igbuend/application-inspector
skills/application-inspector/SKILL.md
Run Microsoft Application Inspector for technology profiling and security feature detection. Use when analyzing technology stack, finding crypto/auth patterns, detecting sensitive API usage, or creating security posture reports.
$ install --global
skillsauthnpx skillsauth add igbuend/grimbard application-inspectorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 8:15 PM75.1s1 file scanned
SKILL.md
- name:
- application-inspector
- description:
- Run Microsoft Application Inspector for technology profiling and security feature detection. Use when analyzing technology stack, finding crypto/auth patterns, detecting sensitive API usage, or creating security posture reports.
Microsoft Application Inspector
When to Use Application Inspector
Ideal scenarios:
- Technology stack profiling and discovery
- Identifying security-relevant code patterns (authentication, cryptography, logging)
- Pre-audit reconnaissance to understand codebase capabilities
- Detecting use of sensitive APIs and security controls
- Creating software composition reports
- Finding data handling patterns (PII, credentials, encryption)
Complements other tools:
- Use before Semgrep/CodeQL for context on what security patterns exist
- Combine with SARIF Issue Reporter for detailed findings analysis
- Use alongside SCA tools to understand both dependencies and implementation
When NOT to Use
Do NOT use this skill for:
- Finding specific vulnerabilities (use Semgrep, CodeQL, or SAST tools)
- Dependency vulnerability scanning (use OSV-Scanner or Depscan)
- Secrets detection (use Gitleaks)
- IaC security analysis (use KICS)
- Deep data flow analysis
Installation
# .NET tool (recommended)
dotnet tool install --global Microsoft.CST.ApplicationInspector.CLI
# Update
dotnet tool update --global Microsoft.CST.ApplicationInspector.CLI
# Verify
appinspector --version
# Docker
docker pull mcr.microsoft.com/app-inspector
docker run -v ${PWD}:/app mcr.microsoft.com/app-inspector analyze -s /app -f sarif -o /app/results.sarif
Core Workflow
1. Quick Analysis
# Analyze directory with default rules
appinspector analyze -s /path/to/code -f html -o report.html
# Text summary
appinspector analyze -s /path/to/code -f text
# JSON output
appinspector analyze -s /path/to/code -f json -o results.json
2. SARIF Output
# Generate SARIF report
appinspector analyze -s /path/to/code \
--output-file-format sarif \
--output-file-path results.sarif
# With custom rules
appinspector analyze -s /path/to/code \
-r /path/to/custom-rules \
--output-file-format sarif \
--output-file-path results.sarif
# Single-threaded for stability
appinspector analyze -s /path/to/code \
--single-threaded \
--file-timeout 500000 \
--output-file-format sarif \
--output-file-path results.sarif
3. Security-Focused Analysis
# Focus on security features
appinspector analyze -s /path/to/code \
-t "Authentication,Cryptography,Authorization" \
-f json -o security-features.json
# Exclude test files
appinspector analyze -s /path/to/code \
-e "test,tests,spec,__pycache__" \
-f sarif -o results.sarif
Understanding Output
Tag Categories
Application Inspector detects patterns across categories:
| Category | Examples | |----------|----------| | Authentication | OAuth, JWT, Session management, Password handling | | Cryptography | AES, RSA, Hashing, Key derivation, Random generation | | Authorization | RBAC, ACL, Permission checks, Policy enforcement | | Data.PII | Email, SSN, Credit card, Phone numbers | | Data.Credentials | API keys, Passwords, Tokens, Certificates | | CloudServices | AWS, Azure, GCP API usage | | Framework | Express, Django, Spring, ASP.NET | | Database | SQL, NoSQL, ORM usage |
Severity Levels
- Critical: High-risk patterns (hardcoded secrets, weak crypto)
- Important: Security-relevant code requiring review
- Moderate: Potentially sensitive functionality
- ManualReview: Patterns requiring human analysis
- BestPractice: Recommended patterns found
Custom Rules
Rule Structure
{
"name": "Detect hardcoded API keys",
"id": "DS123456",
"description": "Identifies potential hardcoded API keys",
"tags": [
"Data.Credentials.APIKey"
],
"severity": "Critical",
"patterns": [
{
"pattern": "api[_-]?key\\s*=\\s*['\"][a-zA-Z0-9]{20,}['\"]",
"type": "regex",
"confidence": "High",
"scopes": [
"code"
]
}
]
}
Rule File Format
Create custom-rules.json:
[
{
"name": "AWS Access Key",
"id": "DS001",
"tags": ["Data.Credentials.AWS"],
"severity": "Critical",
"patterns": [
{
"pattern": "AKIA[0-9A-Z]{16}",
"type": "regex",
"confidence": "High"
}
]
}
]
Use with:
appinspector analyze -s /code -r custom-rules.json -f sarif -o results.sarif
Verification Commands
# Verify rules
appinspector verify-rules -r /path/to/rules
# Test specific rule
appinspector verify-rules -r custom-rules.json
# List default rules
appinspector exportrules -o default-rules.json
CI/CD Integration (GitHub Actions)
name: Application Inspector
on:
push:
branches: [main]
pull_request:
schedule:
- cron: '0 0 1 * *'
jobs:
analyze:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: '8.0'
