C# Static Code Analysis: A Developer's Guide

C# and Static Analysis

C# and the .NET platform have strong built-in static analysis support through the Roslyn compiler platform. Unlike many languages where analysis tools are separate from the compiler, Roslyn exposes the compiler's AST and semantic model as a public API — enabling analysis tools to operate with the same depth of understanding as the compiler itself.

This architectural advantage means C# analysis tools are highly accurate and deeply integrated into the development workflow through Visual Studio, Visual Studio Code, and Rider IDE plugins.

Key C# Static Analysis Tools

Roslyn Analyzers

The built-in .NET SDK includes the Microsoft.CodeAnalysis.NetAnalyzers package, which ships with hundreds of analysis rules covering code quality, security, and best practices. These are enabled by default in .NET 5+ projects. Rules cover: API design, globalization, interoperability, maintainability, naming, performance, reliability, security, and usage.

StyleCop Analyzers

Enforces StyleCop coding standards for C#: documentation, layout, maintainability, naming, ordering, readability, and spacing rules. Integrated as Roslyn analyzers, they run in the build pipeline without separate tooling.

SonarQube / SonarCloud

Comprehensive quality and security analysis with a dashboard view. SonarQube C# analysis detects hundreds of bug patterns, security vulnerabilities (including OWASP Top 10), and code smells. The SonarLint Visual Studio extension provides real-time analysis in the IDE.

Security Code Scan

Open-source Roslyn analyzer focused on security vulnerabilities in C# and VB.NET applications. Detects: SQL injection, XSS, path traversal, LDAP injection, CSRF, cryptographic weaknesses, and insecure deserialization. Particularly useful for ASP.NET and ASP.NET Core applications.

Roslynator

A large collection of Roslyn analyzers, refactorings, and fixes. Includes 500+ analyzers covering code quality, style, and simplifications. Many findings come with automatic code fixes.

Common Issues Detected

• SQL injection via string concatenation in SqlCommand or Dapper queries
• XSS via unencoded output in Razor templates
• Insecure deserialization via BinaryFormatter or JavaScriptSerializer
• Hardcoded credentials in connection strings and appsettings
• Cryptographic weaknesses: MD5, SHA1, DES usage
• CSRF protection issues in ASP.NET Core controllers
• Null reference exceptions (with nullable reference types analysis)
• Async/await misuse: async void, deadlocking patterns, ConfigureAwait
• IDisposable resources not properly disposed

Running Static Analysis

.NET CI analysis pipeline:

1. dotnet build -- Roslyn analyzers run as part of compilation with <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
2. dotnet build /p:AnalysisMode=All -- enable all available analyzers
3. dotnet tool run security-scan -- run Security Code Scan
4. Connect to SonarQube: dotnet sonarscanner begin / build / end
5. Configure <CodeAnalysisTreatWarningsAsErrors>true</CodeAnalysisTreatWarningsAsErrors> in project files to fail builds on analysis findings

Nullable Reference Types

C# 8.0 introduced nullable reference types — a compiler feature that distinguishes nullable references (string?) from non-nullable references (string). Enabling nullable analysis in the project file (<Nullable>enable</Nullable>) makes the compiler warn on potential null dereferences. This is one of the most impactful quality improvements available for C# codebases.

Connection to Autonomous Code Governance

Roslyn's rich code fix API means many C# static analysis findings come with suggested fixes built in. Hydra extends this by generating fixes for security findings that Roslyn identifies but doesn't automatically correct — SQL injection, deserialization vulnerabilities, cryptographic weaknesses — verifying them with unit tests and delivering convention-matched PRs that pass the full .NET analysis pipeline.