Core Security

caution

This module is in preview. Static analysis runs via Roslyn analyzers at build time. Dependency scanning requires a local CVE database that you provide.

Overview

Core Security provides local-first scanning for .NET applications:

  • Secret detection and content scanning.
  • Dependency vulnerability scanning when a local CVE database is present.
  • Roslyn analyzers for common OWASP patterns (runs at build/CI time, not via ScanAsync).
  • Optional policy validation against scan results.

No external network calls are made by default. Any outbound integration depends on how you configure your own app.

Integration Guide

Step 1: Install the package

dotnet add package PrimusSaaS.Security

Step 2: Configure Program.cs

using PrimusSaaS.Security;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddPrimusSecurity(options =>
    builder.Configuration.GetSection("PrimusSecurity").Bind(options));

var app = builder.Build();

Step 3: Configure appsettings.json

{
  "PrimusSecurity": {
    "EnableStaticAnalysis": true,
    "EnableDependencyScanning": true,
    "EnableSecretDetection": true,
    "EnablePolicyValidation": true,
    "ComplianceStandards": [ "OWASP", "PCI-DSS" ],
    "DataPath": "./SecurityData",
    "FindingsPath": "./SecurityFindings",
    "ReportsPath": "./SecurityReports",
    "CveDatabasePath": "./SecurityData/cve-database.db",
    "PoliciesPath": "./SecurityData/Policies",
    "FailOnCritical": false,
    "IntegrateWithLogging": false,
    "IntegrateWithNotifications": false
  }
}

How to get configuration values

  • CveDatabasePath should point to a local CVE database file.
  • PoliciesPath is a local directory that contains your policy rules.
  • DataPath, FindingsPath, and ReportsPath are local filesystem paths.
  • ComplianceStandards is used for internal mapping only and does not certify compliance.

Step 4: Configure endpoints

Map the built-in security endpoints:

app.MapPrimusSecurityEndpoints();
app.Run();

This exposes:

  • POST /api/security/scan
  • POST /api/security/detect-secrets
  • GET /api/security/status

Step 5: Test the endpoint

curl http://localhost:5000/api/security/status
curl -X POST http://localhost:5000/api/security/scan \
  -H "Content-Type: application/json" \
  -d '{ "path": "./" }'
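Because dependency scanning and policy validation silently depend on local files you provide (the CVE database and the policies directory), a startup preflight that fails fast on a missing file is worth adding before the endpoints go live. The following is an added example, not part of the PrimusSaaS.Security package: SecurityPreflight is a hypothetical helper name, and the keys it reads are the ones from the "PrimusSecurity" section in Step 3.

```csharp
using Microsoft.Extensions.Configuration;

// Hypothetical helper (not from PrimusSaaS.Security): validates the "PrimusSecurity"
// configuration section before the app starts serving scan requests.
public static class SecurityPreflight
{
    // Returns human-readable problems; an empty list means the section is usable.
    public static IReadOnlyList<string> Check(IConfiguration section)
    {
        var problems = new List<string>();

        // Dependency scanning cannot run without the local CVE database, so
        // "enabled but file missing" is a misconfiguration rather than a warning.
        if (section.GetValue<bool>("EnableDependencyScanning"))
        {
            var cvePath = section["CveDatabasePath"];
            if (string.IsNullOrWhiteSpace(cvePath) || !File.Exists(cvePath))
                problems.Add($"EnableDependencyScanning is true but CveDatabasePath '{cvePath}' was not found.");
        }

        // Policy validation needs the local rules directory.
        if (section.GetValue<bool>("EnablePolicyValidation"))
        {
            var policiesPath = section["PoliciesPath"];
            if (string.IsNullOrWhiteSpace(policiesPath) || !Directory.Exists(policiesPath))
                problems.Add($"EnablePolicyValidation is true but PoliciesPath '{policiesPath}' was not found.");
        }

        // Output locations must be set, or findings and reports have nowhere to go.
        foreach (var key in new[] { "DataPath", "FindingsPath", "ReportsPath" })
        {
            if (string.IsNullOrWhiteSpace(section[key]))
                problems.Add($"{key} is not set.");
        }

        return problems;
    }
}

// Usage in Program.cs, between builder creation and app.Run():
//
//   var problems = SecurityPreflight.Check(builder.Configuration.GetSection("PrimusSecurity"));
//   if (problems.Count > 0)
//       throw new InvalidOperationException(
//           "PrimusSecurity is misconfigured:\n" + string.Join("\n", problems));
```

Throwing at startup keeps a misconfigured deployment from reporting a clean scan simply because the database or policies were never found.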