dg-code 1.0.0-beta.8

This is a prerelease version of dg-code.
dotnet tool install --global dg-code --version 1.0.0-beta.8

This package contains a .NET tool you can call from the shell/command line.

dotnet new tool-manifest # if you are setting up this repo
dotnet tool install --local dg-code --version 1.0.0-beta.8

#tool dotnet:?package=dg-code&version=1.0.0-beta.8&prerelease

nuke :add-package dg-code --version 1.0.0-beta.8
                    

dg-code - IronBox DataGuard Code Analyzer

Beta Release: This software is in beta. Features may change and some functionality may be incomplete. Please report issues to support@ironbox.io.

Roslyn-based security analyzer for C#/.NET projects with 400+ rules covering multiple Azure services (Storage, Key Vault, Cosmos DB, SQL, Service Bus, Functions, and more). Collects evidence for compliance workflows. SARIF output for GitHub Actions and Azure DevOps.

Quick Start

# Install (use --prerelease during beta)
dotnet tool install --global dg-code --prerelease

# Scan a solution
dg-code scan --path ./MySolution.sln

# Generate SARIF for CI/CD
dg-code scan --path ./src --format sarif --output results.sarif

Features

  • 400+ Security Rules - Covering Azure Storage, Key Vault, Cosmos DB, SQL, Service Bus, Event Hubs, Functions, App Service, Redis, and more
  • Automatic Profiling - Full code profiling runs before analysis to gather context (files, lines, namespaces, dependencies)
  • Privacy-First Telemetry - Anonymous metrics only (counts), enabled by default, easily disabled with --no-telemetry
  • SARIF Output - Industry standard format for GitHub Actions and Azure DevOps integration
  • Baseline Support - Incremental adoption without breaking existing builds
  • Scope Filtering - Target specific Azure services or rule categories
  • Parallel Execution - Fast scanning of large solutions
  • Evidence Collection - Collect findings for compliance workflows

Installation

Install as a .NET global tool:

# Install (use --prerelease during beta)
dotnet tool install --global dg-code --prerelease

Update to latest version:

dotnet tool update --global dg-code

Uninstall:

dotnet tool uninstall --global dg-code

Usage

dg-code --help

Commands

scan - Security Analysis (Primary Command)

Scan C# solutions or projects for security issues. Automatically runs full code profiling before analysis to gather context (code metrics, namespaces, dependencies).

Basic usage:

dg-code scan --path MySolution.sln

SARIF output for CI:

dg-code scan --path ./src --format sarif --output results.sarif

Filter by severity:

dg-code scan --path MySolution.sln --severity warning

Filter by Azure service:

# Scan only Azure Storage issues
dg-code scan --path MySolution.sln --service MSAzureStorage

# Scan multiple services
dg-code scan --path MySolution.sln --service MSAzureStorage,MSAzureCosmosDB

Use with baseline (incremental adoption):

dg-code scan --path MySolution.sln --baseline baseline.json

Disable telemetry:

# Telemetry is enabled by default (anonymous metrics only: lines scanned, findings count)
dg-code scan --path MySolution.sln --no-telemetry

Options:

  • --path - Path to solution (.sln) or project (.csproj) - required
  • --format - Output format: console (default), msbuild, sarif, json
  • --output - Output file path (auto-quiets progress when used with sarif/json)
  • --severity - Minimum severity: hidden, info, warning, error
  • --fail-on - Exit with error on: never, info, warning, error (default)
  • --service - Filter by Azure service (comma-separated)
  • --baseline - Baseline file for incremental adoption
  • --include-snippets - Include source code snippets in findings (default: off)
  • --parallel - Enable parallel execution (default: true)
  • --quiet - Suppress progress output
  • --verbose - Enable verbose output
  • --no-telemetry - Disable anonymous usage telemetry

Telemetry (Privacy-First):

By default, dg-code sends anonymous usage metrics to help improve the tool:

  • CLI version
  • Lines of code scanned (count only)
  • Number of findings by severity (counts only)
  • Analyzer IDs that triggered (with counts)
  • Scan duration

What we never collect: Project names, file names, file paths, code snippets, repository information, scan IDs, or any identifying information. Use --no-telemetry to disable completely.

Output Formats:

  • console - Detailed text report with findings, summary box at end showing totals and telemetry status (default)
  • msbuild - MSBuild/compiler-style output, parseable by grep and CI tools
    src/MyService.cs(42,15): error DG_0003_00001: Hardcoded connection string detected
    src/Config.cs(18,8): warning DG_0016_00005: Missing timeout configuration
    
  • sarif - SARIF 2.1.0 standard - integrates with GitHub, Azure DevOps, VS Code
  • json - JSON summary with project details

Console Output Example:

================================================================================
SCAN COMPLETE
--------------------------------------------------------------------------------
Total Findings:  12
  Errors:        3
  Warnings:      7
  Info:          2
Projects:        5 analyzed, 0 failed
Execution Time:  3.45s
Telemetry:       Uploaded, anonymized
Exit Code:       2
================================================================================

baseline - Manage Baselines

Create and manage baselines for incremental adoption.

# Create baseline from current findings
dg-code baseline create --path MySolution.sln --output baseline.json

# Scan using baseline (only new issues fail build)
dg-code scan --path MySolution.sln --baseline baseline.json

list-services - Discover Available Services

dg-code list-services

list-analyzers - Discover Available Analyzers

dg-code list-analyzers
dg-code list-analyzers --service MSAzureStorage

profile - Code Profiling and Bill of Materials

Generate comprehensive profile reports including code metrics, dependency information, and Bill of Materials.

Basic usage:

dg-code profile --path MySolution.sln

Output formats:

# Human-readable output (default)
dg-code profile --path MySolution.sln

# JSON output for programmatic consumption
dg-code profile --path MySolution.sln --format json

# Markdown report
dg-code profile --path MySolution.sln --format markdown --output profile.md

# HTML report
dg-code profile --path MySolution.sln --format html --output profile.html

Include transitive dependencies:

# Include only direct dependencies (default)
dg-code profile --path MySolution.sln

# Include transitive (indirect) dependencies
dg-code profile --path MySolution.sln --include-transitive

Profile output includes:

  • Code Metrics: Lines of code (with and without comments), file count
  • Framework Info: Target framework, language version
  • Bill of Materials: All package references with versions
  • Namespace Analysis: Namespaces used in the codebase
  • Using Directives: External dependencies referenced

Options:

Option                     Description
--path, -p                 Path to solution (.sln) or project (.csproj) file (required)
--format, -f               Output format: Human (default), Json, Markdown, or Html
--output, -o               Output file path (writes to console if not specified)
--include-transitive, -t   Include transitive package dependencies
--verbose, -v              Show detailed progress information

CI/CD Integration

GitHub Actions

name: Security Scan

on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'

      - name: Install dg-code
        run: dotnet tool install --global dg-code --prerelease

      - name: Run Security Scan
        run: dg-code scan --path ./MySolution.sln --format sarif --output results.sarif
        continue-on-error: true

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Azure DevOps

trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: UseDotNet@2
    inputs:
      version: '8.0.x'

  - script: dotnet tool install --global dg-code --prerelease
    displayName: 'Install dg-code'

  - script: dg-code scan --path $(Build.SourcesDirectory)/MySolution.sln --format sarif --output $(Build.ArtifactStagingDirectory)/results.sarif
    displayName: 'Run Security Scan'
    continueOnError: true

  - task: PublishBuildArtifacts@1
    inputs:
      pathToPublish: '$(Build.ArtifactStagingDirectory)/results.sarif'
      artifactName: 'SecurityScan'

Supported Azure Services

  • Azure Storage - MSAzureStorage
  • Azure Key Vault - MSAzureKeyVault
  • Azure Cosmos DB - MSAzureCosmosDB
  • Azure SQL - MSAzureSQL
  • Azure MySQL - MSAzureMySQL
  • Azure PostgreSQL - MSAzurePostgreSQL
  • Azure Redis - MSAzureRedis
  • Azure Service Bus - MSAzureServiceBus
  • Azure Event Hubs - MSAzureEventHubs
  • Azure Functions - MSAzureFunctions
  • Azure App Service - MSAzureAppService
  • Azure App Configuration - MSAzureAppConfiguration
  • Azure Identity - MSAzureIdentity
  • Azure Virtual Machines - MSAzureVirtualMachines

Exit Codes

  • 0 - Success (no issues or only informational)
  • 1 - Warnings found
  • 2 - Errors found
  • 3 - Internal failure
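
Both pipelines on this page set continue-on-error, so the scan's own exit code never fails the build. The script below is an added example, not part of dg-code: it re-reads saved msbuild-format output, counts findings per rule, and prints the code from the table above so that a later step can gate on it. The function names, the file name findings.txt and the last two sample lines are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not part of dg-code). Reads msbuild-format findings on stdin:
#   path(line,col): severity RULE_ID: message
# Typical use (flags from this page):
#   dg-code scan --path MySolution.sln --format msbuild --output findings.txt || true
#   gate_code < findings.txt

# Constructed sample: the first two lines are the ones shown on this page,
# the last two are made up to exercise counting and non-finding lines.
sample_findings() {
  cat <<'EOF'
src/MyService.cs(42,15): error DG_0003_00001: Hardcoded connection string detected
src/Config.cs(18,8): warning DG_0016_00005: Missing timeout configuration
src/Other.cs(7,1): warning DG_0016_00005: Missing timeout configuration
Scan finished in 3.45s
EOF
}

# Patterns for the location prefix and the rule ID of one finding line.
LOC='^.+\([0-9]+,[0-9]+\): '
RULE='DG_[0-9]+_[0-9]+'

# count_severity <severity>: print how many findings have that severity.
count_severity() {
  grep -Ec "${LOC}$1 ${RULE}: " || true   # grep exits 1 on zero matches
}

# rule_counts: print "count severity rule" per rule, most frequent first.
rule_counts() {
  sed -nE "s/${LOC}([a-z]+) (${RULE}): .*/\1 \2/p" \
    | sort | uniq -c | sort -k1,1nr -k3,3 | awk '{print $1, $2, $3}'
}

# gate_code: print the exit code from the page's table for the findings read:
# 2 if any error, 1 if any warning, otherwise 0. Runs in a subshell.
gate_code() (
  input=$(cat)
  errors=$(printf '%s\n' "$input" | count_severity error)
  warnings=$(printf '%s\n' "$input" | count_severity warning)
  if [ "$errors" -gt 0 ]; then echo 2
  elif [ "$warnings" -gt 0 ]; then echo 1
  else echo 0
  fi
)

sample_findings | rule_counts
echo "gate exit code: $(sample_findings | gate_code)"
```

In a pipeline, run the scan and the SARIF upload first, then finish with a step such as exit "$(gate_code < findings.txt)" so the job fails only after the results have been published.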

Licensing

During beta, all features are free. After 1.0 stable release, a tiered licensing model (Free/Pro/Enterprise) will be introduced. Visit https://www.ironbox.io for details.

Configuration File

Create a dataguard.json file:

{
  "path": "./MySolution.sln",
  "format": "sarif",
  "output": "results.sarif",
  "severity": "warning",
  "failOn": "error",
  "parallel": true,
  "quiet": false,
  "includeSnippets": false
}

Use with:

dg-code scan --config dataguard.json

Requirements

  • .NET 8.0 or .NET 9.0 SDK
  • MSBuild (included with .NET SDK or Visual Studio)

Version

Check installed version:

dg-code --version

Versioning is centralized across all IronBox DataGuard components. Current version: 1.0.0-beta.7

License

Copyright © 2025-2026 IronBox. All rights reserved.

This software is licensed under the IronBox End User License Agreement (EULA). See LICENSE.txt for details.

Support

Compatible and additional computed target framework versions (.NET):

  • net8.0 is compatible. Computed: net8.0-android, net8.0-browser, net8.0-ios, net8.0-maccatalyst, net8.0-macos, net8.0-tvos, net8.0-windows.
  • net9.0 is compatible. Computed: net9.0-android, net9.0-browser, net9.0-ios, net9.0-maccatalyst, net9.0-macos, net9.0-tvos, net9.0-windows.
  • Computed: net10.0, net10.0-android, net10.0-browser, net10.0-ios, net10.0-maccatalyst, net10.0-macos, net10.0-tvos, net10.0-windows.

This package has no dependencies.

Version        Downloads   Last Updated
1.0.0-beta.8   0           3/20/2026
1.0.0-beta.7   34          3/19/2026
1.0.0-beta.6   37          3/7/2026
1.0.0-beta.4   40          3/3/2026
1.0.0-beta.3   42          3/3/2026
1.0.0-beta.2   45          3/3/2026

v1.0.0-beta.8:
- ADDED: 18 Azure Health Data Services FHIR security analyzers
- ADDED: 18 Azure Health Data Services DICOM security analyzers
- ADDED: Scope filters for FHIR, DICOM, and HealthDataServices
- CHANGED: Updated CLI help text with FHIR and DICOM examples

See CHANGELOG.md in package for full history.