DevSkim is a framework of IDE extensions and language analyzers that provide inline security analysis in the dev environment as the developer writes code. The repository contains:
- DevSkim Library (C#/.NET): Core security analysis engine (`./DevSkim-DotNet/`)
- DevSkim CLI (C#/.NET): Command-line tool (`./DevSkim-DotNet/Microsoft.DevSkim.CLI/`)
- Visual Studio Extension (C#/.NET): VS extension (`./DevSkim-DotNet/Microsoft.DevSkim.VisualStudio/`)
- VS Code Plugin (TypeScript): VSCode extension (`./DevSkim-VSCode-Plugin/`)
- Security Rules: Default rules and guidance (`./rules/default/`, `./guidance/`)

## Private feeds

- `nuget.config`: Contains private feed configuration (`PublicRegistriesFeed`)
- `.npmrc` files: VSCode plugin uses `.npmrc.pipeline` for private feeds
Rules for agents:
- You MAY temporarily modify `nuget.config` or `.npmrc` files to use public feeds (nuget.org, npmjs.com) when working locally
- You MUST NOT commit these changes - always revert them before committing
- Use `git restore nuget.config` or `git restore DevSkim-VSCode-Plugin/.npmrc.pipeline` before creating commits
- The private feed configuration must remain in the repository commits
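A guard for the feed rules above, written as an added example rather than anything shipped with DevSkim: it parses a `nuget.config` and an `.npmrc.pipeline` and reports whether the `PublicRegistriesFeed` source is still present and whether either file has been pointed at a public registry, so it can be run before `git commit` to catch a forgotten `git restore`. The file contents are constructed samples with placeholder URLs, because the real private feed addresses are not on this page; the function names (`check_nuget_config`, `check_npmrc`, `pre_commit_check`) are this example's own.

```python
"""Pre-commit guard for the private-feed rules (added example, not DevSkim code)."""
import re
import xml.etree.ElementTree as ET

PRIVATE_FEED_KEY = "PublicRegistriesFeed"              # key named in the repo notes
PUBLIC_HOSTS = ("api.nuget.org", "registry.npmjs.org")  # public feeds that must not be committed


def check_nuget_config(xml_text: str) -> list[str]:
    """Return a list of problems; an empty list means nuget.config is safe to commit."""
    problems = []
    root = ET.fromstring(xml_text)
    # nuget.config lists feeds as <packageSources><add key=... value=.../></packageSources>
    sources = {add.get("key"): add.get("value", "") for add in root.iterfind("./packageSources/add")}
    if PRIVATE_FEED_KEY not in sources:
        problems.append(f"nuget.config: private feed '{PRIVATE_FEED_KEY}' is missing")
    for key, url in sources.items():
        if any(host in url for host in PUBLIC_HOSTS):
            problems.append(f"nuget.config: source '{key}' points at a public feed ({url})")
    return problems


def check_npmrc(npmrc_text: str) -> list[str]:
    """Flag `registry=` and scoped `@scope:registry=` lines that point at the public npm registry."""
    problems = []
    for lineno, raw in enumerate(npmrc_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^(?:@[\w-]+:)?registry=(.+)$", line)
        if m and any(host in m.group(1) for host in PUBLIC_HOSTS):
            problems.append(f".npmrc.pipeline line {lineno}: public registry {m.group(1)}")
    return problems


def pre_commit_check(nuget_text: str, npmrc_text: str) -> list[str]:
    """Combine both checks; run this on the files as they will be committed."""
    return check_nuget_config(nuget_text) + check_npmrc(npmrc_text)


# Constructed sample files (placeholder URLs, not the repository's real feeds).
COMMITTED_NUGET_CONFIG = """<configuration>
  <packageSources>
    <clear />
    <add key="PublicRegistriesFeed" value="https://PRIVATE-FEED-PLACEHOLDER/nuget/v3/index.json" />
  </packageSources>
</configuration>
"""
LOCAL_NUGET_CONFIG = """<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>
"""
COMMITTED_NPMRC = "registry=https://PRIVATE-FEED-PLACEHOLDER/npm/registry/\nalways-auth=true\n"
LOCAL_NPMRC = "; switched to the public registry for local work\nregistry=https://registry.npmjs.org/\n"

if __name__ == "__main__":
    for name, nuget, npmrc in (("committed", COMMITTED_NUGET_CONFIG, COMMITTED_NPMRC),
                               ("local", LOCAL_NUGET_CONFIG, LOCAL_NPMRC)):
        found = pre_commit_check(nuget, npmrc)
        print(f"{name}: {'OK' if not found else 'BLOCK COMMIT'}")
        for p in found:
            print("  -", p)
```

To use it on the working tree, read the two files named in the rules (`nuget.config` and `DevSkim-VSCode-Plugin/.npmrc.pipeline`) and refuse to commit while `pre_commit_check` returns anything; the `<clear />` element is ignored on purpose, since only `<add>` entries define feeds.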
## Changelog.md

- This project uses squash merges
- PR gate checks verify `Changelog.md` is updated
- Format follows Keep a Changelog
- Use semantic versioning: `[MAJOR.MINOR.PATCH]`
When making changes:
- Add a new entry at the top of `Changelog.md` (after the header)
- Use the next patch version (increment last number by 1)
- Use today's date in YYYY-MM-DD format
- Group changes by type: `### Fix`, `### Added`, `### Changed`, `### Dependencies`, `### Pipeline`, etc.
- Write clear, actionable descriptions
Example:
```markdown
## [1.0.72] - 2026-02-04
### Added
- Added Copilot instructions for repository-specific guidance
### Changed
- Updated build documentation
```
## VS Code Plugin

Location: `./DevSkim-VSCode-Plugin/`

Setup:
```bash
cd DevSkim-VSCode-Plugin
npm run setup          # Install dependencies and build .NET language server
npm run setup:release  # Release build
```

Build:
```bash
npm run compile  # Compile TypeScript
npm run build    # Full build (setup + compile)
npm run watch    # Watch mode for development
```

Lint:
```bash
npm run lint  # Run ESLint on TypeScript files
```

Package:
```bash
npm run pack-ext        # Package extension for release
npm run pack-ext:debug  # Package extension for debug
```

## .NET Projects

Location: `./DevSkim-DotNet/`

Build:
```bash
cd DevSkim-DotNet
dotnet build Microsoft.DevSkim.sln
dotnet build -c Release Microsoft.DevSkim.sln
```

Test:
```bash
cd DevSkim-DotNet
dotnet test Microsoft.DevSkim.Tests/Microsoft.DevSkim.Tests.csproj
```

Run CLI:
```bash
cd DevSkim-DotNet/Microsoft.DevSkim.CLI
dotnet run -- analyze --source-code <path>
```

## Language Server

Build:
```bash
cd DevSkim-DotNet/Microsoft.DevSkim.LanguageServer
dotnet publish -c Debug -f net8.0 -o ../../DevSkim-VSCode-Plugin/devskimBinaries
dotnet publish -c Release -f net8.0 -o ../../DevSkim-VSCode-Plugin/devskimBinaries
```

## Code Style

C#:
- Follow standard C# naming conventions
- Use meaningful variable and method names
- Add XML documentation comments for public APIs
- Security-focused: prioritize secure defaults

TypeScript:
- Use ESLint configuration in `DevSkim-VSCode-Plugin/.eslintrc.js`
- Follow TypeScript best practices
- Use type annotations
- Avoid `any` types when possible
## Security Rules

- Rules are JSON files in `./rules/default/`
- Each rule has corresponding guidance in `./guidance/`
- Follow existing rule patterns when adding new rules

Adding a new rule:
- Create JSON rule in `./rules/default/`
- Create guidance markdown in `./guidance/` with rule ID
- Test rule with DevSkim CLI
- Update tests if applicable
- Update Changelog.md
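A consistency check for the rule-adding steps above, added as an example and not part of DevSkim. It assumes the rule-file layout DevSkim's default rules use (a JSON array of rule objects with `id`, `name`, `description`, `severity`, `patterns`, and a `rule_info` field naming the guidance markdown file) and that rule IDs take the form `DS` followed by six digits; both are assumptions to confirm against an existing file under `./rules/default/`. The rule objects and the guidance file list below are constructed samples, and `check_rule` / `check_rules_file` are this example's own names.

```python
"""Check a new rule file against its guidance (added example, not DevSkim code)."""
import json
import re

# Assumption: DevSkim rule ids look like DS123456 and guidance files are named <id>.md.
ID_RE = re.compile(r"^DS\d{6}$")
REQUIRED_FIELDS = ("name", "description", "severity", "patterns")


def check_rule(rule: dict, guidance_files: set[str]) -> list[str]:
    """Return problems for one rule object; an empty list means it is consistent."""
    problems = []
    rule_id = rule.get("id", "")
    if not ID_RE.match(rule_id):
        problems.append(f"rule id '{rule_id}' does not match DS######")
    for field in REQUIRED_FIELDS:
        if not rule.get(field):
            problems.append(f"{rule_id}: missing '{field}'")
    # Regex patterns are compiled so a typo fails here instead of at analysis time.
    for i, pat in enumerate(rule.get("patterns", [])):
        if pat.get("type") == "regex":
            try:
                re.compile(pat.get("pattern", ""))
            except re.error as exc:
                problems.append(f"{rule_id}: pattern {i} is not a valid regex ({exc})")
    info = rule.get("rule_info", "")
    if info != f"{rule_id}.md":
        problems.append(f"{rule_id}: rule_info should be '{rule_id}.md', got '{info}'")
    elif info not in guidance_files:
        problems.append(f"{rule_id}: guidance file ./guidance/{info} is missing")
    return problems


def check_rules_file(json_text: str, guidance_files: set[str]) -> list[str]:
    """Validate a whole rule file: JSON array, unique ids, each rule consistent."""
    rules = json.loads(json_text)
    if not isinstance(rules, list):
        return ["rule file must contain a JSON array of rules"]
    problems, seen = [], set()
    for rule in rules:
        rule_id = rule.get("id")
        if rule_id in seen:
            problems.append(f"duplicate rule id {rule_id}")
        seen.add(rule_id)
        problems.extend(check_rule(rule, guidance_files))
    return problems


# Constructed sample rules (placeholder ids; not rules from ./rules/default/).
SAMPLE_RULES_JSON = r"""[
  {
    "name": "Weak hash algorithm (constructed sample rule)",
    "id": "DS000001",
    "description": "MD5 is not collision resistant.",
    "recommendation": "Use SHA-256 or stronger.",
    "applies_to": ["csharp"],
    "tags": ["Cryptography.HashAlgorithm.Weak"],
    "severity": "important",
    "rule_info": "DS000001.md",
    "patterns": [{"pattern": "MD5\\.Create\\(", "type": "regex", "scopes": ["code"]}]
  }
]"""
BAD_RULES_JSON = r"""[
  {
    "name": "Broken sample rule",
    "id": "DS000002",
    "description": "Has an invalid regex and a mismatched guidance file name.",
    "severity": "moderate",
    "rule_info": "guidance.md",
    "patterns": [{"pattern": "(", "type": "regex", "scopes": ["code"]}]
  }
]"""

if __name__ == "__main__":
    # In the repository this set would be built from os.listdir("guidance").
    guidance = {"DS000001.md", "DS000002.md"}
    for label, text in (("sample", SAMPLE_RULES_JSON), ("bad", BAD_RULES_JSON)):
        print(label, check_rules_file(text, guidance) or "OK")
```

In the repository the `guidance_files` set comes from listing `./guidance/`; running the check over `./rules/default/*.json` before `Test rule with DevSkim CLI` catches the two mistakes the steps warn about, a rule without its guidance file and a guidance file that does not carry the rule ID.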
## Dependencies

- For .NET: Use `dotnet add package` or edit `.csproj` files
- For npm: Use `npm install` or edit `package.json`
- Document in Changelog.md under `### Dependencies`

## Debugging

- VS Code plugin: Use F5 in VS Code to launch Extension Development Host
- .NET projects: Use Visual Studio or `dotnet run`
- Language Server: Attach debugger to running process

## Git Workflow

- Changes are made on feature branches
- PRs target the `main` branch
- PRs require:
  - Changelog.md update
  - Passing CI/CD checks
  - Code review approval
- Merges use squash merge strategy