There aren't a lot of T-SQL security checkers out there, so lets add some rules for T-SQL scripts. Suggestions from Raul:

• Executing any of the dangerous XPs, such as xp_cmdshell
• Changing the configuration to enable dangerous features (i.e. EXEC[UTE] sp_configure ‘xp_cmdshell’, 1)
• Using dynamic SQL (i.e. EXECUTE).
  • The difficult part of this one would be to know if the dynamic SQL is properly escaped to prevent SQLi, so we could simply warn the user
• Enabling some features on DBs such as setting the trustworthy = ON on a DB
• Granting elevated permissions (i.e. GRANT UNSAFE ASSEMBLY … )
• Create a new login (with password) without CHECK_POLICY = ON

I'm a student trying to study this project. I just found a small bug when testing the ruleset. Here it is.

the problem range goes longer than it should be (just one line)
Later I found this is because the regex in ruleset follows the greedy pattern
in this case, /rules/default/security/api/dangerous_api.json,line 50 , change
\bstrcpy\s*\(([^,]+),([^,]+)\) to
\bstrcpy\s*\(([^,]+),([^,]+?)\)
will do
I suppose other regex may have similar problems
I'm new in Github and I'm not sure whether the default ruleset is related to this project and the way to fix this officially, I hope pushing issue here is the right thing to do.
btw, I am planning to make an introduction of DevSkim as part of my coursework. I hope the developers do not mind it :)

Rule DS130821 in certificate.json point to invalid URL in rule_info (https://github.com/Microsoft/DevSkim/blob/master/guidance/DS114352.md)

Currently DevSkim will check node_modules/**/*, logs/, under the kitchen sink, behind the fridge, and likely other dark and suspicious places as well. You get my drift.

It would be nice if we could have a config option (.vscode folder, or user settings) that allows a user to exclude one or more folders from DevSkim's prying eyes.

I've fot this output when changing some workspace settings.

TypeError: Cannot read property 'Symbol(Symbol.iterator)' of undefined
    at validateTextDocument (/Users/fer/.vscode/extensions/MS-DevSkim.vscode-devskim-0.1.3/server/server.js:101:25)
    at documents.onDidOpen (/Users/fer/.vscode/extensions/MS-DevSkim.vscode-devskim-0.1.3/server/server.js:46:5)
    at CallbackList.invoke (/Users/fer/.vscode/extensions/MS-DevSkim.vscode-devskim-0.1.3/server/node_modules/vscode-languageserver/node_modules/vscode-jsonrpc/lib/events.js:114:39)
    at Emitter.fire (/Users/fer/.vscode/extensions/MS-DevSkim.vscode-devskim-0.1.3/server/node_modules/vscode-languageserver/node_modules/vscode-jsonrpc/lib/events.js:178:36)
    at connection.onDidOpenTextDocument (/Users/fer/.vscode/extensions/MS-DevSkim.vscode-devskim-0.1.3/server/node_modules/vscode-languageserver/lib/main.js:151:29)
    at handleNotification (/Users/fer/.vscode/extensions/MS-DevSkim.vscode-devskim-0.1.3/server/node_modules/vscode-languageserver/node_modules/vscode-jsonrpc/lib/main.js:460:43)
    at processMessageQueue (/Users/fer/.vscode/extensions/MS-DevSkim.vscode-devskim-0.1.3/server/node_modules/vscode-languageserver/node_modules/vscode-jsonrpc/lib/main.js:232:17)
    at Immediate.<anonymous> (/Users/fer/.vscode/extensions/MS-DevSkim.vscode-devskim-0.1.3/server/node_modules/vscode-languageserver/node_modules/vscode-jsonrpc/lib/main.js:219:13)
    at runCallback (timers.js:651:20)
    at tryOnImmediate (timers.js:624:5)
TypeError: Cannot read property 'Symbol(Symbol.iterator)' of undefined
    at validateTextDocument (/Users/fer/.vscode/extensions/MS-DevSkim.vscode-devskim-0.1.3/server/server.js:101:25)
    at documents.onDidChangeContent (/Users/fer/.vscode/extensions/MS-DevSkim.vscode-devskim-0.1.3/server/server.js:43:5)
    at CallbackList.invoke (/Users/fer/.vscode/extensions/MS-DevSkim.vscode-devskim-0.1.3/server/node_modules/vscode-languageserver/node_modules/vscode-jsonrpc/lib/events.js:114:39)
    at Emitter.fire (/Users/fer/.vscode/extensions/MS-DevSkim.vscode-devskim-0.1.3/server/node_modules/vscode-languageserver/node_modules/vscode-jsonrpc/lib/events.js:178:36)
    at connection.onDidOpenTextDocument (/Users/fer/.vscode/extensions/MS-DevSkim.vscode-devskim-0.1.3/server/node_modules/vscode-languageserver/lib/main.js:152:38)
    at handleNotification (/Users/fer/.vscode/extensions/MS-DevSkim.vscode-devskim-0.1.3/server/node_modules/vscode-languageserver/node_modules/vscode-jsonrpc/lib/main.js:460:43)
    at processMessageQueue (/Users/fer/.vscode/extensions/MS-DevSkim.vscode-devskim-0.1.3/server/node_modules/vscode-languageserver/node_modules/vscode-jsonrpc/lib/main.js:232:17)
    at Immediate.<anonymous> (/Users/fer/.vscode/extensions/MS-DevSkim.vscode-devskim-0.1.3/server/node_modules/vscode-languageserver/node_modules/vscode-jsonrpc/lib/main.js:219:13)
    at runCallback (timers.js:651:20)
    at tryOnImmediate (timers.js:624:5)
[Error - 9:33:24 PM] Notification handler 'workspace/didChangeConfiguration' failed with message: Cannot read property 'Symbol(Symbol.iterator)' of undefined
[Error - 9:34:42 PM] Notification handler 'workspace/didChangeConfiguration' failed with message: Cannot read property 'Symbol(Symbol.iterator)' of undefined
[Error - 9:34:57 PM] Notification handler 'workspace/didChangeConfiguration' failed with message: Cannot read property 'Symbol(Symbol.iterator)' of undefined

