ApplicationInspector
A source code analyzer built for surfacing features of interest and other characteristics to answer the question 'What's in the code?' quickly using static analysis with a json based rules engine. Ideal for scanning components before use or detecting feature level changes.
Top Related Projects
Find, verify, and analyze leaked credentials
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
Protect and discover secrets using Gitleaks 🔑
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Snyk CLI scans and monitors your projects for security vulnerabilities.
Quick Overview
Microsoft Application Inspector is an open-source cross-platform tool that helps developers and security professionals analyze and understand the characteristics and features of source code. It uses pattern-based static analysis to identify interesting features and metadata about a codebase, providing insights into its purpose, programming languages, frameworks, and potential security implications.
Pros
- Supports multiple programming languages and platforms
- Provides detailed reports on code characteristics and potential security issues
- Offers both command-line and GUI interfaces for flexibility
- Can be integrated into CI/CD pipelines for automated analysis
Cons
- May produce false positives in some cases
- Requires regular updates to maintain accuracy with evolving technologies
- Large codebases may take significant time to analyze
- Limited customization options for analysis rules
Getting Started
To get started with Microsoft Application Inspector:
-
Install the tool:
dotnet tool install -g Microsoft.CST.ApplicationInspector.CLI -
Run a basic analysis on a source code directory:
appinspector analyze -s /path/to/source/code -f html -
View the generated HTML report in your browser to explore the analysis results.
For more advanced usage and options, refer to the official documentation on the GitHub repository.
Competitor Comparisons
Find, verify, and analyze leaked credentials
Pros of Trufflehog
- Specialized in detecting and preventing secrets leakage
- Supports scanning Git repositories, filesystems, and S3 buckets
- Offers both CLI and API interfaces for integration
Cons of Trufflehog
- Limited to secrets detection, not a comprehensive code analysis tool
- May produce false positives, requiring manual verification
- Less extensive language support compared to ApplicationInspector
Code Comparison
ApplicationInspector:
var inspector = new Inspector();
inspector.AddPath(sourceCodePath);
var result = inspector.Analyze();
Trufflehog:
from truffleHog import truffleHog
results = truffleHog.find_strings(repo_path, entropy=True, regex=True)
Summary
ApplicationInspector is a more comprehensive code analysis tool that focuses on identifying application features, while Trufflehog specializes in detecting secrets and sensitive information in codebases. ApplicationInspector offers broader language support and more detailed analysis, but Trufflehog excels in its specific use case of secrets detection. The choice between the two depends on the primary goal of the analysis: general code inspection or focused secrets scanning.
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
Pros of Semgrep
- Supports a wide range of programming languages (40+)
- Offers a powerful rule language for custom pattern matching
- Provides both local and cloud-based scanning options
Cons of Semgrep
- Steeper learning curve for writing custom rules
- May produce more false positives in certain scenarios
- Requires more setup and configuration for advanced use cases
Code Comparison
ApplicationInspector uses a JSON-based rule format:
{
"name": "Hardcoded Password",
"id": "AI000000",
"description": "Detects hardcoded passwords",
"tags": ["Security", "Credential"],
"severity": "Critical",
"patterns": [
{
"pattern": "password\\s*=\\s*[\"']\\w+[\"']",
"type": "regex"
}
]
}
Semgrep uses a YAML-based rule format:
rules:
- id: hardcoded-password
pattern: password = "..."
message: "Hardcoded password detected"
severity: ERROR
languages: [python, javascript]
Both tools aim to detect security issues and code patterns, but Semgrep offers more flexibility in rule writing and language support, while ApplicationInspector provides a simpler JSON-based approach with predefined tags and severities.
