Security Scanner - Quick Start
Get security scanning working in your .NET API in under 5 minutes with automatic vulnerability detection.
Primus Security Scanner runs entirely within your application. No code, secrets, or data are ever transmitted to Primus servers. All security analysis happens locally on your machine.
1. Install Package
dotnet add package PrimusSaaS.Security
2. Add Using Statement
using PrimusSaaS.Security;
3. Register in Program.cs
Minimal setup (all features enabled):
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddPrimusSecurity(options =>
{
options.EnableStaticAnalysis = true;
options.EnableDependencyScanning = true;
options.EnableSecretDetection = true;
options.ComplianceStandards = new[] { "OWASP", "PCI-DSS" };
options.CveDatabasePath = "./SecurityData/cve-database.db";
});
var app = builder.Build();
app.UseHttpsRedirection();
// Verify security on startup
var report = PrimusSecurityExtensions.VerifyDataIsolation();
if (!report.IsFullyIsolated)
{
Console.WriteLine("⚠️ Security issues found!");
Console.WriteLine($"Module Version: {report.ModuleVersion}");
Console.WriteLine($"Scan Timestamp: {report.Timestamp}");
}
else
{
Console.WriteLine("✅ Security validation passed!");
}
// Optional: Security status endpoint (dev only)
app.MapGet("/security-status", () =>
{
var scanReport = PrimusSecurityExtensions.VerifyDataIsolation();
return new
{
IsSecure = scanReport.IsFullyIsolated,
ModuleVersion = scanReport.ModuleVersion,
ScanTimestamp = scanReport.Timestamp
};
})
.RequireHost("localhost");
app.MapGet("/api/health", () => "OK");
app.Run();
The configuration above includes CveDatabasePath for dependency scanning. The CVE database is optional and only needed if you want to scan NuGet/NPM packages for vulnerabilities.
Don't have the CVE database yet? See CVE Database Setup Guide →
Alternative: Without CVE Database (Recommended for Getting Started)
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddPrimusSecurity(options =>
{
options.EnableStaticAnalysis = true;
options.EnableSecretDetection = true;
options.EnableDependencyScanning = false; // ❌ Disabled (no CVE database needed)
options.ComplianceStandards = new[] { "OWASP", "PCI-DSS" };
// Don't set CveDatabasePath
});
var app = builder.Build();
// ... rest of configuration same as above
4. Run Your API
# Start your API
dotnet run
# Check console output for security scan results
Console output:
⚠️ Security issues found!
Module Version: 2.0.0.0
Scan Timestamp: 1/24/2026 3:33:23 AM
5. Test Security Status
# Check security status via API
curl http://localhost:5000/security-status
Response:
{
"isSecure": false,
"moduleVersion": "2.0.0",
"scanTimestamp": "2026-01-24T03:33:23Z"
}
That's It!
You now have security scanning working. Your API:
- ✅ Scans code for SQL injection, XSS, and other vulnerabilities
- ✅ Checks NuGet packages for known CVEs
- ✅ Detects hardcoded secrets (API keys, passwords, tokens)
- ✅ Validates OWASP & PCI-DSS compliance
- ✅ Reports issues on startup and via API endpoint
What Gets Scanned?
✅ Static Analysis
Detects code vulnerabilities:
// ❌ SQL Injection
var query = "SELECT * FROM Users WHERE id = '" + userId + "'";
// ❌ Weak Cryptography
using var md5 = MD5.Create();
// ❌ Path Traversal
var path = Path.Combine("./uploads", userInput);
✅ Secret Detection
Finds hardcoded secrets:
// ❌ Hardcoded API keys
var apiKey = "sk_live_51H3K2jLkJ...";
// ❌ Database passwords
var connString = "Server=...;Password=Admin123!";
// ❌ AWS credentials
var awsKey = "AKIAIOSFODNN7EXAMPLE";
✅ Dependency Scanning
Checks for vulnerable packages:
⚠️ Newtonsoft.Json v10.0.1 - CVE-2024-1234
Recommended: Update to v13.0.3
Configuration Options
| Option | Default | Description |
|---|---|---|
EnableStaticAnalysis | false | Scan code for vulnerabilities |
EnableDependencyScanning | false | Check NuGet packages for CVEs |
EnableSecretDetection | false | Find hardcoded secrets |
ComplianceStandards | [] | Validate against standards (OWASP, PCI-DSS) |
CveDatabasePath | null | Path to CVE database file |
Common Security Issues Found
1. Hardcoded Secrets in appsettings.json
❌ Bad:
{
"ApiKeys": {
"StripeKey": "sk_test_51ABCDEF..."
}
}
✅ Good:
// Use environment variables
var stripeKey = Environment.GetEnvironmentVariable("STRIPE_KEY");
// Or User Secrets (development)
dotnet user-secrets set "ApiKeys:StripeKey" "sk_test_51ABCDEF..."
2. SQL Injection Vulnerabilities
❌ Bad:
var query = "SELECT * FROM Users WHERE id = '" + userId + "'";
✅ Good:
var query = "SELECT * FROM Users WHERE id = @userId";
command.Parameters.AddWithValue("@userId", userId);
3. Weak Cryptography
❌ Bad:
using var md5 = MD5.Create(); // Weak!
✅ Good:
using var sha256 = SHA256.Create(); // Strong
Next Steps
| Want to... | See Guide |
|---|---|
| Set up CVE database | CVE Database Setup → |
| Fix hardcoded secrets | Secure Configuration Guide → |
| Understand all scan results | Security Report Details → |
| Configure for CI/CD | Pipeline Integration → |
| Add authentication | Identity Validator → |
Troubleshooting
Security scan always passes?
Make sure you have:
- ✅ Called
builder.Services.AddPrimusSecurity()beforebuilder.Build() - ✅ Enabled at least one scanning option (
EnableStaticAnalysis, etc.) - ✅ Rebuilt your project after adding the package
Want to test the scanner?
Add a test secret to Program.cs:
// Test: Scanner should detect this
var testSecret = "sk_live_51H3K2jLkJsadKJHD8923hd";
Rebuild and run - the scanner should flag it!
Security Best Practices
- ✅ Never commit secrets to source control
- ✅ Use environment variables or User Secrets for development
- ✅ Use Azure Key Vault or similar for production
- ✅ Run security scans in your CI/CD pipeline
- ✅ Review scan results regularly and fix issues promptly
- ✅ Keep dependencies updated to avoid known CVEs