I have a dependency on Microsoft.IdentityModel.Tokens and found that in version 5.1.0 there is a serious security issue. Luckily the team already released a patch for it, and also issued a MS Security Notice. However, I found this out by chance as I was checking the changelog on GitHub. Presumably not everyone does this and is aware of this problem with a particular version of the library.

As a feature request, it would be great that this tool would get integration support from Microsoft to warn about insecure dependencies when they exist. Of course this would mean some coordination from Microsoft as the community should not drive this through PRs.

There hasn't been much recent activity. Just wondering what the future holds for DevSkim or if it has been superseded by other projects like https://github.com/dotnet/roslyn-analyzers?

Weird issue with the last two versions of VS. When I open up more than one solution they seem to be in a perpetual state of loading (tests are never found, the sign in drop down does nothing and never shows me logged in, trying to add a new class hangs, etc). I removed DevSkim as that was the last plugin that I installed and the issues went away. So no idea what's causing it.

VS version 15.7.5 and 15.7.6.

Reported via Twitter:
https://twitter.com/anuraj/status/1107515716800933888

Instead of flagging http:, we should probably include the slashes too. That should cut down a bit on the noise.

Is there a plan to have an official docker image for the CLI?

I'm using the VSCode DevSkim extension and I'm having a similar issue as #68

In an angular project I'm seeing my variable with provided typing being flagged as an insecure URL.

constructor(private http: HttpClient)

the http: get's flagged.

• Issue Type: Bug
• Extension Name: vscode-devskim
• Extension Version: 0.2.2
• OS Version: Windows_NT x64 10.0.17763
• VSCode version: 1.31.1

⚠️ We have written the needed data into your clipboard. Please paste! ⚠️

@joshbw Was there a reason for the double-$'s in some of the PHP rule fix-its?
https://github.com/Microsoft/DevSkim/blob/master/rules/default/security/frameworks/php.json#L31

        "fix_its": [
            {
                "name": "Change to $_GET",
                "type": "regex-replace",
                "_comment": "",
                "replacement": "$$_GET",  <-- Should this just be $_GET?
                "pattern": {
                    "pattern": "\\$_REQUEST",
                    "type": "regex",
                    "scopes": [
                        "code"
                    ],
                    "_comment": ""
                }
            },

This is far off, as Rider is only in its first release candidate, but it'd be nice to have.

Our regexes have a bug that don't take into account spaces:

gets(str);
gets (str);

The first gets will trigger a warning, but the second won't. We need to update a bunch of our rules to catch that

The comments definition entry for 'swift' in Resources/comments.json is misspelled:

[
  {
    "language": [
    ...
        "wwift",
    ...
    ],   
    "inline": "//",
    "preffix": "/*",
    "suffix": "*/"
  },
  ...

