ApplicationInspector
Application Inspector is a Microsoft-built static analysis tool that scans source code to identify what software does by detecting library calls, APIs, encryption, and framework usage across 12+ programming languages. It uses 400+ rule patterns to characterize code features and security-relevant behaviors without making pass/fail judgments.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | microsoft/ApplicationInspector |
| Owner | microsoft |
| Primary language | C# |
| License | MIT — OSI-approved |
| Stars | 4.4k |
| Forks | 366 |
| Open issues | 27 |
| Latest release | v1.9.55 (2026-01-22) |
| Last updated | 2026-06-24 |
| Source | https://github.com/microsoft/ApplicationInspector |
What ApplicationInspector is
A C# command-line and NuGet-based static analyzer that employs a JSON rules engine to surface code characteristics through pattern matching and regex detection. It generates HTML, JSON, SARIF, and Markdown reports and supports mixed-language projects with file exclusion via glob patterns.
Get the ApplicationInspector source
Clone the repository and explore it locally.
git clone https://github.com/microsoft/ApplicationInspector.gitcd ApplicationInspector# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Install .NET 6.0 SDK or use platform-specific binaries (Windows, Linux, macOS); global NuGet tool installation recommended for CLI workflows.
- Baseline analysis takes seconds to minutes depending on codebase size; performance on multi-million-line repos requires profiling and potential rule subsetting.
- Default output is HTML; JSON/SARIF/Markdown formats available for CI integration; consider post-processing reports for policy enforcement.
- Rules are versioned with releases; evaluate rule currency for your compliance or security baseline requirements, especially for emerging frameworks or languages.
- Multi-language projects are supported, but analyze accuracy varies by language maturity; test on representative samples before production rollout.
When to avoid it — and what to weigh
- Need deep vulnerability detection — Application Inspector characterizes features; it does not identify CVEs, buffer overflows, or logic flaws. Use alongside traditional SAST/SCA tools for security scanning.
- Require real-time cloud integration — This is a local, offline analysis tool. No built-in API upload, SaaS dashboard, or continuous monitoring; suitable for on-premises and airgapped environments only.
- Minimal runtime dependencies — .NET 6.0+ runtime is mandatory for the CLI tool. If your infrastructure cannot support .NET or has strict dependency constraints, consider compiled language alternatives.
- Need industry-standard rule customization UI — Custom rules require JSON editing and manual syntax verification. There is no visual rule builder; teams must understand the rule schema and test via verifyrules command.
License & commercial use
MIT License (permissive, OSI-approved). Source code, binaries, and library packages are all MIT-licensed, allowing commercial use, modification, and distribution with minimal restrictions (retain license notice).
MIT is a permissive OSI license that explicitly permits commercial use and proprietary modification. However, verify that your use case complies with your organization's IP policy and dependency governance; no paid support or SLA is implied by the license.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Application Inspector is itself checked by CodeQL automated scanning. It performs local static analysis without network calls and does not send code to external services. As a pattern-matcher, it is not vulnerable to typical code-execution exploits in analyzed code. Review rule quality and false-negative rates in your threat model; detection accuracy is rule-dependent and may miss obfuscated or novel attack patterns.
Alternatives to consider
Semgrep
Open-source static analysis with broader vulnerability detection, language support, and a visual rule playground. Better for vulnerability-focused SAST; less focused on feature characterization.
SonarQube
Enterprise-grade platform with cloud/on-prem deployment, real-time dashboards, and deep code quality metrics. Requires separate installation and licensing; overkill for lightweight component vetting.
Snyk + Syft
SCA-focused with SBOM generation and supply chain risk. Complements Application Inspector for dependency auditing; not a replacement for feature-level source code analysis.
Build on ApplicationInspector with DEV.co software developers
Install Application Inspector via .NET CLI or download platform binaries to begin characterizing code dependencies and enforcing security policies.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
ApplicationInspector FAQ
Can Application Inspector identify vulnerabilities like SQL injection or XSS?
What languages are supported?
Can I customize or add new detection rules?
Does it require internet or send data to Microsoft?
Custom software development services
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If ApplicationInspector is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.
Assess your codebase features in minutes.
Install Application Inspector via .NET CLI or download platform binaries to begin characterizing code dependencies and enforcing security policies.