Looking to aid developers who rely on external software components, Microsoft has introduced a source code analyzer, Microsoft Application Inspector, to help surface features and other characteristics of source code.

Downloadable from GitHub, the cross-platform command-line tool is designed for scanning components prior to use to assist in determining what the software is or what it does. The data it provides can be useful in reducing the time needed to determine what software components do by examining the source code directly rather than relying on documentation.

Application Inspector is different from traditional static analysis tools in that it does not attempt to identify “good” or “bad” patterns, Microsoft’s documentation states. Rather, the tool reports what it finds against a set of more than 400 rule patterns for feature detection, including features impacting security such as the use of cryptography.

Other key capabilities of Application Inspector include:

A JSON-based rules engine that performs static analysis.

The ability to analyze millions of lines of source code from components built using many languages.

The ability to identify high-risk components and those with unexpected features.

The ability to identify changes to a component’s feature set, version to version, which can indicate anything from a malicious backdoor to an increased attack surface.

The ability to output results in multiple formats including JSON and HTML.

The ability to detect features covering Microsoft Azure, Amazon Web Services, and Google Cloud Platform service APIs and operating system functions such as the file system, security features, and application frameworks.

Microsoft said the Application Inspector differs from other static analysis tools in that is not limited to detecting poor programming practices; it surfaces code characteristics that would be difficult or time-consuming to identify through manual inspection.