Resolved by PR #49.

When you run the DevSkim CLI with -f json for JSON output, the full output includes extra information. While this goes to stderr, it would be good to have a way to suppress that entirely.

This is needed specifically for the Flycheck plugin, which doesn't ignore stderr, so the output becomes garbled. flycheck/flycheck#1323

Alternatively, we could wrap the CLI in another script that pipes stderr away, but I think it should be part of the main executable, perhaps as another flag.

This is regarding the message for insecure transport (HTTP)

https://github.com/Microsoft/DevSkim/blob/master/guidance/DS137138.md

This seems to come for any use of the word http, which might be too broad.

For example, in the popular JavaScript framework Angular (v2+), there's a class call Http, which is an Http(s) AJAX client (a wrapper for browser AJAX / fetch functionality).

You'd inject this client in your code in a way a bit like this:

import { Injectable } from '@angular/core';
import { Http } from '@angular/http';

@Injectable()
export class SomeService {
    constructor(private http: Http) {
        // ...
    }
}

however, DevSkim does not like this. It shows the following message for the constructor line above

[Devskim: Finding DS137138]
Insecure URL
Severity: [Moderate]

An HTTP-based URL without TLS was detected.

Fix Guidance: Update to an HTTPS-based URL if possible.

More Info:
https://github.com/Microsoft/DevSkim/blob/master/guidance/DS137138.md

In this case, the constructor line is not creating a URL though. The statement An HTTP-based URL without TLS was detected is incorrect.

Would it make sense to check for http: instead of http here?

Hi whenever I am adding DevSkim extension my CPU and Memory raising by this extension. I killed process it was raising after my screen capture too.

The error on Visual code was.
.vscode\extensions\MS-DevSkim.vscode-devskim-0.2.0\server\devskimWorker.js:136
this.analysisRules = validator.validateRules(this.tempRules, DevSkimWorker.settings.devskim.validateRulesFiles);
^

TypeError: Cannot read property 'devskim' of undefined

It would be nice if you could support Atom as well.

Hey, is VS for mac is planned to be supported? I tried to look for DevSkim on the marketplace but couldn't find it...

If a file contains a comment of the form:

// Some text here /*

The ScopeMatches() and InBetween() functions within TextContainer mistakenly thinks that we're inside of a block comment, and ignores everything in there unless the scope is "ALL".

The Placement of the DevSkim Comments is not Prettier compatible.
Prettier moves the Comment from this:

setTimeout(() => { // DevSkim: reviewed DS172411 on 2019-03-06 by Marvin
<SomeCode>
}

to this:

setTimeout(() => {
// DevSkim: reviewed DS172411 on 2019-03-06 by Marvin
<SomeCode>
}

As a result the warning triggers again.

I'd suggest taking the same aproach as tslint:

// tslint:disable-next-line:bool-param-default
function _onRendered_init_sortable(instance: Blaze.TemplateInstance, isHomepage?: boolean): void {
<SomeCode>
}

Doyensec published a checklist of security guidance at Blackhat, and we should think about including at least some of the rules in DevSkim.

https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf

Looks like DevSkim is incompatable with Visual Studio 2019. When will it be compatable and fully functional? I can't even see DevSkim in search results in Extensions.

Suggestion via e-mail -- have the output default to a single line so it's greppable.

By default, how about:

PATH:LINE - RULE_ID - RISK_RATING - RULE_NAME - LINE(trimmed)

Can also add a --output-format="STRING" option to interpolate the following:

- %FP - full path
- %FR - relative path
- %L - line number
- %R - rule id
- %G - risk rating (Critical, Important, etc.)
- %g - risk rating (1..5)
- %N - rule name
- %S - line (trimmed)
- %T - tags (comma-separated)

Add --group=file as a parameter to get back to the current output scheme.

So far I am happy with the plugin, but most of the time I am ignoring errors for web pages that are mentioned in the xml docu or xml namespace (which btw. kills visual studio 2015). It would be nice if there would be an option to ignore links in the xml docu like:

/// <para tool="javadoc-to-mdoc"> /// <format type="text/html"> /// <a href="http://developer.android.com/reference/android/app/Activity.html#onStop()" target="_blank">[Android Documentation]</a> /// </format> /// </para>

Bg

As title

Review these rules:

1. Should we moved these to the API directory?
2. Add additional guidance around this -- Invoke could be used dangerously, but is also widely used. Can we only detect "dangerous" uses of this?

DevSkim can cause VS to crash with this callstack:

Application: devenv.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.

