Share via


SecAnnotate.exe (.NET Security Annotator Tool)

The .NET Security Annotator tool (SecAnnotate.exe) is a command-line application that identifies the SecurityCritical and SecuritySafeCritical portions of one or more assemblies.

A Visual Studio extension, Security Annotator, provides a graphical user interface to SecAnnotate.exe and enables you to run the tool from Visual Studio.

This tool is automatically installed with Visual Studio and with the Windows SDK. To run the tool, we recommend that you use the Visual Studio Command Prompt or the Windows SDK Command Prompt (CMD Shell). These utilities enable you to run the tool easily, without navigating to the installation folder. For more information, see Visual Studio and Windows SDK Command Prompts.

  • If you have Visual Studio installed on your computer: On the taskbar, click Start, click All Programs, click Visual Studio, click Visual Studio Tools, and then click Visual Studio Command Prompt.

    -or-

    If you have the Windows SDK installed on your computer: On the taskbar, click Start, click All Programs, click the folder for the Windows SDK, and then click Command Prompt (or CMD Shell).

  • At the command prompt, type the following, where parameters are described in the following section, and assemblies consist of one or more assembly names separated by blanks:

SecAnnotate.exe [parameters] [assemblies]

Parameters

Option

Description

/a

or

/showstatistics

Shows statistics about the use of transparency in assemblies that are being analyzed.

/d:directory

or

/referencedir:directory

Specifies a directory to search for dependent assemblies during annotation.

/i

or

/includesignatures

Includes extended signature information in the annotation report file.

/n

or

/nogac

Suppresses searching for referenced assemblies in the global assembly cache.

/o:output.xml

or

/out:output.xml

Specifies the output annotation file.

/p:maxpasses

or

/maximumpasses:maxpasses

Specifies the maximum number of annotation passes to make on assemblies before stopping the generation of new annotations.

/q

or

/quiet

Specifies quiet mode, in which the annotator does not output status messages; it outputs only error information.

/r:assembly

or

/referenceassembly:assembly

Includes the specified assembly when resolving dependent assemblies during annotation. Reference assemblies are given priority over assemblies that are found in the reference path.

/s:rulename

or

/suppressrule:rulename

Suppresses running the specified transparency rule on the input assemblies.

/t

or

/forcetransparent

Forces the Annotator tool to treat all assemblies that do not have any transparency annotations as if they were entirely transparent.

/v

or

/verify

Verifies only that an assembly's annotations are correct; does not attempt to make multiple passes to find all required annotations if the assembly does not verify.

/x

or

/verbose

Specifies verbose output while annotating.

/y:directory

or

/symbolpath:directory

Includes the specified directory when searching for symbol files during annotation.

Remarks

Parameters and assemblies may also be provided in a response file that is specified on the command line and prefixed with an at sign (@). Each line in the response file should contain a single parameter or assembly name.

For more information about the .NET Security Annotator, see the entry Using SecAnnotate to Analyze Your Assemblies for Transparency Violations in the .NET Security blog.