Gate-1: Source Code and Secret Scanning
This gate runs before you even review your pull request. It scans all files in your repository for credentials, tokens, and other configuration data that contains sensitive information.
Niotechone Software Solution Pvt. Ltd. sets up secret scanning so the pipeline fails immediately when any credentials match a predefined list of patterns. There are no exceptions made for “this is only a test key”. Clients of a .NET application development company often discover secrets left in commits that got deleted months ago.
Gate-2: Dependency and Composition Analysis
This gate executes when building your application. It scans each and every NuGet package your app depends upon, including packages of transitive dependencies that your code never touches.
Imagine a .NET application development company writing perfect code but pulling in a logging utility package that depended on an old version of the JSON parser known to be vulnerable to remote code execution attacks. Gate number two will catch this automatically.
Gate-3: Runtime and Dynamic Scanning
This step happens right after your application is deployed into a staging environment. While static analysis deals with your code, runtime/dynamic analysis interacts with your actual application.
However, many ASP.NET Core development company teams avoid dynamic scanning because “unit tests cover everything.” They do not. Unit tests verify expected behavior. Dynamic scans identify unexpected behavior exploited by attackers.
