## Introduction
Owasp.Analyzers is a collection of Roslyn diagnostic analyzers that surface OWASP Top 10 2021 security vulnerabilities as compiler warnings and errors in your C#/.NET projects.
## How it works
Roslyn analyzers run inside the compiler pipeline — no external tools, no CI-only scans. Every build checks your code against the rules. Violations appear inline in your IDE (Visual Studio, Rider, VS Code) and as dotnet build output, exactly like ordinary compiler warnings.
```text
warning OWASPA01001: Action 'GetProfile' is not decorated with [Authorize] or [AllowAnonymous]
error OWASPA03001: User-controlled data flows into SQL command without parameterization
```
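To show what one of these rules looks like inside the compiler pipeline, here is an added illustrative analyzer for the OWASPA01001 sample warning above. It is not the Owasp.Analyzers implementation; the `ControllerBase`, `IAuthorizeData` and `IAllowAnonymous` type names are assumed from ASP.NET Core, and the check (method-level or class-level attribute, including custom attributes that implement those interfaces) is one reasonable reading of the rule, not the project's documented semantics.

```csharp
using System.Collections.Immutable;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.Diagnostics;

// Illustrative analyzer, not the Owasp.Analyzers implementation: flags a public controller
// action carrying neither [Authorize] nor [AllowAnonymous] on the method or its class.
[DiagnosticAnalyzer(LanguageNames.CSharp)]
public sealed class MissingAuthorizeAnalyzer : DiagnosticAnalyzer
{
    // Rule id and message text mirror the README's sample warning.
    private static readonly DiagnosticDescriptor Rule = new(
        id: "OWASPA01001", title: "Controller action has no authorization attribute",
        messageFormat: "Action '{0}' is not decorated with [Authorize] or [AllowAnonymous]",
        category: "A01 Broken Access Control", defaultSeverity: DiagnosticSeverity.Warning,
        isEnabledByDefault: true);
    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics =>
        ImmutableArray.Create(Rule);
    public override void Initialize(AnalysisContext context)
    {
        context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
        context.EnableConcurrentExecution();
        // Symbol actions run after binding, so attributes and base types resolve semantically.
        context.RegisterSymbolAction(AnalyzeMethod, SymbolKind.Method);
    }

    private static void AnalyzeMethod(SymbolAnalysisContext context)
    {
        var method = (IMethodSymbol)context.Symbol;
        if (method.MethodKind != MethodKind.Ordinary || method.IsStatic ||
            method.DeclaredAccessibility != Accessibility.Public) return;
        var controller = method.ContainingType;
        if (!InheritsFrom(controller, "Microsoft.AspNetCore.Mvc.ControllerBase")) return;
        if (HasAuthAttribute(method) || HasAuthAttribute(controller)) return;
        context.ReportDiagnostic(Diagnostic.Create(Rule, method.Locations[0], method.Name));
    }

    // ASP.NET Core keys authorization on these interfaces, so custom IAuthorizeData attributes count too.
    private static bool HasAuthAttribute(ISymbol symbol) => symbol.GetAttributes().Any(a =>
        a.AttributeClass?.AllInterfaces.Any(i => i.ToDisplayString()
            is "Microsoft.AspNetCore.Authorization.IAuthorizeData"
            or "Microsoft.AspNetCore.Authorization.IAllowAnonymous") == true);

    private static bool InheritsFrom(INamedTypeSymbol? type, string fullName)
    {
        for (var t = type; t is not null; t = t.BaseType)
            if (t.ToDisplayString() == fullName) return true;
        return false;
    }
}
```

Because the check runs on bound symbols, a controller that inherits `[Authorize]` from a base class still passes, and a rename of the attribute via a `using` alias does not cause a false positive.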
## Coverage
| Category | Rules | Technique |
|---|---|---|
| A01 Broken Access Control | 5 | Syntax / Semantic |
| A02 Cryptographic Failures | 8 | Syntax / Semantic |
| A03 Injection | 6 | Taint analysis |
| A04 Insecure Design | 1 | Syntax |
| A05 Security Misconfiguration | 6 | Syntax |
| A06 Vulnerable Components | 2 | MSBuild target |
| A07 Authentication Failures | 5 | Semantic |
| A08 Data Integrity Failures | 4 | Semantic |
| A09 Logging Failures | 4 | Syntax / Taint |
| A10 SSRF | 3 | Taint analysis |