IDE Extensions

David Alcantar edited this page May 18, 2023 · 4 revisions

As a developer, you may unknowingly introduce security issues while coding. DevSkim is a tool that flags these issues and calls attention to them with errors or warnings, depending on the severity. When you mouse over the issue, DevSkim shows a description of the problem and how to address it, along with a link to more information.

Fix Its

For some issues, one or more safe alternatives are available in the Quick Fix menu, allowing you to fix the issue with just a few mouse clicks. For issues where the alternative takes different parameters than the unsafe API being flagged, DevSkim provides additional guidance. For example, when DevSkim replaces gets() with fgets(), it prompts you to supply the size of the destination buffer.
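As an added illustration of the gets() to fgets() Fix It described above (example code written for this page, not DevSkim's own; the helper name read_line and its status values are chosen here), the function below shows the buffer-size parameter the Fix It asks for, and the two loose ends fgets() leaves to the caller: the newline it keeps in the buffer, and a line longer than the buffer, which gets() would have written past the end.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of one bounded line read. */
enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = 2 };

/* fgets() replacement for gets(): the caller must pass the destination size.
 * A line that does not fit is reported as truncated and the rest of it is
 * drained so it cannot be mistaken for the next line on a later call. */
enum read_status read_line(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL) {
        if (size > 0) buf[0] = '\0';
        return READ_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* drop the newline fgets() keeps */
        return READ_OK;
    }
    /* No newline: either the last line of input has none, or the line was
     * longer than the buffer. Peek at the next character to tell them apart. */
    int c = fgetc(in);
    if (c == EOF) return READ_OK;
    while (c != '\n' && c != EOF) c = fgetc(in);   /* discard the overflow */
    return READ_TRUNCATED;
}

int main(void)
{
    char name[16];                    /* 15 characters plus the terminator */
    printf("Name: ");
    fflush(stdout);
    enum read_status st = read_line(name, sizeof name, stdin);
    if (st == READ_TRUNCATED)
        printf("Input was cut to %zu characters\n", sizeof name - 1);
    printf("Hello, %s\n", name);
    return 0;
}
```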

Suppressions

DevSkim has built-in functionality to suppress any of its warnings, either permanently or for a period of time. Permanent suppressions are useful for scenarios where, for whatever reason, the flagged code should not be changed. Timed suppressions are useful for scenarios where the code should change, but the developer does not want to change it immediately.

In both cases, DevSkim will insert a comment after the code to notify the developer (and anyone reviewing the code) that the usage should be ignored. For timed suppressions, DevSkim will also indicate when it should next alert the developer of the issue. Users can add additional comments after the suppression to describe why the issue is being suppressed.

To suppress a warning, simply click on the Quick Fix menu when hovering over the warning, or right click the warning in the Problems window, and select Suppress <Rule ID>. You can choose to suppress the warning permanently or for a specified period of time. Alternatively, you can add a suppression comment manually by following the format: // DevSkim: ignore <Rule ID> for <duration> because <reason>.

Supported IDEs