Microsoft Application Inspector
When to Use Application Inspector
Ideal scenarios:
- Technology stack profiling and discovery
- Identifying security-relevant code patterns (authentication, cryptography, logging)
- Pre-audit reconnaissance to understand codebase capabilities
- Detecting use of sensitive APIs and security controls
- Creating software composition reports
- Finding data handling patterns (PII, credentials, encryption)
Complements other tools:
- Use before Semgrep/CodeQL for context on what security patterns exist
- Combine with SARIF Issue Reporter for detailed findings analysis
- Use alongside SCA tools to understand both dependencies and implementation
When NOT to Use
Do NOT use this skill for:
- Finding specific vulnerabilities (use Semgrep, CodeQL, or SAST tools)
- Dependency vulnerability scanning (use OSV-Scanner or Depscan)
- Secrets detection (use Gitleaks)
- IaC security analysis (use KICS)
- Deep data flow analysis
Installation
# .NET tool (recommended)
dotnet tool install --global Microsoft.CST.ApplicationInspector.CLI
# Update
dotnet tool update --global Microsoft.CST.ApplicationInspector.CLI
# Verify
appinspector --version
# Docker
docker pull mcr.microsoft.com/app-inspector
docker run -v ${PWD}:/app mcr.microsoft.com/app-inspector analyze -s /app -f sarif -o /app/results.sarif
Core Workflow
1. Quick Analysis
# Analyze directory with default rules
appinspector analyze -s /path/to/code -f html -o report.html
# Text summary
appinspector analyze -s /path/to/code -f text
# JSON output
appinspector analyze -s /path/to/code -f json -o results.json
2. SARIF Output
# Generate SARIF report
appinspector analyze -s /path/to/code \
--output-file-format sarif \
--output-file-path results.sarif
# With custom rules
appinspector analyze -s /path/to/code \
-r /path/to/custom-rules \
--output-file-format sarif \
--output-file-path results.sarif
# Single-threaded for stability
appinspector analyze -s /path/to/code \
--single-threaded \
--file-timeout 500000 \
--output-file-format sarif \
--output-file-path results.sarif
3. Security-Focused Analysis
# Focus on security features
appinspector analyze -s /path/to/code \
-t "Authentication,Cryptography,Authorization" \
-f json -o security-features.json
# Exclude test files
appinspector analyze -s /path/to/code \
-e "test,tests,spec,__pycache__" \
-f sarif -o results.sarif
Understanding Output
Tag Categories
Application Inspector detects patterns across categories:
| Category | Examples |
|---|---|
| Authentication | OAuth, JWT, Session management, Password handling |
| Cryptography | AES, RSA, Hashing, Key derivation, Random generation |
| Authorization | RBAC, ACL, Permission checks, Policy enforcement |
| Data.PII | Email, SSN, Credit card, Phone numbers |
| Data.Credentials | API keys, Passwords, Tokens, Certificates |
| CloudServices | AWS, Azure, GCP API usage |
| Framework | Express, Django, Spring, ASP.NET |
| Database | SQL, NoSQL, ORM usage |
Severity Levels
- Critical: High-risk patterns (hardcoded secrets, weak crypto)
- Important: Security-relevant code requiring review
- Moderate: Potentially sensitive functionality
- ManualReview: Patterns requiring human analysis
- BestPractice: Recommended patterns found
Custom Rules
Rule Structure
{
"name": "Detect hardcoded API keys",
"id": "DS123456",
"description": "Identifies potential hardcoded API keys",
"tags": [
"Data.Credentials.APIKey"
],
"severity": "Critical",
"patterns": [
{
"pattern": "api[_-]?key\\s*=\\s*['\"][a-zA-Z0-9]{20,}['\"]",
"type": "regex",
"confidence": "High",
"scopes": [
"code"
]
}
]
}
Rule File Format
Create custom-rules.json:
[
{
"name": "AWS Access Key",
"id": "DS001",
"tags": ["Data.Credentials.AWS"],
"severity": "Critical",
"patterns": [
{
"pattern": "AKIA[0-9A-Z]{16}",
"type": "regex",
"confidence": "High"
}
]
}
]
Use with:
appinspector analyze -s /code -r custom-rules.json -f sarif -o results.sarif
Verification Commands
# Verify rules
appinspector verify-rules -r /path/to/rules
