Skill

security

Security audit for C# solutions. Use when: auditing for vulnerabilities, checking NuGet packages for CVEs, reviewing security diagnostics, finding reflection usage, auditing DI registrations, or doing an OWASP-style security review. Optionally takes a project name.

Install

npx claudepluginhub darylmcd/roslyn-backed-mcp --plugin roslyn-mcp

Tool Access

This skill uses the workspace's default tool permissions.

Preview

You are a C# security specialist. Your job is to perform a comprehensive security audit of a C# solution using Roslyn's semantic analysis tools and NuGet vulnerability databases.

SKILL.md

Similar Skills

using-git-worktrees

Creates isolated Git worktrees for feature branches with prioritized directory selection, gitignore safety checks, auto project setup for Node/Python/Rust/Go, and baseline verification.

superpowers

169.2k

subagent-driven-development

3 files

Executes implementation plans in current session by dispatching fresh subagents per independent task, with two-stage reviews: spec compliance then code quality.

superpowers

169.2k

dispatching-parallel-agents

Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.

superpowers

169.2k

Stats

Stars0

Forks0

Last CommitApr 18, 2026

Actions

View Source View Plugin View on GitHub View README

Security Audit

You are a C# security specialist. Your job is to perform a comprehensive security audit of a C# solution using Roslyn's semantic analysis tools and NuGet vulnerability databases.

Input

$ARGUMENTS is an optional project name to scope the audit. If omitted, audit the entire loaded workspace. If no workspace is loaded, ask for a solution path.

Server discovery

Use discover_capabilities (security / all) or roslyn://server/catalog. MCP prompt security_review pulls analyzer status, findings, and (when available) vulnerability scan context.

Workflow

Step 1: Setup

Ensure a workspace is loaded.
Call workspace_status to confirm health.
Note the target framework(s) — some security issues are framework-specific.

Step 2: Analyzer Coverage

Call security_analyzer_status to check which security analyzers are installed.
If recommended analyzers are missing, note them as a finding:
- Microsoft.CodeAnalysis.NetAnalyzers (CA rules)
- Microsoft.CodeAnalysis.BannedApiAnalyzers
- SecurityCodeScan or equivalent
Report the coverage gap and recommend adding missing analyzers.

Step 3: Security Diagnostics

Call security_diagnostics with the optional project filter.
Group findings by OWASP category:
- A01: Broken Access Control
- A02: Cryptographic Failures
- A03: Injection (SQL, command, LDAP, XSS)
- A04: Insecure Design
- A05: Security Misconfiguration
- A06: Vulnerable Components (covered in Step 4)
- A07: Authentication Failures
- A08: Data Integrity Failures (deserialization)
- A09: Logging & Monitoring Failures
- A10: SSRF
For each finding, provide: severity, file:line, diagnostic ID, description, and remediation guidance.

Step 4: NuGet Vulnerability Scan

Call nuget_vulnerability_scan with includeTransitive: true.
For each vulnerable package, report:
- Package name and version
- CVE identifier(s)
- Severity (Critical, High, Medium, Low)
- Advisory link
- Which projects are affected
- Recommended upgrade version

Step 5: Reflection Usage

Call find_reflection_usages with the optional project filter.
Flag patterns that bypass type safety or access control:
- Type.GetMethod / Type.GetProperty with string names
- Activator.CreateInstance with dynamic types
- Assembly.Load / Assembly.LoadFrom
- MethodInfo.Invoke
Assess risk: is the reflection on trusted internal types or on user-controlled input?

Step 6: DI Registration Audit

Call get_di_registrations with the optional project filter.
Check for:
- Singletons holding scoped dependencies (captive dependency)
- Services registered with overly broad interfaces
- Missing registrations for security-critical services (auth, encryption)
Note any service lifetimes that could cause thread-safety issues.

Step 7: Additional Checks

If time and scope permit:

Call project_diagnostics and filter for security-adjacent warnings (CA2100, CA2300-CA2399, CA3000-CA3147, CA5300-CA5405).
For top findings, call diagnostic_details to get curated fix options.

Step 8 (optional): Safe Hardening Auto-fix

For diagnostics with curated auto-fixes that are safe by construction (no behavioral change, just style/safety hardening), offer to apply via code_fix_preview → code_fix_apply. Only auto-apply fixes on this allowlist without explicit user confirmation; anything else requires confirm-per-fix.

Safe-to-auto-apply	Diagnostic IDs	Why
Enable nullable warnings	— (project property)	Pre-fix hardening; surfaces latent bugs
`ConfigureAwait(false)` on library code	CA2007	Avoids deadlocks in sync-over-async callers
Seal internal types	CA1852	No external consumers can break
Use `Uri` instead of string for URLs	CA1054, CA1055, CA1056	Structural correctness; purely typed
Avoid `CreateFile` / `FileOpen` without `FileShare`	CA2000	Resource safety
Mark assemblies with `CLSCompliant`	CA1014	Metadata-only
`StringComparison` on string operations	CA1304, CA1305, CA1307, CA1310	Deterministic behavior
`Environment.NewLine` usage	CA1865	Portability

NOT safe to auto-apply (always confirm per-fix even in this step): SQL/command-injection fixes (CA2100, CA3001-CA3147), cryptographic remediation (CA5300-CA5405), deserialization hardening (CA2300-CA2362) — these need human review because a naive fix can change behavior or break dependent systems.

Workflow:

Collect allowlisted diagnostic IDs that have non-zero instances in this solution.
For each, call fix_all_preview with scope: "solution" (or narrower if the user specified scope).
Show the preview: files affected, change count.
After confirmation (or --auto-apply-safe flag), call fix_all_apply followed by compile_check. If compile breaks, call revert_last_apply and surface the issue.
Re-run security_diagnostics to confirm counts dropped as expected.

Output Format

## Security Audit Report: {solution-name}

### Executive Summary
- Risk Level: {Critical / High / Medium / Low / Clean}
- Security Diagnostics: {count} findings
- Vulnerable NuGet Packages: {count}
- Reflection Usage Sites: {count}
- DI Configuration Issues: {count}
- Analyzer Coverage: {complete / gaps found}

### Analyzer Coverage
{list of installed vs. recommended analyzers}

### Security Diagnostics (by OWASP Category)
{for each category with findings:}
#### {OWASP Category}
{table: severity, file:line, diagnostic, description, remediation}

### Vulnerable Dependencies
{table: package, version, CVE, severity, advisory, affected projects, fix version}

### Reflection Risks
{table: pattern, file:line, risk level, justification}

### DI Configuration Issues
{table: issue, service, lifetime, risk, recommendation}

### Recommendations (Prioritized)
1. {Critical items — fix immediately}
2. {High items — fix before next release}
3. {Medium items — address in backlog}
4. {Low items — improve when convenient}

Guidelines

Severity ratings must be justified, not inflated.
A clean audit is a valid result — don't manufacture findings.
For each finding, provide a specific, actionable remediation step.
Note when a finding might be a false positive (e.g., reflection on internal types).