Skip to main content
Version: Current

Security Scanner - Quick Start

Get security scanning working in your .NET API in under 5 minutes with automatic vulnerability detection.

Complete Data Isolation

Primus Security Scanner runs entirely within your application. No code, secrets, or data are ever transmitted to Primus servers. All security analysis happens locally on your machine.


1. Install Package

dotnet add package PrimusSaaS.Security

2. Add Using Statement

using PrimusSaaS.Security;

3. Register in Program.cs

Minimal setup (all features enabled):

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddPrimusSecurity(options =>
{
options.EnableStaticAnalysis = true;
options.EnableDependencyScanning = true;
options.EnableSecretDetection = true;
options.ComplianceStandards = new[] { "OWASP", "PCI-DSS" };
options.CveDatabasePath = "./SecurityData/cve-database.db";
});

var app = builder.Build();

app.UseHttpsRedirection();

// Verify security on startup
var report = PrimusSecurityExtensions.VerifyDataIsolation();
if (!report.IsFullyIsolated)
{
Console.WriteLine("⚠️ Security issues found!");
Console.WriteLine($"Module Version: {report.ModuleVersion}");
Console.WriteLine($"Scan Timestamp: {report.Timestamp}");
}
else
{
Console.WriteLine("✅ Security validation passed!");
}

// Optional: Security status endpoint (dev only)
app.MapGet("/security-status", () =>
{
var scanReport = PrimusSecurityExtensions.VerifyDataIsolation();
return new
{
IsSecure = scanReport.IsFullyIsolated,
ModuleVersion = scanReport.ModuleVersion,
ScanTimestamp = scanReport.Timestamp
};
})
.RequireHost("localhost");

app.MapGet("/api/health", () => "OK");

app.Run();
CVE Database Required for Dependency Scanning

The configuration above includes CveDatabasePath for dependency scanning. The CVE database is optional and only needed if you want to scan NuGet/NPM packages for vulnerabilities.

Don't have the CVE database yet? See CVE Database Setup Guide →

Alternative: Without CVE Database (Recommended for Getting Started)

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddPrimusSecurity(options =>
{
options.EnableStaticAnalysis = true;
options.EnableSecretDetection = true;
options.EnableDependencyScanning = false; // ❌ Disabled (no CVE database needed)
options.ComplianceStandards = new[] { "OWASP", "PCI-DSS" };
// Don't set CveDatabasePath
});

var app = builder.Build();

// ... rest of configuration same as above

4. Run Your API

# Start your API
dotnet run

# Check console output for security scan results

Console output:

⚠️ Security issues found!
Module Version: 2.0.0.0
Scan Timestamp: 1/24/2026 3:33:23 AM

5. Test Security Status

# Check security status via API
curl http://localhost:5000/security-status

Response:

{
"isSecure": false,
"moduleVersion": "2.0.0",
"scanTimestamp": "2026-01-24T03:33:23Z"
}

That's It!

You now have security scanning working. Your API:

  • ✅ Scans code for SQL injection, XSS, and other vulnerabilities
  • ✅ Checks NuGet packages for known CVEs
  • ✅ Detects hardcoded secrets (API keys, passwords, tokens)
  • ✅ Validates OWASP & PCI-DSS compliance
  • ✅ Reports issues on startup and via API endpoint

What Gets Scanned?

✅ Static Analysis

Detects code vulnerabilities:

// ❌ SQL Injection
var query = "SELECT * FROM Users WHERE id = '" + userId + "'";

// ❌ Weak Cryptography
using var md5 = MD5.Create();

// ❌ Path Traversal
var path = Path.Combine("./uploads", userInput);

✅ Secret Detection

Finds hardcoded secrets:

// ❌ Hardcoded API keys
var apiKey = "sk_live_51H3K2jLkJ...";

// ❌ Database passwords
var connString = "Server=...;Password=Admin123!";

// ❌ AWS credentials
var awsKey = "AKIAIOSFODNN7EXAMPLE";

✅ Dependency Scanning

Checks for vulnerable packages:

⚠️ Newtonsoft.Json v10.0.1 - CVE-2024-1234
Recommended: Update to v13.0.3

Configuration Options

OptionDefaultDescription
EnableStaticAnalysisfalseScan code for vulnerabilities
EnableDependencyScanningfalseCheck NuGet packages for CVEs
EnableSecretDetectionfalseFind hardcoded secrets
ComplianceStandards[]Validate against standards (OWASP, PCI-DSS)
CveDatabasePathnullPath to CVE database file

Common Security Issues Found

1. Hardcoded Secrets in appsettings.json

❌ Bad:

{
"ApiKeys": {
"StripeKey": "sk_test_51ABCDEF..."
}
}

✅ Good:

// Use environment variables
var stripeKey = Environment.GetEnvironmentVariable("STRIPE_KEY");

// Or User Secrets (development)
dotnet user-secrets set "ApiKeys:StripeKey" "sk_test_51ABCDEF..."

2. SQL Injection Vulnerabilities

❌ Bad:

var query = "SELECT * FROM Users WHERE id = '" + userId + "'";

✅ Good:

var query = "SELECT * FROM Users WHERE id = @userId";
command.Parameters.AddWithValue("@userId", userId);

3. Weak Cryptography

❌ Bad:

using var md5 = MD5.Create(); // Weak!

✅ Good:

using var sha256 = SHA256.Create(); // Strong

Next Steps

Want to...See Guide
Set up CVE databaseCVE Database Setup →
Fix hardcoded secretsSecure Configuration Guide →
Understand all scan resultsSecurity Report Details →
Configure for CI/CDPipeline Integration →
Add authenticationIdentity Validator →

Troubleshooting

Security scan always passes?

Make sure you have:

  1. ✅ Called builder.Services.AddPrimusSecurity() before builder.Build()
  2. ✅ Enabled at least one scanning option (EnableStaticAnalysis, etc.)
  3. ✅ Rebuilt your project after adding the package

Want to test the scanner?

Add a test secret to Program.cs:

// Test: Scanner should detect this
var testSecret = "sk_live_51H3K2jLkJsadKJHD8923hd";

Rebuild and run - the scanner should flag it!


Security Best Practices

  1. Never commit secrets to source control
  2. Use environment variables or User Secrets for development
  3. Use Azure Key Vault or similar for production
  4. Run security scans in your CI/CD pipeline
  5. Review scan results regularly and fix issues promptly
  6. Keep dependencies updated to avoid known CVEs