David Knise edited this page Jul 8, 2020 · 3 revisions

Open Source Static Analysis Runner (OSSAR) runs multiple open source security static analysis tools without the added complexity. It leverages the Microsoft Security Code Analysis (MSCA) engine, detailed below.


Microsoft Security Code Analysis (MSCA) is a command line application which integrates static analysis tools into the development cycle. MSCA installs, configures and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). MSCA is data-driven, with portable configurations that enable deterministic execution across multiple environments. For tools that output results in SARIF, or whose results MSCA can convert to SARIF, MSCA imports the results into a normalized file database, so that results can be reported and acted on consistently across tools, for example by forcing build breaks.
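The normalize-then-gate idea above is easiest to see on a concrete SARIF log. The following is an added illustration written for this page, not MSCA's or OSSAR's own code: it flattens the results of a SARIF 2.1.0 document into a uniform shape (tool, rule, level, file, line), tallies them by level, and returns a build-break decision. The SARIF sample is constructed inline for the example, and `ExampleAnalyzer`, the `EX00x` rule ids and the file paths are made-up placeholders.

```python
"""Minimal SARIF result gate, added as an illustration of the normalize-and-break
flow described on this page. Not MSCA/OSSAR code."""
import json
from collections import Counter

# Constructed sample SARIF 2.1.0 log (not real tool output): one run from a
# hypothetical tool, with three results at different levels.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleAnalyzer"}},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "Insecure API usage"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/a.c"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "EX002", "level": "warning",
             "message": {"text": "Suspicious cast"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/b.c"},
                 "region": {"startLine": 40}}}]},
            # No "level" and no location: exercises the defaults below.
            {"ruleId": "EX003",
             "message": {"text": "Unused variable"}},
        ],
    }],
})

# SARIF 2.1.0: a result without an explicit "level" is treated as "warning".
DEFAULT_LEVEL = "warning"


def normalize_results(sarif_text):
    """Flatten every result of every run into plain dicts with a stable shape,
    so results from different tools can be reported and compared uniformly."""
    doc = json.loads(sarif_text)
    rows = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            rows.append({
                "tool": tool,
                "ruleId": res.get("ruleId", ""),
                "level": res.get("level", DEFAULT_LEVEL),
                "message": res.get("message", {}).get("text", ""),
                "file": loc.get("artifactLocation", {}).get("uri", ""),
                "line": loc.get("region", {}).get("startLine"),
            })
    return rows


def count_by_level(rows):
    """Tally normalized results by SARIF level (error / warning / note / none)."""
    return Counter(r["level"] for r in rows)


def should_break_build(rows, break_on=("error",)):
    """True if any result sits at a level configured to break the build."""
    return any(r["level"] in break_on for r in rows)


if __name__ == "__main__":
    import sys
    rows = normalize_results(SAMPLE_SARIF)
    for r in rows:
        print(f"{r['level']:8} {r['tool']} {r['ruleId']} "
              f"{r['file']}:{r['line']} {r['message']}")
    print(dict(count_by_level(rows)))
    # Non-zero exit is how a CI step turns "error-level findings" into a build break.
    sys.exit(1 if should_break_build(rows) else 0)
```

The `break_on` tuple is the policy knob: a team that wants warnings to fail the build passes `("error", "warning")`, while a triage-only run passes an empty tuple and still gets the normalized report.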

Run locally. Run remotely.

Install Locally

The Microsoft.Security.CodeAnalysis.Cli is available for download from nuget.org.

To access it easily from the command line, add the tools directory of the nuget package to your path. It can then be invoked via its codename guardian through either the shell or cmd launcher, depending on your operating system.

Basic Commands

Note: [..] blocks indicate optional parameters.

Initialize MSCA in your repo

guardian init

Run MSCA with tools configured by the Microsoft policy (default experience)

guardian run [-p Microsoft]

Run MSCA with tools configured specifically for GitHub

guardian run -p GitHub

Advanced Commands

Each stage of guardian run can be executed independently. To see what commands are available, check the command line help.

See command line help

guardian
guardian help
guardian --help

Interactively configure a tool

guardian configure -t binskim

Run the tool with the custom configuration

guardian run -c binskim