PrimusSaaS.Security
2.2.0
dotnet add package PrimusSaaS.Security --version 2.2.0
PrimusSaaS.Security
Version: 1.0.0-preview.1
PrimusSaaS.Security is a local-first security scanning module for .NET applications. It includes secret detection, dependency scanning (via a local CVE database), and Roslyn analyzers for common vulnerability patterns.
Status
- Preview release.
- Dependency scanning requires a local CVE database you provide.
- Static analysis runs via Roslyn analyzers at compile time (not via ScanAsync).
Quick Start
```
dotnet add package PrimusSaaS.Security --prerelease
```

```csharp
using PrimusSaaS.Security;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddPrimusSecurity(options =>
{
    options.EnableStaticAnalysis = true;
    options.EnableDependencyScanning = true;
    options.EnableSecretDetection = true;
    options.ComplianceStandards = new[] { "OWASP", "PCI-DSS" };
});

var app = builder.Build();
app.Run();
```
Data Isolation
The module is designed to run locally and does not make outbound network calls by default. If you enable a cloud provider or add custom integrations, data egress depends on your configuration. Validate your deployment with your own network controls and monitoring.
CVE Database
Dependency scanning uses a local SQLite CVE database. You must provide the database file (cve-database.db) and configure CveDatabasePath.
The repository includes a scaffolding tool at tools/CveAggregator, but it is not production-ready yet. If you need a full CVE pipeline, use your own trusted data source and update process.
Known Limitations
- ScanAsync does not run Roslyn analyzers; those run during build/CI.
- Dependency scanning is disabled if the CVE database file does not exist.
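Because dependency scanning is disabled when the database file is absent, a startup check can fail fast instead of running without it. The following is an added example, not code from the PrimusSaaS.Security project: the `CveDatabaseGuard` class, the `Primus:CveDatabasePath` configuration key and the 7-day age limit are hypothetical, and `CveDatabasePath` is assumed to be a property on the options object.

```csharp
using System;
using System.IO;
using Microsoft.Data.Sqlite;
using PrimusSaaS.Security;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical configuration key; falls back to the file name the README uses.
var cveDbPath = Path.GetFullPath(
    builder.Configuration["Primus:CveDatabasePath"] ?? "cve-database.db");

// Fail startup rather than run with dependency scanning disabled.
CveDatabaseGuard.EnsureUsable(cveDbPath, maxAge: TimeSpan.FromDays(7));

builder.Services.AddPrimusSecurity(options =>
{
    options.EnableDependencyScanning = true;
    options.CveDatabasePath = cveDbPath; // assumed property on the options object
});
builder.Build().Run();

// Hypothetical helper, not part of PrimusSaaS.Security.
static class CveDatabaseGuard
{
    public static void EnsureUsable(string path, TimeSpan maxAge)
    {
        if (!File.Exists(path))
            throw new FileNotFoundException("CVE database not found.", path);

        // A stale database misses recently published advisories.
        var age = DateTime.UtcNow - File.GetLastWriteTimeUtc(path);
        if (age > maxAge)
            throw new InvalidOperationException($"CVE database is {age.TotalDays:F0} days old.");

        // Read-only mode: never create or modify the file being checked.
        var cs = new SqliteConnectionStringBuilder
        { DataSource = path, Mode = SqliteOpenMode.ReadOnly }.ToString();
        using var conn = new SqliteConnection(cs);
        conn.Open();
        using var cmd = conn.CreateCommand();

        // Throws SqliteException if the file is not a SQLite database.
        cmd.CommandText = "PRAGMA quick_check;";
        if ((cmd.ExecuteScalar() as string) != "ok")
            throw new InvalidDataException("CVE database failed quick_check.");

        // Schema-agnostic check that the file is not an empty placeholder.
        cmd.CommandText = "SELECT count(*) FROM sqlite_master WHERE type = 'table';";
        if (Convert.ToInt64(cmd.ExecuteScalar()) == 0)
            throw new InvalidDataException("CVE database contains no tables.");
    }
}
```

The same guard can run as a CI step before the scan so that a missing or stale database fails the build rather than producing a report with no dependency findings.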
License
MIT License - see LICENSE file for details.
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net9.0 is compatible. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 was computed. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
- net9.0
  - Microsoft.CodeAnalysis.CSharp (>= 4.8.0)
  - Microsoft.CodeAnalysis.CSharp.Workspaces (>= 4.8.0)
  - Microsoft.Data.Sqlite (>= 8.0.0)
  - Microsoft.Extensions.DependencyInjection.Abstractions (>= 8.0.0)
  - Microsoft.Extensions.Logging.Abstractions (>= 8.0.0)
  - Microsoft.Extensions.Options (>= 8.0.0)
  - NuGet.Versioning (>= 7.0.1)
  - PrimusSaaS.Security.Contracts (>= 2.2.0)
NuGet packages (3)
Showing the top 3 NuGet packages that depend on PrimusSaaS.Security:
| Package | Downloads |
|---|---|
| PrimusSaaS.Security.AI: AI-powered remediation agent for the PrimusSaaS Security scanner. Connects to Azure OpenAI and GitHub Models to generate fix explanations, threat narratives, and enhanced before/after code patches. Includes prompt injection detection to prevent adversarial inputs. | |
| PrimusSaaS.Security.Reporting: Security reporting, compliance mapping, and branded HTML/PDF report generation for the Primus Security Suite. Produces SARIF 2.1.0, OWASP Top 10 2021 JSON/Markdown/PDF, CWE/OWASP/PCI-DSS/GDPR compliance scores, and pixel-perfect corporate HTML reports matching the Primus design system. Includes HtmlFormatter, PdfFormatter, SarifFormatter, JsonFormatter, CsvFormatter, ComplianceMapper, and SecurityReportGenerator with full triage/patch-coverage data. | |
| PrimusSaaS.Security.Heuristics: Heuristic behavioral analyzer for detecting suspicious runtime patterns. | |
v2.2.0 (March 2026):
- Phase 7: Token-based code duplication detection (Rabin-Karp sliding window).
  EnableDuplicationDetection opt-in, configurable MinBlockTokens, QualityGate.MaxDuplicateBlocks.
  DuplicationReport surfaced on ScanResult with DuplicatedPercent metric.
  --duplication / --max-duplication CLI flags.
- Phase 8: VS Code extension (primus-security-1.0.0.vsix).
  Real-time findings panel, inline diagnostics + severity decorations,
  one-click patch apply, rule explain WebviewPanel, scan-on-save.
- Fixed 20 duplicate DiagnosticIds in batch-3 analyzers (now PS0041-PS0062 unique).
- 67-entry rule catalog (was 40) — all 60 analyzers fully documented.
- SARIF properties now include securityRating, overallRating, duplicateBlocks,
  duplicationPercent, crossFileTaintFindings, suppressedCount.
- MCP manifest updated to v2.2.0 with accurate tool descriptions.
- 172/173 tests passing (1 PDF skip — environment-only).
v2.1.0 (March 2026):
- 60 Roslyn SAST analyzers (was 13): JWT, CORS, CSRF, unsafe random, stack trace,
  EF raw SQL, insecure file upload, LDAP injection, ReDoS, disabled TLS, ECB, and 35+ more.
- 100 secret detection patterns (was 30).
- A–E security ratings on ScanResult (SonarQube Developer Edition parity).
- .primus-suppressions.json persistent triage store with full audit trail.
- CLI --suppressions flag. ReportingService populates QualityGateStatus, TriageSummary.
- Phase 1: Cross-file taint analysis (MethodCallGraph, CrossFileTaintPropagator/Engine).
- All 4 packages build 0 errors on net6–net9. Self-scan verified: PASSED.