Exception Info: System.NullReferenceException   at Microsoft.DevSkim.Language.FromFileName(System.String)   at Microsoft.DevSkim.VSExtension.SkimShim.GetLanguageList(System.String, System.String)   at Microsoft.DevSkim.VSExtension.SkimShim.Analyze(System.String, System.String, System.String)   at Microsoft.DevSkim.VSExtension.SkimChecker.DoUpdate()   at Microsoft.DevSkim.VSExtension.SkimChecker.b__17_0()   at System.Windows.Threading.ExceptionWrapper.InternalRealCall(System.Delegate, System.Object, Int32)   at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(System.Object, System.Delegate, System.Object, Int32, System.Delegate)   at System.Windows.Threading.DispatcherOperation.InvokeImpl()   at System.Windows.Threading.DispatcherOperation.InvokeInSecurityContext(System.Object)   at MS.Internal.CulturePreservingExecutionContext.CallbackWrapper(System.Object)   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)   at MS.Internal.CulturePreservingExecutionContext.Run(MS.Internal.CulturePreservingExecutionContext, System.Threading.ContextCallback, System.Object)   at System.Windows.Threading.DispatcherOperation.Invoke()   at System.Windows.Threading.Dispatcher.ProcessQueue()   at System.Windows.Threading.Dispatcher.WndProcHook(IntPtr, Int32, IntPtr, IntPtr, Boolean ByRef)   at MS.Win32.HwndWrapper.WndProc(IntPtr, Int32, IntPtr, IntPtr, Boolean ByRef)   at MS.Win32.HwndSubclass.DispatcherCallbackOperation(System.Object)   at System.Windows.Threading.ExceptionWrapper.InternalRealCall(System.Delegate, System.Object, Int32)   at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(System.Object, System.Delegate, System.Object, Int32, System.Delegate)   at System.Windows.Threading.Dispatcher.LegacyInvokeImpl(System.Windows.Threading.DispatcherPriority, System.TimeSpan, System.Delegate, System.Object, Int32)   at MS.Win32.HwndSubclass.SubclassWndProc(IntPtr, Int32, IntPtr, IntPtr)

See also this report: https://developercommunity.visualstudio.com/content/problem/81337/attempting-to-change-code-style-crashes-visual-stu.html

• Extension Name: vscode-devskim
• Extension Version: 0.2.0
• OS Version: Linux x64 4.13.0-26-generic
• VSCode version: 1.19.2

/home/csoellinger/.vscode/extensions/MS-DevSkim.vscode-devskim-0.2.0/server/devskimWorker.js:136
this.analysisRules = validator.validateRules(this.tempRules, DevSkimWorker.settings.devskim.validateRulesFiles);
^

TypeError: Cannot read property 'devskim' of undefined
    at dir.readFiles (/home/csoellinger/.vscode/extensions/MS-DevSkim.vscode-devskim-0.2.0/server/devskimWorker.js:136:96)
    at done (/home/csoellinger/.vscode/extensions/MS-DevSkim.vscode-devskim-0.2.0/server/node_modules/node-dir/lib/readfiles.js:60:13)
    at next (/home/csoellinger/.vscode/extensions/MS-DevSkim.vscode-devskim-0.2.0/server/node_modules/node-dir/lib/readfiles.js:81:35)
    at /home/csoellinger/.vscode/extensions/MS-DevSkim.vscode-devskim-0.2.0/server/node_modules/node-dir/lib/readfiles.js:92:29
    at done (/home/csoellinger/.vscode/extensions/MS-DevSkim.vscode-devskim-0.2.0/server/node_modules/node-dir/lib/readfiles.js:60:13)
    at next (/home/csoellinger/.vscode/extensions/MS-DevSkim.vscode-devskim-0.2.0/server/node_modules/node-dir/lib/readfiles.js:81:35)
    at /home/csoellinger/.vscode/extensions/MS-DevSkim.vscode-devskim-0.2.0/server/node_modules/node-dir/lib/readfiles.js:92:29
    at done (/home/csoellinger/.vscode/extensions/MS-DevSkim.vscode-devskim-0.2.0/server/node_modules/node-dir/lib/readfiles.js:60:13)
    at next (/home/csoellinger/.vscode/extensions/MS-DevSkim.vscode-devskim-0.2.0/server/node_modules/node-dir/lib/readfiles.js:81:35)
    at /home/csoellinger/.vscode/extensions/MS-DevSkim.vscode-devskim-0.2.0/server/node_modules/node-dir/lib/readfiles.js:92:29

DevSkim issues link to ds126858.md/ instead of https://github.com/Microsoft/DevSkim/blob/master/guidance/DS126858.md or other suitable location.

