Roslyn-based analyzers use the .NET Compiler SDK (Roslyn APIs) to analyze your project's source code to find issues and suggest corrections. Different analyzers look for different classes of issues, ranging from practices that are likely to cause bugs to security concerns to API compatibility in C# and VB code.
The Roslyn Analyzers build task is included in the Microsoft Security Code Analysis Extension, and is focused on enabling the security analyzers. This page has the steps needed to configure & run the build task as part of your build definition.
1. | You are using the Azure DevOps Build system. |
---|---|
2. | The Microsoft Security Code Analysis Extension installed in your account. |
3. | Your build definiton includes the built-in MSBuild or VSBuild build task to compile C# (or VB) code. This task relies on the input and output of that specific build task to rerun the MSBuild compilation with Roslyn analyzers enabled. |
4. | The build agent running this build task has Visual Studio 2017 v15.5 or later installed (compiler version 2.6.x). |
1. | Open your team project from your Azure DevOps Account. |
---|---|
2. | Navigate to the Build tab under Build and Release |
3. | Select the Build Definition into which you wish to add the Roslyn Analyzers build task.
|
4. | Click + to navigate to the Add Tasks pane. |
5. | Find the Roslyn Analyzers build task either from the list or using the search box and then click Add. |
6. | The Run Roslyn Analyzers build task should now be a part of the Build Definition. |
1. | Click the task
Run Roslyn Analyzers to see the different options available.
|
---|---|
2. | Available options include
|
1. | Roslyn analyzers are compiler-integrated and can only be run as part of CSC.exe compilation. Hence, this task requires replaying/rerunning the compiler command that ran earlier in the build. This is done by querying VSTS for the MSBuild build task logs (there is no other way for the task to reliably get the MSBuild compilation command line from the build definition; we did consider adding a freeform textbox to allow users to enter their commandlines, but it would be hard to keep these up-to-date and in sync with the main build). Custom builds require replaying the entire set of commands, not just compiler commands, and it is not trivial/reliable to enable Roslyn analyzers in these cases. |
---|---|
2. | Roslyn analyzers are integrated with the compiler and requires the compilation to be invoked. This build task is implemented by recompiling C# projects that were already built using only the MSBuild/VSBuild build task, in the same build / build definition, but in this case, with the Analyzers enabled. If this build task runs on the same agent as the original build task, the output of the original MSBuild/VSBuild build task will be overwritten in the 's' sources folder, by the output of this build task. The build output will be the same, but it is advised that you run MSBuild, copy output to the the artifacts staging directory, and then run Roslyn. |
The Private Preview for this extension is now closed. Please visit the Microsoft Security Code Analysis Home Page for information about the public MSCA extension and how to get it. You can also contact us via email at Microsoft Security Code Analysis
Roslyn Analyzers on docs.microsoft.com
The analyzer package installed and used by this build task.