A .NET CLI tool that performs static analysis on C# source code to detect insecure or misconfigured JWT authentication patterns.

feliceiorillo/jwt-analyzer

JWT Analyzer

A .NET 10 CLI tool that performs static analysis on C# source code to detect insecure or misconfigured JWT authentication.

Features

  • Dual Analysis Modes: Roslyn-based semantic analysis + regex pattern matching
  • Recursive Scanning: Scans all .cs files in a directory, excluding bin/, obj/, .git/, etc.
  • Semantic Analysis: Uses Microsoft.CodeAnalysis for accurate detection of JWT misconfigurations
  • Regex Fallback: Lightweight pattern matching for quick scans
  • Multiple Output Formats: Console, Markdown, and JSON reporting
  • Security Scoring: 0-100 score based on the severity of the findings
  • CI/CD Integration: Configurable exit codes for build pipelines

Installation

Build the project:

dotnet build -c Release

Usage

jwt-analyzer <path> [options]

Arguments

  • <path> - Path to scan for C# source files

Options

  • --format <format> - Output format: console, md, json (default: console)
  • --fail-on <level> - Exit with code 1 if findings >= level: none, medium, high, critical (default: none)
  • --output <file> - Write report to file instead of console
  • --mode <mode> - Analysis mode: regex, semantic, hybrid (default: hybrid)

Analysis Modes

  • regex - Fast regex-based pattern matching (legacy mode)
  • semantic - Roslyn-based semantic analysis (accurate, slower)
  • hybrid - Both semantic and regex analysis (recommended)

Examples

Scan current directory with semantic analysis:

jwt-analyzer . --mode semantic

Generate markdown report with hybrid analysis:

jwt-analyzer ./src --format md --output report.md --mode hybrid

Fail build on high severity issues (regex only for speed):

jwt-analyzer ./src --fail-on high --mode regex

Generate JSON report for CI with full semantic analysis:

jwt-analyzer ./src --format json --output results.json --fail-on medium --mode semantic

Detection Rules

CRITICAL Severity (-25 points each)

Rule ID   Description                                                   Semantic   Regex
JWT001    ValidateIssuer = false - Accepts tokens from any issuer       ✓          ✓
JWT002    ValidateAudience = false - Accepts tokens for any audience    ✓          ✓
JWT003    SecurityAlgorithms.None - Allows unsigned tokens                         ✓
JWT004    alg = "none" - Creates unsigned tokens                                   ✓

HIGH Severity (-10 points each)

Rule ID   Description                                                   Semantic   Regex
JWT005    RequireExpirationTime = false - Accepts tokens without expiration   ✓     ✓
JWT006    ValidateLifetime = false - Accepts expired tokens             ✓          ✓
JWT007    ClockSkew > 5 minutes - Excessive time tolerance              ✓          ✓
JWT008    Hardcoded symmetric signing key in source code                ✓          ✓

MEDIUM Severity (-5 points each)

Rule ID   Description                                                   Semantic   Regex
JWT009    Hardcoded ValidIssuer value                                              ✓
JWT010    Hardcoded ValidAudience value                                            ✓
JWT011    Manual JWT parsing without validation                                    ✓
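The following is an added example, not code from the jwt-analyzer repository: one JwtBearer setup written twice, first in the form the rules above report (each flagged line is annotated with its rule ID) and then in a hardened form, followed by the manual-parsing pattern behind JWT011 next to a validating equivalent. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer and System.IdentityModel.Tokens.Jwt packages; the configuration keys "Jwt:Issuer", "Jwt:Audience" and "Jwt:SigningKey" and the literal secret are placeholders chosen for this example.

```csharp
// Added example, not part of jwt-analyzer. Package and configuration-key names
// are assumptions for illustration.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class JwtSetupExamples
{
    // Every line the analyzer would report is marked with its rule ID.
    public static void Insecure(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = false,                 // JWT001 (CRITICAL)
                    ValidateAudience = false,               // JWT002 (CRITICAL)
                    RequireExpirationTime = false,          // JWT005 (HIGH)
                    ValidateLifetime = false,               // JWT006 (HIGH)
                    ClockSkew = TimeSpan.FromMinutes(30),   // JWT007 (HIGH): more than 5 minutes
                    IssuerSigningKey = new SymmetricSecurityKey(
                        Encoding.UTF8.GetBytes("example-hardcoded-secret")) // JWT008 (HIGH), constructed value
                };
            });
    }

    public static void Hardened(IServiceCollection services, IConfiguration config)
    {
        // Key material comes from configuration or a secret store, never from source.
        var signingKey = new SymmetricSecurityKey(
            Convert.FromBase64String(config["Jwt:SigningKey"]
                ?? throw new InvalidOperationException("Jwt:SigningKey is not configured")));

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = config["Jwt:Issuer"],       // read from config, not a literal (JWT009)
                    ValidateAudience = true,
                    ValidAudience = config["Jwt:Audience"],   // read from config, not a literal (JWT010)
                    RequireExpirationTime = true,
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(1),      // small tolerance, within the 5-minute rule
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = signingKey,
                    // Pinning the accepted algorithms rules out "none" (JWT003/JWT004).
                    ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }
                };
            });
    }

    // JWT011: ReadJwtToken only decodes; signature, issuer, audience and lifetime
    // are never checked, so every claim here is attacker-controlled.
    public static string InsecureSubject(string token)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(token);
        return jwt.Subject;
    }

    // The validating form: ValidateToken throws unless the token passes all of
    // the checks configured in the supplied TokenValidationParameters.
    public static string ValidatedSubject(string token, TokenValidationParameters parameters)
    {
        new JwtSecurityTokenHandler().ValidateToken(token, parameters, out var validated);
        return ((JwtSecurityToken)validated).Subject;
    }
}
```

Running the analyzer over the Insecure method yields six findings (two CRITICAL, four HIGH); the Hardened method keeps every validation switch on and sources issuer, audience and key from configuration, so neither the hardcoded-key nor the hardcoded-issuer/audience rules have a literal to match.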

Semantic Analysis

The semantic analyzer uses Microsoft.CodeAnalysis (Roslyn) to:

  • Parse syntax trees for accurate code structure analysis
  • Build semantic models to understand type information
  • Detect JWT configurations in TokenValidationParameters and JwtBearerOptions
  • Avoid false positives by understanding code context
  • Analyze initialization patterns including object initializers and property assignments

Benefits over Regex

  • More accurate detection of configuration issues
  • Understands C# syntax and semantics
  • Fewer false positives
  • Can detect issues across method boundaries
  • Type-aware analysis
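To make the type-awareness concrete, here is an added example (not the project's SemanticAnalyzer or rule code) of a minimal Roslyn pass for JWT001. It parses the source, binds a semantic model, and reports `ValidateIssuer = false` only when the assigned symbol is the ValidateIssuer property of Microsoft.IdentityModel.Tokens.TokenValidationParameters, which is exactly the distinction a regex cannot make. It assumes the Microsoft.CodeAnalysis.CSharp and Microsoft.IdentityModel.Tokens packages are referenced; the sample C# it scans is constructed and contains one real finding and one decoy with identical text on a different type.

```csharp
// Added example, not jwt-analyzer's own code. Assumes Microsoft.CodeAnalysis.CSharp
// and Microsoft.IdentityModel.Tokens are referenced by the project.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.IdentityModel.Tokens;

public static class ValidateIssuerRule
{
    public sealed record Finding(string RuleId, int Line, string Message);

    private const string TargetType = "Microsoft.IdentityModel.Tokens.TokenValidationParameters";

    public static IReadOnlyList<Finding> Analyze(string source)
    {
        var tree = CSharpSyntaxTree.ParseText(source);

        // Reference every assembly loaded in this process plus the one defining
        // TokenValidationParameters, so the semantic model can bind that type.
        var references = AppDomain.CurrentDomain.GetAssemblies()
            .Append(typeof(TokenValidationParameters).Assembly)
            .Distinct()
            .Where(a => !a.IsDynamic && !string.IsNullOrEmpty(a.Location))
            .Select(a => MetadataReference.CreateFromFile(a.Location));

        var compilation = CSharpCompilation.Create("jwt-analysis", new[] { tree }, references);
        var model = compilation.GetSemanticModel(tree);
        var findings = new List<Finding>();

        foreach (var assignment in tree.GetRoot().DescendantNodes().OfType<AssignmentExpressionSyntax>())
        {
            // Syntactic pre-filter: the right-hand side must be the literal `false`.
            if (!assignment.Right.IsKind(SyntaxKind.FalseLiteralExpression))
                continue;

            // Semantic check: the assigned symbol must be TokenValidationParameters.ValidateIssuer.
            // A property with the same name on another type is not a misconfiguration.
            if (model.GetSymbolInfo(assignment.Left).Symbol is not IPropertySymbol property)
                continue;
            if (property.Name != "ValidateIssuer" || property.ContainingType.ToDisplayString() != TargetType)
                continue;

            int line = assignment.GetLocation().GetLineSpan().StartLinePosition.Line + 1;
            findings.Add(new Finding("JWT001", line,
                "ValidateIssuer is set to false. This allows tokens from any issuer."));
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed sample: the decoy has the same text as the real finding.
        const string sample = @"
using Microsoft.IdentityModel.Tokens;
class LocalFlags { public bool ValidateIssuer { get; set; } }
class Config
{
    static TokenValidationParameters Build()
    {
        var decoy = new LocalFlags { ValidateIssuer = false };   // different type: ignored
        return new TokenValidationParameters
        {
            ValidateIssuer = false,                                // reported as JWT001
            ValidateAudience = true
        };
    }
}";
        foreach (var f in Analyze(sample))
            Console.WriteLine($"[CRITICAL] {f.RuleId} line {f.Line}: {f.Message}");
    }
}
```

The pass reports the assignment inside the TokenValidationParameters initializer and skips the LocalFlags one. If the Microsoft.IdentityModel.Tokens assembly cannot be resolved, GetSymbolInfo returns no symbol and the rule stays silent rather than guessing, which is the trade-off behind the README's note that semantic mode needs valid syntax but not a full compilation.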

Security Score

The security score starts at 100 and decreases based on findings:

  • CRITICAL: -25 points
  • HIGH: -10 points
  • MEDIUM: -5 points

The score is clamped to the 0-100 range.
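The regex fallback described under Features and Analysis Modes, and the scoring described in this section, fit in one small added example (not jwt-analyzer's own rule engine): three line-based regex rules, a scan over constructed C# source, deduplication of findings on (rule, file, line) as hybrid mode does, and the 100-minus-deductions score with clamping. The sample source is constructed and deliberately includes a misconfiguration inside a comment to show the false positive that regex mode accepts for speed.

```csharp
// Added example, not part of jwt-analyzer. The rule patterns and sample source
// are constructed for illustration.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// The enum value is the number of points the severity deducts.
public enum Severity { Medium = 5, High = 10, Critical = 25 }

public sealed record RegexRule(string Id, Severity Severity, Regex Pattern, string Message);

// Records compare by value, so Distinct() deduplicates on (rule, severity, file, line).
public sealed record Finding(string RuleId, Severity Severity, string File, int Line);

public static class RegexJwtScanner
{
    public static readonly RegexRule[] Rules =
    {
        new("JWT001", Severity.Critical, new Regex(@"\bValidateIssuer\s*=\s*false\b"),
            "ValidateIssuer is set to false"),
        new("JWT007", Severity.High, new Regex(@"ClockSkew\s*=\s*TimeSpan\.FromMinutes\(\s*(\d+)\s*\)"),
            "ClockSkew exceeds 5 minutes"),
        new("JWT008", Severity.High, new Regex(@"new\s+SymmetricSecurityKey\s*\(\s*Encoding\.\w+\.GetBytes\s*\(\s*"""),
            "Hardcoded symmetric signing key"),
    };

    public static List<Finding> Scan(string file, string source)
    {
        var findings = new List<Finding>();
        var lines = source.Split('\n');
        for (int i = 0; i < lines.Length; i++)
        {
            foreach (var rule in Rules)
            {
                var m = rule.Pattern.Match(lines[i]);
                if (!m.Success) continue;
                // JWT007 only fires when the captured minute value is above 5.
                if (rule.Id == "JWT007" && int.Parse(m.Groups[1].Value) <= 5) continue;
                findings.Add(new Finding(rule.Id, rule.Severity, file, i + 1));
            }
        }
        return findings;
    }

    // Start at 100, subtract the per-severity deductions, clamp to 0..100.
    public static int Score(IEnumerable<Finding> findings)
    {
        int deductions = findings.Distinct().Sum(f => (int)f.Severity);
        return Math.Clamp(100 - deductions, 0, 100);
    }

    public static void Main()
    {
        const string sample = @"
var tvp = new TokenValidationParameters
{
    ValidateIssuer = false,
    ClockSkew = TimeSpan.FromMinutes(10),
    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(""example-secret""))
};
// ValidateIssuer = false   <- inside a comment: regex mode still reports it, semantic mode would not
";
        var findings = Scan("Sample.cs", sample);
        foreach (var f in findings)
            Console.WriteLine($"[{f.Severity.ToString().ToUpperInvariant()}] {f.RuleId} {f.File}:{f.Line}");
        Console.WriteLine($"Security Score: {Score(findings)}/100");
    }
}
```

The commented-out line produces a second JWT001 finding because the rule sees text, not syntax; in hybrid mode the semantic pass would report only the real initializer and the regex pass adds the comment hit, which is why the README calls regex mode fast but prone to false positives.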

Exit Codes

  • 0 - Success (or findings below --fail-on threshold)
  • 1 - Failure (findings >= --fail-on threshold, or error)

Architecture

jwt-analyzer/
├── CLI/              # Command-line parsing
├── Scanning/         # Source file discovery
├── Rules/            # Regex-based JWT security rules
├── Semantic/         # Roslyn-based semantic analysis
│   ├── SemanticAnalyzer.cs
│   ├── SemanticRuleEngine.cs
│   └── Rules/        # Semantic JWT security rules
├── Engine/           # Rule execution engine
├── Reporting/        # Output formatters
└── Models/           # Core data structures

Example Output

Console Format

Running semantic analysis...
Running regex analysis...
╔════════════════════════════════════════════════════════════════════╗
║           JWT Security Analysis Report                             ║
╚════════════════════════════════════════════════════════════════════╝

Files Scanned: 15
Total Findings: 3

[CRITICAL] 1 finding(s)
[HIGH] 1 finding(s)
[MEDIUM] 1 finding(s)

Security Score: 60/100

────────────────────────────────────────────────────────────────────
Findings:
────────────────────────────────────────────────────────────────────

[CRITICAL] JWT001
  File: src/Auth/JwtConfig.cs:42
  CRITICAL: ValidateIssuer is set to false. This allows tokens from any issuer...

Performance Considerations

  • Regex mode: Fast, suitable for large codebases, may have false positives
  • Semantic mode: Slower, very accurate, recommended for critical analysis
  • Hybrid mode: Best of both worlds, deduplicates findings

Limitations

  • Semantic analysis requires valid C# syntax (but not full compilation)
  • Some rules are only available in regex mode (e.g., JWT003, JWT004, JWT009-011)
  • No auto-fix capabilities
  • No runtime validation

License

MIT