Using Visual Studio Extension version 0.3.1

Repro steps:

• Click on the help link in the Error List Window
  OR
• Right Click on the issue in the Error List Window
• Select Show error help

With "Microsoft Security Advisory 4021279: Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege" aspnet/Announcements#239 and aspnet/Mvc#6246 the case for this tool is even stronger.

However, if we would adopt this tool, what's the response time and tooling flow for us to get these advisories incorporated asap?

Ideally, our daily CI builds would spot this as soon as a security advisory can be detected by the tool.

What about integrating this tool with SonarQube?
I have no idea regarding the complexity of this task, but it may be worth it.

Example of code analysis tool that can be integrated with SonarQube: https://github.com/RIGS-IT/sonar-xanitizer

The SearchConditions class does not support scope and does not distinguish causing some limitations on what can be done as comments may yield results that are then considered with code scope for the initial pattern. Also, several DevSkim rules have scopes as part of the condition but again the documentation for conditions does not indicate support for it.

DevSkim/rules/default/security/storage/secure_storage.json, rule DS191340 looks exponential. Can you refactor @scovetta

How can I run DevSkim manually? I want to run it also as part of our CI/CD pipeline, and not only on the IDE. Is that possible?

It would be nice if, apart of having these security checks embedded in the IDE, they could run as part of a continuous integration process, like Visual Studio Team Services Build.
That would be really useful to measure and guarantee quality code, and not only rely that the developers will remember to run the tool in their machines...

C:\Users\astainba.vscode-insiders\extensions\MS-DevSkim.vscode-devskim-0.2.0\server\devskimWorker.js:136
this.analysisRules = validator.validateRules(this.tempRules, DevSkimWorker.settings.devskim.validateRulesFiles);
^

TypeError: Cannot read property 'devskim' of undefined
at dir.readFiles (C:\Users\astainba.vscode-insiders\extensions\MS-DevSkim.vscode-devskim-0.2.0\server\devskimWorker.js:136:96)
at done (C:\Users\astainba.vscode-insiders\extensions\MS-DevSkim.vscode-devskim-0.2.0\server\node_modules\node-dir\lib\readfiles.js:60:13)
at next (C:\Users\astainba.vscode-insiders\extensions\MS-DevSkim.vscode-devskim-0.2.0\server\node_modules\node-dir\lib\readfiles.js:81:35)
at C:\Users\astainba.vscode-insiders\extensions\MS-DevSkim.vscode-devskim-0.2.0\server\node_modules\node-dir\lib\readfiles.js:92:29
at done (C:\Users\astainba.vscode-insiders\extensions\MS-DevSkim.vscode-devskim-0.2.0\server\node_modules\node-dir\lib\readfiles.js:60:13)
at next (C:\Users\astainba.vscode-insiders\extensions\MS-DevSkim.vscode-devskim-0.2.0\server\node_modules\node-dir\lib\readfiles.js:81:35)
at C:\Users\astainba.vscode-insiders\extensions\MS-DevSkim.vscode-devskim-0.2.0\server\node_modules\node-dir\lib\readfiles.js:92:29
at done (C:\Users\astainba.vscode-insiders\extensions\MS-DevSkim.vscode-devskim-0.2.0\server\node_modules\node-dir\lib\readfiles.js:60:13)
at next (C:\Users\astainba.vscode-insiders\extensions\MS-DevSkim.vscode-devskim-0.2.0\server\node_modules\node-dir\lib\readfiles.js:81:35)
at C:\Users\astainba.vscode-insiders\extensions\MS-DevSkim.vscode-devskim-0.2.0\server\node_modules\node-dir\lib\readfiles.js:92:29

When trying to install the DevSkim CLI using dpkg under the Windows Subsystem for Linux, you initially get an error that libunwind8 needs to be installed.

$ sudo dpkg -i devskim-0.1.5_amd64.deb
Selecting previously unselected package devskim.
(Reading database ... 31266 files and directories currently installed.)
Preparing to unpack devskim-0.1.5_amd64.deb ...
Unpacking devskim (0.1.5) ...
dpkg: dependency problems prevent configuration of devskim:
 devskim depends on libunwind8; however:
  Package libunwind8 is not installed.

dpkg: error processing package devskim (--install):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 devskim

Running apt-get install libunwind8 fixes this. I'm not sure if you can tag the .deb file to auto-install the dependency.

