
This repo is the official home of .NET on GitHub. It's a great starting point to find many .NET OSS projects from Microsoft and the community, including many that are part of the .NET Foundation.


.NET Home

This repository is a starting point to learn about and engage in .NET and .NET open source projects.

This repository is not an official .NET Framework support location; however, we will respond to issues filed here as best we can. Please file .NET Core product issues at dotnet/core and ASP.NET Core product issues at aspnet/home.

You can try out an early access release of the .NET Framework at the .NET Framework Early Access website.


Snyk Security Testing Guide

This guide walks you through scanning this .NET repository for security vulnerabilities using Snyk. Follow these steps to perform Software Composition Analysis (SCA) and Static Application Security Testing (SAST), then monitor results in the Snyk dashboard.

Understanding Test vs Monitor

Snyk provides two ways to scan and track vulnerabilities:

Command                  | Purpose                                     | Dashboard | Continuous monitoring
snyk test                | Run a local scan, view results in terminal  | No        | No
snyk monitor             | Upload scan results to Snyk dashboard       | Yes       | Yes - alerts on new vulnerabilities
snyk code test           | Run SAST scan locally                       | No        | No
snyk code test --report  | Upload SAST results to dashboard            | Yes       | No - snapshot only

Key differences:

  • snyk test - Scans your project and displays results locally. Use this for quick checks during development. Results are not saved to the dashboard.

  • snyk monitor - Uploads a snapshot of your dependencies to the Snyk dashboard. Snyk will continuously monitor for new vulnerabilities and alert you when new issues are discovered, even after the scan completes. This is only available for SCA (open source) scans.

  • snyk code test --report - Uploads SAST results to the dashboard as a point-in-time snapshot. Unlike monitor, there is no continuous monitoring for SAST scans. You must re-run the command to get updated results.

Important: There is no snyk code monitor command. SAST scans use snyk code test --report to upload results to the dashboard, but this creates a snapshot rather than enabling continuous monitoring.

Prerequisites

Before you begin, ensure you have the following installed:

Step 1: Get the Repository

Option A: Clone with Git

git clone https://github.com/varner-tech/dotnetsample.git
cd dotnetsample

Option B: Download ZIP

If you don't have Git installed, download the repository as a ZIP file:

  1. Go to https://github.com/varner-tech/dotnetsample
  2. Click the green Code button
  3. Select Download ZIP
  4. Extract the ZIP file and open a terminal in that directory

Step 2: Authenticate with Snyk

Log in to your Snyk account to enable dashboard monitoring:

snyk auth

This opens a browser window. Complete the authentication, then return to your terminal.

Step 3: Restore .NET Dependencies

This step is required before SCA scanning. The dotnet restore command generates the project.assets.json file (under each project's obj/ directory) that Snyk reads to resolve the NuGet dependency graph; without it, Snyk has no target file to analyze.

dotnet restore src/bc-readme-gen/bcreadgen.csproj

Note: If your project has a solution file (.sln) in the root directory, you can simply run dotnet restore without specifying a path.

Step 4: Run SCA Scan (Software Composition Analysis)

Scan all projects for known vulnerabilities in open source dependencies:

snyk test --all-projects

This scans all .NET projects in the repository and displays vulnerabilities locally in your terminal.

Step 5: Monitor in Snyk Dashboard (SCA)

Upload your SCA scan results to the Snyk dashboard for continuous monitoring:

snyk monitor --all-projects --project-name-prefix="sca/"

This creates a project named sca/dotnetsample in the Snyk dashboard.

Step 6: Run SAST Scan (Snyk Code)

Scan your source code for security issues using static analysis:

snyk code test

Step 7: Upload Code Scan to Dashboard

Upload your SAST results to the Snyk dashboard:

snyk code test --report --project-name="sast/dotnetsample"

This creates a project named sast/dotnetsample in the Snyk dashboard.

Note: SCA and SAST scans appear as separate targets in the Snyk dashboard. This is by design: Snyk Open Source (SCA) and Snyk Code (SAST) are different products with different scan types. Use the sca/ and sast/ prefixes to easily identify which scan type each project represents.
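The following wrapper script is an added example and is not part of the dotnetsample repository: it runs Steps 2 through 7 above in order, restores only when the project.assets.json that Snyk needs is missing, and treats the Snyk CLI exit codes correctly (snyk test exits 1 when it finds vulnerabilities, which is a successful scan that should still be followed by snyk monitor; 3 means no supported target files were found, which for .NET almost always means a missing restore). It assumes the snyk CLI and the .NET SDK are on PATH; the project path and the sca/ and sast/dotnetsample names are the ones used in this guide, and the SNYK_TOKEN check is an assumption that a token may already be configured in CI.

```shell
#!/bin/sh
# Added example (not from the dotnetsample repository): runs the SCA + SAST
# workflow from the guide end to end. Assumes snyk and dotnet are on PATH.
set -eu

CSPROJ="src/bc-readme-gen/bcreadgen.csproj"   # project file used in the guide
SCA_PREFIX="sca/"                              # prefix for SCA dashboard projects
SAST_NAME="sast/dotnetsample"                  # exact name for the SAST project

# True when 'dotnet restore' has already produced obj/project.assets.json
# next to the given project file (the file Snyk reads for NuGet dependencies).
assets_present() {
  [ -f "$(dirname "$1")/obj/project.assets.json" ]
}

# Map a snyk CLI exit code to the decision the pipeline should take.
# Documented codes: 0 no issues, 1 issues found, 2 scan failure,
# 3 no supported target files detected.
interpret_exit() {
  case "$1" in
    0) echo "clean" ;;
    1) echo "issues" ;;
    3) echo "restore" ;;
    *) echo "error" ;;
  esac
}

# Step 3: restore only when needed so repeat runs stay fast.
ensure_restored() {
  if assets_present "$1"; then
    echo "restore output already present for $1"
  else
    dotnet restore "$1"
  fi
}

# Steps 4-5: local SCA scan, then upload a snapshot for continuous monitoring.
# A non-zero exit from 'snyk test' must not abort the script under set -e,
# because exit 1 only means vulnerabilities were found.
run_sca() {
  rc=0
  snyk test --all-projects || rc=$?
  case "$(interpret_exit "$rc")" in
    clean|issues) snyk monitor --all-projects --project-name-prefix="$SCA_PREFIX" ;;
    restore) echo "snyk found no target files; run dotnet restore first" >&2; return 1 ;;
    *) echo "snyk test failed (exit $rc)" >&2; return 1 ;;
  esac
}

# Steps 6-7: local SAST scan, then a point-in-time upload. There is no
# 'snyk code monitor', so this snapshot is not continuously re-evaluated.
run_sast() {
  rc=0
  snyk code test || rc=$?
  case "$(interpret_exit "$rc")" in
    clean|issues) snyk code test --report --project-name="$SAST_NAME" ;;
    *) echo "snyk code test failed (exit $rc)" >&2; return 1 ;;
  esac
}

main() {
  command -v snyk >/dev/null || { echo "snyk CLI not found on PATH" >&2; exit 2; }
  command -v dotnet >/dev/null || { echo ".NET SDK not found on PATH" >&2; exit 2; }
  # Step 2: interactive 'snyk auth' only when no token is configured (assumption).
  [ -n "${SNYK_TOKEN:-}" ] || snyk auth
  ensure_restored "$CSPROJ"
  run_sca
  run_sast
}

# The pipeline only runs when invoked as './snyk-scan.sh run', so the helper
# functions can be sourced and checked without touching the network.
case "${1:-}" in
  run) main ;;
esac
```

Run it from the repository root as ./snyk-scan.sh run. The exit-code handling is the part worth copying into a CI job: a plain `set -e` script would stop at snyk test the first time a vulnerability is found and never upload the monitor snapshot, which is exactly when you want the dashboard to start tracking it.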


Command Summary

Task                      | Command
Clone repository          | git clone https://github.com/varner-tech/dotnetsample.git
Authenticate with Snyk    | snyk auth
Restore .NET dependencies | dotnet restore src/bc-readme-gen/bcreadgen.csproj
SCA scan (local)          | snyk test --all-projects
SCA scan + dashboard      | snyk monitor --all-projects --project-name-prefix="sca/"
SAST scan (local)         | snyk code test
SAST scan + dashboard     | snyk code test --report --project-name="sast/dotnetsample"

.NET-Specific Options

Scanning Solution Files

To scan a specific solution file:

snyk test --file=MySolution.sln --all-projects

Understanding Snyk Targets

SCA (Snyk Open Source) and SAST (Snyk Code) scans appear as separate targets in the Snyk dashboard. This is expected behavior: they are different Snyk products with different scan types.

Dashboard structure:

  • Open Source target: Contains sca/projectname (dependency vulnerabilities)
  • Snyk Code target: Contains sast/projectname (code vulnerabilities)

Use clear naming prefixes to easily identify scan types:

For SCA scans:

snyk monitor --all-projects --project-name-prefix="sca/"

For SAST scans:

snyk code test --report --project-name="sast/projectname"

Key flags:

  • --project-name-prefix - Adds prefix for SCA projects (used with --all-projects)
  • --project-name - Sets exact name for SAST scans

Troubleshooting

"Could not detect supported target files"

Cause: The project.assets.json file is missing, so Snyk finds no NuGet target file to analyze. With --all-projects this applies to every project in the repository: each one must have been restored.

Solution: Run dotnet restore before scanning:

dotnet restore src/bc-readme-gen/bcreadgen.csproj
snyk test --all-projects

Scanning a Fresh Clone

When scanning a repository you've just cloned, always restore dependencies first:

git clone https://github.com/varner-tech/dotnetsample.git
cd dotnetsample
dotnet restore src/bc-readme-gen/bcreadgen.csproj
snyk test --all-projects

Authentication Issues

If you receive authentication errors, re-authenticate:

snyk auth

Verbose Output for Debugging

Add -d for debug output to troubleshoot issues:

snyk test --all-projects -d

Organizing Projects with Collections

Since SCA and SAST scans appear as separate targets in the Snyk dashboard, you can use Project Collections to organize and group them together for easier management.

What are Project Collections?

Project Collections allow you to aggregate and organize Projects from multiple targets into a single view. This is especially useful when:

  • You have SCA and SAST scans from the same repository appearing as separate targets
  • You want to group projects by team, application, or business unit
  • You need to perform bulk actions across multiple projects

Creating a Collection

  1. Go to your Projects page in the Snyk dashboard
  2. Select the Collections tab
  3. Click Create collection
  4. Enter a name for your collection (e.g., "dotnetsample - All Scans")
  5. Add projects from both your SCA and SAST targets to the collection

Benefits of Collections

  • Unified View: See all related projects (SCA + SAST) in one place
  • Bulk Actions: Delete, activate, or deactivate multiple projects at once
  • Reporting: Generate reports across all projects in a collection
  • Team Collaboration: Share saved views with your organization

Automated Collections (Early Access)

Snyk can automatically group projects by repository URL. When enabled:

  • Projects from the same repo (even from different integrations like SCM and CLI) are grouped together
  • Automated collections are identified by a different icon and named by repo URL
  • This helps manage duplicate targets from different scan sources

To enable Automated Collections:

  1. Go to Organization Settings
  2. Find the Automated Collections option
  3. Enable the feature

Note: Automated Collections is an Early Access feature available to Enterprise customers. It currently supports GitHub, GitHub Enterprise, GitLab, Bitbucket Cloud, and Azure integrations. CLI-based scans and SAST scans uploaded via snyk code test --report are not automatically grouped.

Resources


In this repository

Please contribute to this repository via pull requests

Finding .NET Open Source Projects

Here are some excellent community-maintained lists of projects:

There are many projects that you can use and contribute to, some of which are listed below. Please do contribute to these projects!

.NET Core

.NET Framework

Xamarin

Community

Here is a short list of projects to check out:

There are additional templates available for dotnet new. For more information, see Available templates for dotnet new

.NET Foundation

Many .NET open source projects are part of the .NET Foundation. Microsoft has contributed many projects, including ASP.NET Core and .NET Core. You may want to consider joining the .NET Foundation.

Check out the .NET Foundation Forums to see what others are talking about, or start a new discussion to ask a question or make a point.

License

This repository is licensed with the MIT license.
