Showing posts from December, 2022

.Net static code analysis in Azure DevOps with Security Code Scan

You've probably heard about other SAST tools like SonarQube, but since Security Code Scan is a lesser-known tool I'll start off with a list of reasons why you might consider using it.

- Free, with no features locked behind a commercial version: there are no restrictions such as only supporting the main branch, as with SonarQube.
- Low barrier to entry: there is no separate server to run. It runs completely within your pipeline, so anyone can start using it without making infrastructure decisions.
- Scan code without running a build: with SonarQube .Net scanning you have to build your project, which means that if you want to run it separately from your main build pipeline you have to repeat the build.
- Reports export to SARIF, so they can be consumed by other platforms.

There are multiple different ways we can use Security Code Scan in an Azure DevOps pipeline, so let's check out three options. Following along, I'll be using the ProCodeGuide.Samples.BrokenAccessControl repo as the targe
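As an added example (not code from the original post), here is a minimal Azure DevOps YAML pipeline that runs Security Code Scan's standalone `security-scan` tool inside the pipeline, with no build step of its own, and publishes the SARIF it produces. The solution path, pool image, SDK version and the `CodeAnalysisLogs` artifact name are assumptions (the artifact name is what the SARIF SAST Scans Tab extension looks for, if you have it installed), and the tool's flags should be confirmed against `security-scan --help` for the version you install:

```yaml
# azure-pipelines.yml (added example, not from the original post)
# Runs Security Code Scan as a standalone tool and publishes the SARIF report.
trigger:
  - main
  - feature/*          # nothing restricts scanning to the main branch

pool:
  vmImage: ubuntu-latest

variables:
  # Assumed solution path inside the checked-out repo.
  solution: 'ProCodeGuide.Samples.BrokenAccessControl.sln'
  # Artifact folder name expected by the SARIF SAST Scans Tab extension (assumption).
  sarifDir: '$(Build.ArtifactStagingDirectory)/CodeAnalysisLogs'

steps:
  - task: UseDotNet@2
    displayName: 'Install .NET SDK'
    inputs:
      version: '6.x'   # assumed SDK version for the sample repo

  - script: |
      set -e
      dotnet tool install --global security-scan
      export PATH="$PATH:$HOME/.dotnet/tools"
      mkdir -p "$(sarifDir)"
      # --export writes the findings as SARIF; confirm the flag with `security-scan --help`.
      security-scan "$(solution)" --export="$(sarifDir)/security-code-scan.sarif"
    displayName: 'Run Security Code Scan (no separate build pipeline needed)'

  - task: PublishBuildArtifacts@1
    displayName: 'Publish SARIF report'
    condition: succeededOrFailed()   # keep the report even if the scan step fails
    inputs:
      pathToPublish: '$(sarifDir)'
      artifactName: 'CodeAnalysisLogs'
```

Because the scanner runs on the agent without a dedicated server, the only state the pipeline needs is the repo checkout and the SDK; the published SARIF file can then be imported into any platform that understands the format.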