by microsoft

microsoft / binskim

A binary static analysis tool that provides security and correctness results for Windows Portable Ex...

470 Stars 101 Forks Last release: Not found Other 468 Commits 0 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:

BinSkim Binary Analyzer

This repository contains the source code for BinSkim, a Portable Executable (PE) light-weight scanner that validates compiler/linker settings and other security-relevant binary characteristics.

For Developers

  1. Fork the repository -- Need Help?
  2. Load and compile
    to develop changes for contribution.
  3. Execute BuildAndTest.cmd at the root of the enlistment to validate before submitting a PR.

Submit Pull Requests

  1. Run
    at the root of the enlistment to ensure that all tests pass, release build succeeds, and NuGet packages are created
  2. Submit a Pull Request to the 'develop' branch -- Need Help?

For Users

  1. Download BinSkim from NuGet
  2. Read the User Guide
  3. Find out more about the Static Analysis Results Interchange Format (SARIF) used to output Binskim results

Command-Line Quick Guide

| Argument (short form, long form) | Meaning | | -------------------------------- | ------- | |

| Symbols path value (e.g.

SRV or Cache d:\symbols;Srv http://symweb
) | |
-o, --output
| File path used to write and output analysis using SARIF | |
-v, --verbose
| Emit verbose output. The comprehensive report is designed to provide appropriate evidence for compliance scenarios | |
-r, --recurse
| Recurse into subdirectories when evaluating file specifier arguments | |
-c, --config
| (Default: ‘default’) Path to policy file to be used to configure analysis. Passing value of 'default' (or omitting the argument) invokes built-in settings | |
-q, --quiet
| Do not log results to the console | |
-s, --statistics
| Generate timing and other statistics for analysis session | |
-h, --hashes
| Output hashes of analysis targets when emitting SARIF reports | |
-e, --environment

Log machine environment details of run to output file.

WARNING: This option records potentially sensitive information (such as all environment variable values) to the log file.

| |
-p, --plug-in
| Path to plug-in that will be invoked against all targets in the analysis set. | |
| Table of argument information. | |
| BinSkim version details. | |
value pos. 0
| One or more specifiers to a file, directory, or filter pattern that resolves to one or more binaries to analyze. |


binskim.exe analyze c:\bld\*.dll --recurse --output MyRun.sarif

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.