Core Security
Production Ready v2.4.9
This module is production-ready. Static analysis runs via 62 Roslyn analyzers at scan time via scanner.ScanAsync() — not at build time. Dependency scanning uses the live OSV.dev API; no local CVE database required for basic CVE scanning.
Overview
Core Security provides local-first scanning for .NET applications:
- Secret detection and content scanning.
- Dependency vulnerability scanning when a local CVE database is present.
- Roslyn analyzers for common OWASP patterns (runs at build/CI time, not via
ScanAsync). - Optional policy validation against scan results.
No external network calls are made by default. Any outbound integration depends on how you configure your own app.
Integration Guide
Step 1: Install the package
dotnet add package PrimusSaaS.Security
Step 2: Configure Program.cs
using PrimusSaaS.Security;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddPrimusSecurity(options =>
builder.Configuration.GetSection("PrimusSecurity").Bind(options));
var app = builder.Build();
Step 3: Configure appsettings.json
{
"PrimusSecurity": {
"EnableStaticAnalysis": true,
"EnableDependencyScanning": true,
"EnableSecretDetection": true,
"EnablePolicyValidation": true,
"FailOnCritical": false
}
}
Optional configuration fields
CveDatabasePath— path to a local SQLite CVE database for offline CVE scanning. Not required — by default, dependency scanning uses the live OSV.dev API with no configuration.PoliciesPath— directory containing custom policy rule files (JSON).ComplianceStandards— list used for internal report mapping only (["OWASP", "PCI-DSS"]). Does not certify compliance.DataPath,FindingsPath,ReportsPath— local filesystem paths for persisted output. Optional.
Step 4: Configure endpoint
Map the built-in security endpoints:
app.MapPrimusSecurityEndpoints();
app.Run();
This exposes:
POST /api/security/scanPOST /api/security/detect-secretsGET /api/security/status
Step 5: Test the endpoint
curl http://localhost:5000/api/security/status
curl -X POST http://localhost:5000/api/security/scan \
-H "Content-Type: application/json" \
-d '{ "path": "./" }'