# Test specific rule
appinspector verify-rules -r custom-rules.json
# List default rules
appinspector exportrules -o default-rules.json
CI/CD Integration (GitHub Actions)
name: Application Inspector
on:
push:
branches: [main]
pull_request:
schedule:
- cron: '0 0 1 * *'
jobs:
analyze:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: '8.0'
- name: Install Application Inspector
run: dotnet tool install --global Microsoft.CST.ApplicationInspector.CLI
- name: Run Analysis
run: |
appinspector analyze \
-s ${{ github.workspace }} \
--output-file-format sarif \
--output-file-path results.sarif \
--single-threaded \
--disable-archive-crawling
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
category: application-inspector
- name: Upload Results
uses: actions/upload-artifact@v4
if: always()
with:
name: application-inspector-results
path: results.sarif
Configuration
Performance Options
# Single-threaded (more stable)
appinspector analyze -s /code --single-threaded
# Increase timeout for large files
appinspector analyze -s /code --file-timeout 500000
# Disable archive scanning (faster)
appinspector analyze -s /code --disable-archive-crawling
# Process only specific languages
appinspector analyze -s /code -l "javascript,typescript,python"
Exclusions
# Exclude paths
appinspector analyze -s /code \
-e "node_modules,vendor,dist,build,__pycache__"
# Exclude file patterns
appinspector analyze -s /code \
-e "*.min.js,*.test.js,*.spec.ts"
Common Use Cases
1. Pre-Audit Technology Discovery
# Generate comprehensive technology report
appinspector analyze -s /code -f html -o tech-report.html
# Review report to understand:
# - What frameworks are used
# - What crypto libraries are present
# - How authentication is implemented
# - What cloud services are integrated
2. Security Feature Inventory
# Find all security-relevant patterns
appinspector analyze -s /code \
-t "Authentication,Authorization,Cryptography,Data.Credentials" \
-f json -o security-inventory.json
3. Compliance Scanning
# Detect PII handling
appinspector analyze -s /code \
-t "Data.PII" \
-f sarif -o pii-report.sarif
# Find credential usage
appinspector analyze -s /code \
-t "Data.Credentials" \
-f sarif -o credentials-report.sarif
Interpreting Results
SARIF Structure
Application Inspector SARIF includes:
- Rules: Each detected pattern/tag
- Results: Specific code locations matching patterns
- Properties: Confidence, severity, tags
- Locations: File path, line number, code snippet
Filter by Severity
# Use SARIF tools to filter
pip install sarif-tools
# Extract critical findings only
sarif summary results.sarif --level error
# Filter by tag
sarif filter --level error --rule-id "DS.*Credentials.*" results.sarif
Limitations
- Not a vulnerability scanner: Identifies patterns, not exploits
- False positives: Regex-based detection can flag legitimate code
- Performance: Large codebases may require single-threaded mode
- Language coverage: Better for common languages (JS, Python, C#, Java)
- No data flow: Can't track how data moves through application
Rationalizations to Reject
| Shortcut | Why It's Wrong |
|---|---|
| "AppInspector found crypto, so it's secure" | Finding crypto usage doesn't mean it's implemented correctly; manual review required |
| "No credentials found = code is clean" | Pattern-based detection misses obfuscated or dynamically constructed secrets |
| "High confidence = definite issue" | High confidence means pattern match strength, not security impact |
| "Skip single-threaded mode for speed" | Multi-threaded can crash on complex codebases; stability > speed |
| "HTML report is enough" | SARIF output enables integration with other tools and automated workflows |
References
- Repository: https://github.com/microsoft/ApplicationInspector
- Documentation: https://github.com/microsoft/ApplicationInspector/wiki
- Default Rules: https://github.com/microsoft/ApplicationInspector/tree/main/AppInspector/rules
- SARIF Spec: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html