SAST for .NET Framework
The first implementation of SAST for .NET is based on Security Code Scan and the microsoft/dotnet Docker image. That image runs on Linux and integrates with SAST, but it has a major limitation: it only contains .NET Core, and most projects need the full .NET Framework in order to compile.
There is a Docker image that contains the .NET Framework, but it requires a Windows host: https://hub.docker.com/r/microsoft/dotnet-framework
Assuming that customers already have GitLab Runners deployed on Windows servers, and that they have a CI job that builds their .NET project, make it possible to run SAST for .NET from within that build job. This involves:
- Build a Windows-compatible binary that users can install and run on their CI servers.
- Write documentation on how to install and execute the binary in order to generate SAST artifacts.
- Determine whether the repository contains one or several .csproj files, and support both cases.
Ideally we'd provide a NuGet package that depends on SecurityCodeScan and generates the artifact automatically when building the .NET project.
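The following PowerShell script is an added example sketching what the Windows build-job step described above could look like; it is not code from this issue or from the Security Code Scan project. It discovers every .csproj in the checkout (the one-or-many case from the list above), restores NuGet packages via any .sln files found, and builds each project with the Roslyn compiler's ErrorLog property so that analyzer diagnostics are written to one SARIF file per project. It assumes msbuild.exe and nuget.exe are on the runner's PATH and that each project already references the SecurityCodeScan analyzer package (e.g. via the NuGet package proposed above); the sast-output directory name is an arbitrary choice.

```powershell
# Added example, not part of the original issue.
# Assumptions: Windows GitLab Runner, msbuild.exe and nuget.exe on PATH,
# projects reference the SecurityCodeScan analyzer so its SCS* warnings
# appear among the compiler diagnostics that ErrorLog serialises to SARIF.
$ErrorActionPreference = 'Stop'

$outDir = Join-Path $PWD 'sast-output'        # arbitrary name for the artifact dir
New-Item -ItemType Directory -Force -Path $outDir | Out-Null

# Restore once per solution so both packages.config and PackageReference
# projects get their analyzer packages before the build.
foreach ($sln in Get-ChildItem -Path . -Recurse -Filter '*.sln') {
    & nuget.exe restore $sln.FullName -NonInteractive
}

# Collect every project file, skipping build output and package folders.
# Wrapping in @() keeps .Count valid when zero or one project is found.
$projects = @(Get-ChildItem -Path . -Recurse -Filter '*.csproj' |
    Where-Object { $_.FullName -notmatch '\\(bin|obj|packages)\\' })

if ($projects.Count -eq 0) {
    Write-Error 'No .csproj files found; nothing to scan.'
}
Write-Host "Found $($projects.Count) project(s) to scan"

$failed = 0
foreach ($proj in $projects) {
    $name  = [IO.Path]::GetFileNameWithoutExtension($proj.Name)
    $sarif = Join-Path $outDir "$name.sarif"   # one report per project avoids overwrites

    Write-Host "Building $($proj.FullName) -> $sarif"
    & msbuild.exe $proj.FullName /t:Rebuild /p:Configuration=Release `
        "/p:ErrorLog=$sarif" /nologo /v:minimal

    if ($LASTEXITCODE -ne 0) {
        # Keep going: a compile error in one project should not hide findings in others.
        Write-Warning "Build of $name failed (exit $LASTEXITCODE); its SARIF may be incomplete"
        $failed++
    }
}

Write-Host "Scanned $($projects.Count) project(s), $failed build failure(s); reports in $outDir"
if ($failed -gt 0) { exit 1 }
```

In the Windows job this would sit in the `script:` section after the existing build commands, with `sast-output/*.sarif` declared under `artifacts:paths` so the per-project SARIF files are available for later processing. Passing a distinct ErrorLog path per project matters: with a single path for a whole solution build, each compiler invocation would overwrite the previous project's report.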