We should add support for addtional conditions that need to be met, more than just a string/regex match of a given line.

A good reason for this is the following rule:

In HTML, when you have an anchor tag with target="_blank", the called since can access certain properties of the calling site through window.opener.location. To prevent this, add rel="noopener noreferrer" to the anchor tag.

Currently, this rule would be hard to implement with a simple regular expression.

We could implement this with an embedded function, but since DevSkim is cross-platform, we'd need a way for all engines to interpret the code. I took a look at some JS interpreters for Python, but they're all either very incomplete or require per-platform binaries. We can still go down this route, but I had another idea that might get us part of the way there.

Here's a new rule I added:

[    {
        "id": "DS610000",
        "name": "HTML Link Missing noopener or noreferrer",
        "tags": [
            "API.DangerousAPI"
        ],
        "applies_to": [
        ],
        "severity": "moderate",
        "description": "When you use target=\"_blank\", you should also use rel=\"noopener noreferrer\". See <a href=\"https://mathiasbynens.github.io/rel-noopener\">https://mathiasbynens.github.io/rel-noopener</a> for more information.",
        "replacement": "",
        "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS610000.md",
        "patterns": [
            {
                "pattern": "target.*_blank",
                "type": "regex-word",
                "conditions": [
                    {
                        "name": "line-match-any",
                        "value": ["noopener", "noreferrer"],
                        "invert": true
                    }
                ]
            }
        ],
        "fix_it": []
    }
]

Each condition object has a name (the name of the function to run), the data passed to that function, and whether it's expected to return true or false.

In Python, line-match-all is mapped to:

def _line_match_all(line, targets):
    logger.debug('_line_match_all({0}, {1})'.format(line, targets))
            
    line = line.lower()
    return all([t.lower() in line for t in targets])

So each engine would need to implement the same set of functions, but I think the full set might end up being rather small.

Thoughts?

• Issue Type: Bug
• Extension Name: vscode-devskim
• Extension Version: 0.2.2
• OS Version: Windows_NT x64 10.0.17763
• VSCode version: 1.31.1

⚠️ We have written the needed data into your clipboard. Please paste! ⚠️

The DevSkim extension for VS Code behaves as expected. But the DevSkim CLI still reports the finding.

To reproduce create a js file with these two lines in it...

var s = "http://www.example.com/";
var s = "http://www.example.com/"; //Devskim: ignore DS137138 

You can see the VS Code extension has identified the http in the first line but not the second...

Then running the DevSkim CLI gives this result...

I have VS Code. I have installed the extension but I have no idea how to actually use this tool and I am having a hard time finding any documentation that explains how to actually use this tool through VS code.

Bogus rule defined in default/security/cryptography/hash_algorithm.json

{
    "id": "ddddddd",
    "name": "XXX",
    "active": true,
    "tags": [
        "Cryptography.BannedHashAlgorithm"
    ],
    "severity": "critical",
    "description": "A weak or broken hash algorithm was detected.",
    "replacement": "Consider switching to use SHA-256 or SHA-512 instead.",
    "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS126858.md",
    "patterns": [
        {
            "pattern": "XXXXX",
            "subtype": ["string"],
            "type": "regex"
        }
    ]
},

I primarily write PowerShell, and some of the rules do not translate well and create a flood of false positives. It would be nice to be able to disable Rules in an array in the extension settings. Something like this would be helpful

"devskim.disableRulesLanguage": {
    "PowerShell":  [
        "DS104456",
        "DS176209"
    ]
},
"devskim.disableRules": [
    "DS176209"
]

I am not sure if part of this would be an issue for the main repository or this one.

Devskim markdown file is empty and provides no information at all on why it's bitching about using a builtin function.

If the idea is that you should try not to define your own functions that use the verb 'invoke', it should say so, and the detection method should be updated to not complain when you're using a cmdlet built by microsoft.

When I was poking around I found ExitCode.IssuesExists which leads me to believe that, at least at some point, it was intended for the DevSkim CLI to exit with a non-zero exit code when issues are found. Currently it exits with ExitCode.NoIssues.

What is the intended behaviour? ExitCode.IssuesExists would certainly help with automation, CI/CD pipelines, etc. I'm happy to submit a pull request which changes this.

The CLI expects only a path - if you pass a single file, you get an exception / process crash.

See microsoft/sarif-visualstudio-extension#45 for details.