Protect and discover secrets using Gitleaks 🔑
Pros of Gitleaks
- Specialized in detecting secrets and sensitive information in Git repositories
- Supports pre-commit hooks for preventing accidental commits of secrets
- Highly customizable with regex patterns and rules
Cons of Gitleaks
- Limited to secret detection, lacks broader code analysis capabilities
- May produce false positives, requiring manual review of results
- Less comprehensive reporting compared to ApplicationInspector
Code Comparison
ApplicationInspector:
public static int Main(string[] args)
{
return new Microsoft.ApplicationInspector.Commands.ArgsProcessor().Execute(args);
}
Gitleaks:
func main() {
cmd.Execute()
}
ApplicationInspector offers a more comprehensive code analysis tool, focusing on various aspects of application behavior and characteristics. It provides detailed reports and supports multiple programming languages.
Gitleaks, on the other hand, is specifically designed for detecting secrets and sensitive information in Git repositories. It excels in this particular area but lacks the broader analysis capabilities of ApplicationInspector.
While ApplicationInspector is better suited for general code analysis and understanding application behavior, Gitleaks is the preferred choice for teams primarily concerned with preventing secret leaks in their version control systems.
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Pros of Trivy
- Broader scope: Scans containers, filesystems, and git repositories for vulnerabilities and misconfigurations
- Faster scanning speed, especially for large projects
- More frequent updates to vulnerability database
Cons of Trivy
- Less detailed code analysis for application-specific patterns
- Limited support for custom rules compared to ApplicationInspector
Code Comparison
ApplicationInspector uses custom rules in JSON format:
{
"name": "Hardcoded Password",
"id": "AI000000",
"description": "Detects hardcoded passwords",
"tags": ["Security", "Credential"],
"severity": "Critical",
"patterns": [
{
"pattern": "password\\s*=\\s*[\"']\\w+[\"']",
"type": "regex"
}
]
}
Trivy uses YAML-based policies:
policies:
- id: hardcoded-password
severity: CRITICAL
title: Hardcoded Password
description: Detects hardcoded passwords in source code
rego: |
package trivy
deny[res] {
input.type == "source"
regex.match("password\\s*=\\s*[\"']\\w+[\"']", input.content)
res := {"message": "Hardcoded password detected"}
}
Both tools aim to improve code security, but ApplicationInspector focuses more on detailed application analysis, while Trivy offers broader vulnerability scanning capabilities across different environments.
Snyk CLI scans and monitors your projects for security vulnerabilities.
Pros of Snyk CLI
- Broader security coverage, including vulnerability scanning for dependencies and container images
- Integrates with CI/CD pipelines and provides automated fix suggestions
- Offers a larger database of known vulnerabilities and security issues
Cons of Snyk CLI
- Requires an account and potentially a paid subscription for full features
- May have a steeper learning curve due to its more comprehensive feature set
- Less focused on source code analysis compared to ApplicationInspector
Code Comparison
ApplicationInspector:
var inspector = new Inspector();
var options = new Options();
inspector.Analyze(options);
Snyk CLI:
snyk test
snyk monitor
snyk container test <image>
Summary
While ApplicationInspector focuses on static code analysis and pattern matching, Snyk CLI offers a more comprehensive security solution with vulnerability scanning for dependencies and containers. ApplicationInspector may be easier to use for quick source code analysis, while Snyk CLI provides broader security coverage and integrates better with development workflows. The choice between the two depends on specific project needs and the desired depth of security analysis.
Convert 
designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Introduction
Microsoft Application Inspector is a software source code characterization tool that helps identify coding features of first or third party software components based on well-known library/API calls and is helpful in security and non-security use cases. It uses hundreds of rules and regex patterns to surface interesting characteristics of source code to aid in determining what the software is or what it does from what file operations it uses, encryption, shell operations, cloud API's, frameworks and more and has received industry attention as a new and valuable contribution to OSS on ZDNet, SecurityWeek , CSOOnline , Linux.com/news , HelpNetSecurity, Twitter and more and was first featured on Microsoft.com.
Application Inspector is different from traditional static analysis tools in that it doesn't attempt to identify "good" or "bad" patterns; it simply reports what it finds against a set of over 400 rule patterns for feature detection including features that impact security such as the use of cryptography and more. This can be extremely helpful in reducing the time needed to determine what Open Source or other components do by examining the source directly rather than trusting to limited documentation or recommendations.
