Microsoft Application Inspector is a software source code characterization tool designed to identify coding features of first- or third-party software components based on well-known library/API calls. It helps analyze source code for security and non-security use cases by detecting features such as encryption, file operations, shell commands, cloud APIs, frameworks, and more.
Key Features:
Uses a JSON-based rules engine with hundreds of predefined patterns to detect features in source code.
Supports multiple programming languages, including C, C++, C#, Java, JavaScript, Python, Go, Ruby, and PowerShell.
Generates detailed reports in HTML, JSON, or text formats for easy analysis.
Integrates seamlessly into CI/CD pipelines for automated security compliance checks.
Enables custom rule creation to extend detection capabilities.
Can be installed via winget.
Audience & Benefit:
Ideal for developers, security teams, and organizations looking to understand the behavior of software components. It helps reduce reliance on limited documentation by directly analyzing source code. Benefits include quicker identification of features, compliance verification, and minimizing attack surfaces by identifying necessary or unwanted features in components.
README
Introduction
Microsoft Application Inspector is a software source code characterization tool that helps identify coding features of
first or third party software components based on well-known library/API calls and is helpful in security and
non-security use cases. It uses hundreds of rules and regex patterns to surface interesting characteristics of source
code to aid in determining what the software is or what it does from what file operations it uses, encryption,
shell operations, cloud API's, frameworks and more and has received industry attention as a new and valuable
contribution to OSS
on ZDNet, SecurityWeek
, CSOOnline
, Linux.com/news
, HelpNetSecurity, Twitter and more and was first featured
on Microsoft.com.
Application Inspector is different from traditional static analysis tools in that it doesn't attempt to identify "good"
or "bad" patterns; it simply reports what it finds against a set of over 400 rule patterns for feature detection
including features that impact security such as the use of cryptography and more. This can be extremely helpful in
reducing the time needed to determine what Open Source or other components do by examining the source directly rather
than trusting to limited documentation or recommendations.
The tool supports scanning various programming languages including C, C++, C#, Java, JavaScript, HTML, Python,
Objective-C, Go, Ruby, PowerShell
and more and can scan projects with
mixed language files. It supports generating results in HTML, JSON and text output formats with the default being an
HTML report similar to the one shown here.
Microsoft Application Inspector helps you in securing your applications from start to deployment.
Design Choices - Enables you to choose which components meet your needs with a smaller footprint of unnecessary or
unknowns features for keeping your application attack surface smaller as well as help to verify expected ones i.e.
industry standard crypto only.
Identifying Feature Deltas - Detects changes between component versions which can be critical for detecting
injection of backdoors.
Automating Security Compliance Checks - Use to identify components with features that require additional security
scrutiny, approval or SDL compliance as part of your build pipeline or create a repository of metadata regarding all of
your enterprise application.
Contribute
We have a strong default starting base of Rules for feature detection. But there are many feature identification
patterns yet to be defined and we invite you to submit ideas on what you want to see or take a crack at defining a
few. This is a chance to literally impact the open source ecosystem helping provide a tool that everyone can use. See
the Rules section of the wiki for more.
Official Releases
Application Inspector is in GENERAL AUDIENCE release status. Your feedback is important to us. If you're interested in
contributing, please review the CONTRIBUTING.md.
Application Inspector is available as a command line tool or NuGet package and is supported on Windows, Linux, or MacOS.
Platform specific binaries of the ApplicationInspector CLI are available on our
GitHub releases page.
If you use the .NET Core version, you will need to have .NET 6.0 or later installed. See
the JustRunIt.md
or Build.md files for more.
CLI Usage Information
> appinspector --help
ApplicationInspector.CLI 1.8.4-beta+976ee3cdd1
c Microsoft Corporation. All rights reserved.
analyze Inspect source directory/file/compressed file (.tgz|zip)
against defined characteristics
tagdiff Compares unique tag values between two source paths
exporttags Export the list of tags associated with the specified rules.
Does not scan source code.
verifyrules Verify custom rules syntax is valid
packrules Combine multiple rule files into one file for ease in
distribution
help Display more information on a specific command.
version Display version information.
Examples:
Command Help
To get help for a specific command run appinspector --help.
Analyze Command
The Analyze Command is the workhorse of Application Inspector.
Simple Default Analyze
This will produce an output.html of the analysis in the current directory using default arguments and rules.
This will create a json output named data.json of the analysis in the current directory, excluding all files in test
and .git folders using the provided glob patterns.
