile' on controller 'UserController' is not decorated with [Authorize] or [AllowAnonymous]. Unauthenticated access may be unintentional.

4. Fix it

Add the appropriate attribute:

    [HttpGet("{id}")]
    [Authorize] // ✅ authenticated access required
    public IActionResult GetProfile(int id)
    {
        return Ok(id);
    }

Or, if public access is intentional:

    [HttpGet("{id}")]
    [AllowAnonymous] // ✅ explicitly opts out
    public IActionResult GetProfile(int id)
    {
        return Ok(id);
    }
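The attribute satisfies the analyzer, but it only protects anything at runtime when an authentication scheme is registered and the authentication and authorization middleware are in the pipeline; with no default scheme, a request to an [Authorize] action throws InvalidOperationException instead of returning 401. The following is an added example, not code from the Owasp.Analyzers documentation, showing steps 2 to 4 end to end in one file: it assumes a .NET 8 minimal-hosting web API project with the Microsoft.AspNetCore.Authentication.JwtBearer package added, and the configuration keys Auth:Authority and Auth:Audience are assumed names.

```csharp
// Added example (not from the Owasp.Analyzers docs). Assumes a .NET 8 web API project
// with Owasp.Analyzers and Microsoft.AspNetCore.Authentication.JwtBearer referenced.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

// [Authorize] is enforced only if a scheme exists and the middleware runs.
// Without a default scheme, an [Authorize] action throws at request time
// rather than returning 401, so wire up authentication explicitly.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = builder.Configuration["Auth:Authority"]; // assumed config key
        options.Audience = builder.Configuration["Auth:Audience"];   // assumed config key
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication(); // must come before UseAuthorization
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("[controller]")]
public class UserController : ControllerBase
{
    // ✅ Authenticated callers only: satisfies OWASPA01001 and is enforced by the middleware above.
    [HttpGet("{id}")]
    [Authorize]
    public IActionResult GetProfile(int id) => Ok(new { id });

    // ✅ Intentionally public: the explicit opt-out records the decision and satisfies the rule.
    [HttpGet("{id}/avatar")]
    [AllowAnonymous]
    public IActionResult GetAvatar(int id) => Ok(new { id, avatar = "default.png" });

    // ❌ Neither attribute: OWASPA01001 is reported here. Left in place to show the
    // warning on an unsafe-by-default write endpoint; decorate it before shipping.
    [HttpDelete("{id}")]
    public IActionResult DeleteProfile(int id) => NoContent();
}
```

Because the diagnostic is a warning, `dotnet build` still succeeds; to make it block a CI build, raise it with the standard Roslyn setting `dotnet_diagnostic.OWASPA01001.severity = error` in .editorconfig, or enable `TreatWarningsAsErrors` in the project file.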

5. Suppress a false positive

If you have a legitimate reason to skip a rule on a specific line, use #pragma (and record the reason next to it, so a reviewer can see why the suppression is justified):

    #pragma warning disable OWASPA01001
    [HttpGet("{id}")]
    public IActionResult GetProfile(int id) { ... }
    #pragma warning restore OWASPA01001

Or suppress globally in .editorconfig:

[*.cs]
dotnet_diagnostic.OWASPA01001.severity = none

Next steps