- name: Install Application Inspector
run: dotnet tool install --global Microsoft.CST.ApplicationInspector.CLI
- name: Run Analysis
run: |
appinspector analyze \
-s ${{ github.workspace }} \
--output-file-format sarif \
--output-file-path results.sarif \
--single-threaded \
--disable-archive-crawling
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
category: application-inspector
- name: Upload Results
uses: actions/upload-artifact@v4
if: always()
with:
name: application-inspector-results
path: results.sarif
Configuration
Performance Options
# Single-threaded (more stable)
appinspector analyze -s /code --single-threaded
# Increase timeout for large files
appinspector analyze -s /code --file-timeout 500000
# Disable archive scanning (faster)
appinspector analyze -s /code --disable-archive-crawling
# Process only specific languages
appinspector analyze -s /code -l "javascript,typescript,python"
Exclusions
# Exclude paths
appinspector analyze -s /code \
-e "node_modules,vendor,dist,build,__pycache__"
# Exclude file patterns
appinspector analyze -s /code \
-e "*.min.js,*.test.js,*.spec.ts"
Common Use Cases
1. Pre-Audit Technology Discovery
# Generate comprehensive technology report
appinspector analyze -s /code -f html -o tech-report.html
# Review report to understand:
# - What frameworks are used
# - What crypto libraries are present
# - How authentication is implemented
# - What cloud services are integrated
2. Security Feature Inventory
# Find all security-relevant patterns
appinspector analyze -s /code \
-t "Authentication,Authorization,Cryptography,Data.Credentials" \
-f json -o security-inventory.json
3. Compliance Scanning
# Detect PII handling
appinspector analyze -s /code \
-t "Data.PII" \
-f sarif -o pii-report.sarif
# Find credential usage
appinspector analyze -s /code \
-t "Data.Credentials" \
-f sarif -o credentials-report.sarif
Interpreting Results
SARIF Structure
Application Inspector SARIF includes:
- Rules: Each detected pattern/tag
- Results: Specific code locations matching patterns
- Properties: Confidence, severity, tags
- Locations: File path, line number, code snippet
Filter by Severity
# Use SARIF tools to filter
pip install sarif-tools
# Extract critical findings only
sarif summary results.sarif --level error
# Filter by tag
sarif filter --level error --rule-id "DS.*Credentials.*" results.sarif
Limitations
- Not a vulnerability scanner: Identifies patterns, not exploits
- False positives: Regex-based detection can flag legitimate code
- Performance: Large codebases may require single-threaded mode
- Language coverage: Better for common languages (JS, Python, C#, Java)
- No data flow: Can't track how data moves through application
Rationalizations to Reject
| Shortcut | Why It's Wrong | |----------|----------------| | "AppInspector found crypto, so it's secure" | Finding crypto usage doesn't mean it's implemented correctly; manual review required | | "No credentials found = code is clean" | Pattern-based detection misses obfuscated or dynamically constructed secrets | | "High confidence = definite issue" | High confidence means pattern match strength, not security impact | | "Skip single-threaded mode for speed" | Multi-threaded can crash on complex codebases; stability > speed | | "HTML report is enough" | SARIF output enables integration with other tools and automated workflows |
References
- Repository: https://github.com/microsoft/ApplicationInspector
- Documentation: https://github.com/microsoft/ApplicationInspector/wiki
- Default Rules: https://github.com/microsoft/ApplicationInspector/tree/main/AppInspector/rules
- SARIF Spec: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
Related Skills
igbuend/xss-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for Cross-Site Scripting vulnerabilities (CWE-79). Use when generating or reviewing code that renders HTML, handles user input in web pages, uses innerHTML/document.write, or builds dynamic web content. Covers Reflected, Stored, and DOM-based XSS. AI code has 86% XSS failure rate.
4SKILL.mdUpdated Apr 5, 2026
igbuend/xpath-injection-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for XPath injection vulnerabilities (CWE-643). Use when generating or reviewing code that queries XML documents, constructs XPath expressions, or handles user input in XML operations. Detects unescaped quotes and special characters in XPath queries.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-password-hashing-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak password hashing (CWE-327, CWE-759). Use when generating or reviewing code that stores or verifies user passwords. Detects use of MD5, SHA1, SHA256 without salt, or missing password hashing entirely. Recommends bcrypt, Argon2, or scrypt.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-encryption-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak encryption (CWE-326, CWE-327). Use when generating or reviewing code that encrypts data, handles encryption keys, or uses cryptographic modes. Detects DES, ECB mode, static IVs, and custom crypto implementations.
4SKILL.mdUpdated Apr 5, 2026