The tool supports scanning various programming languages including C, C++, C#, Java, JavaScript, HTML, Python, Objective-C, Go, Ruby, PowerShell and more and can scan projects with mixed language files. It supports generating results in HTML, JSON and text output formats with the default being an HTML report similar to the one shown here.
Be sure to see our complete project wiki page https://Github.com/Microsoft/ApplicationInspector/wiki for additional information and help.
Quick Start
Obtain Application Inspector
.NET Tool (recommended)
- Download and install the .NET 6 SDK
- Run
dotnet tool install --global Microsoft.CST.ApplicationInspector.CLI
See more in the wiki
Platform Dependent Binary
- Download Application Inspector by selecting the pre-built package for the operating system of choice shown under the Assets section of the Releases.
Run Application Inspector
- Nuget Tool:
appinspector analyze -s path/to/src. - Platform Specific:
applicationinspector.cli.exe analyze -s path/to/src
Goals
Microsoft Application Inspector helps you in securing your applications from start to deployment.
Design Choices - Enables you to choose which components meet your needs with a smaller footprint of unnecessary or unknowns features for keeping your application attack surface smaller as well as help to verify expected ones i.e. industry standard crypto only.
Identifying Feature Deltas - Detects changes between component versions which can be critical for detecting injection of backdoors.
Automating Security Compliance Checks - Use to identify components with features that require additional security scrutiny, approval or SDL compliance as part of your build pipeline or create a repository of metadata regarding all of your enterprise application.
Contribute
We have a strong default starting base of Rules for feature detection. But there are many feature identification patterns yet to be defined and we invite you to submit ideas on what you want to see or take a crack at defining a few. This is a chance to literally impact the open source ecosystem helping provide a tool that everyone can use. See the Rules section of the wiki for more.
Official Releases
Application Inspector is in GENERAL AUDIENCE release status. Your feedback is important to us. If you're interested in contributing, please review the CONTRIBUTING.md.
Application Inspector is available as a command line tool or NuGet package and is supported on Windows, Linux, or MacOS.
Platform specific binaries of the ApplicationInspector CLI are available on our GitHub releases page.
The C# library is available on NuGet as Microsoft.CST.ApplicationInspector.Commands .
The .NET Global Tool is available on NuGet as Microsoft.CST.ApplicationInspector.CLI.
If you use the .NET Core version, you will need to have .NET 6.0 or later installed. See the JustRunIt.md or Build.md files for more.
CLI Usage Information
> appinspector --help
ApplicationInspector.CLI 1.8.4-beta+976ee3cdd1
c Microsoft Corporation. All rights reserved.
analyze Inspect source directory/file/compressed file (.tgz|zip)
against defined characteristics
tagdiff Compares unique tag values between two source paths
exporttags Export the list of tags associated with the specified rules.
Does not scan source code.
verifyrules Verify custom rules syntax is valid
packrules Combine multiple rule files into one file for ease in
distribution
help Display more information on a specific command.
version Display version information.
Examples:
Command Help
To get help for a specific command run appinspector <command> --help.
Analyze Command
The Analyze Command is the workhorse of Application Inspector.
Simple Default Analyze
This will produce an output.html of the analysis in the current directory using default arguments and rules.
appinspector analyze -s path/to/files
Output Sarif
appinspector analyze -s path/to/files -f sarif -o output.sarif
Excluding Files using Globs
This will create a json output named data.json of the analysis in the current directory, excluding all files in test
and .git folders using the provided glob patterns.
appinspector analyze -s path/to/files -o data.json -f json -g **/tests/**,**/.git/**
Additional Usage Information
For additional help on use of the console interface see CLI Usage.
For help using the NuGet package see NuGet Support
Build Instructions
See build.md
Top Related Projects
Find, verify, and analyze leaked credentials
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
Protect and discover secrets using Gitleaks 🔑
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Snyk CLI scans and monitors your projects for security vulnerabilities.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot