npm - @runsec/mcp - Versions diffs - 1.0.1 - Mend

@runsec/mcp 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

package/dist/index.js +578 -0
package/package.json +43 -0
package/src/rules/data/rule-compliance-map.json +43563 -0
package/src/rules/data/semgrep-rules/README-taint-overlays.md +21 -0
package/src/rules/data/semgrep-rules/advanced-agent-cloud.yaml +802 -0
package/src/rules/data/semgrep-rules/app-logic.yaml +445 -0
package/src/rules/data/semgrep-rules/auth-keycloak.yaml +831 -0
package/src/rules/data/semgrep-rules/browser-agent.yaml +260 -0
package/src/rules/data/semgrep-rules/cloud-secrets.yaml +316 -0
package/src/rules/data/semgrep-rules/csharp-dotnet.yaml +4864 -0
package/src/rules/data/semgrep-rules/desktop-electron-pro.yaml +30 -0
package/src/rules/data/semgrep-rules/desktop-vsto-suite.yaml +2759 -0
package/src/rules/data/semgrep-rules/devops-security.yaml +393 -0
package/src/rules/data/semgrep-rules/domain-access-management.yaml +1023 -0
package/src/rules/data/semgrep-rules/domain-data-privacy.yaml +852 -0
package/src/rules/data/semgrep-rules/domain-input-validation.yaml +2894 -0
package/src/rules/data/semgrep-rules/domain-platform-hardening.yaml +1715 -0
package/src/rules/data/semgrep-rules/ds-ml-security.yaml +2431 -0
package/src/rules/data/semgrep-rules/fastapi-async.yaml +5953 -0
package/src/rules/data/semgrep-rules/frontend-react.yaml +4035 -0
package/src/rules/data/semgrep-rules/frontend-security.yaml +200 -0
package/src/rules/data/semgrep-rules/go-core.yaml +4959 -0
package/src/rules/data/semgrep-rules/hft-cpp-security.yaml +631 -0
package/src/rules/data/semgrep-rules/infra-k8s-helm.yaml +4968 -0
package/src/rules/data/semgrep-rules/integration-security.yaml +2362 -0
package/src/rules/data/semgrep-rules/java-enterprise.yaml +14756 -0
package/src/rules/data/semgrep-rules/java-spring.yaml +397 -0
package/src/rules/data/semgrep-rules/license-compliance.yaml +186 -0
package/src/rules/data/semgrep-rules/mobile-flutter.yaml +37 -0
package/src/rules/data/semgrep-rules/mobile-security.yaml +721 -0
package/src/rules/data/semgrep-rules/nodejs-nestjs.yaml +5164 -0
package/src/rules/data/semgrep-rules/nodejs-security.yaml +326 -0
package/src/rules/data/semgrep-rules/observability.yaml +381 -0
package/src/rules/data/semgrep-rules/php-security.yaml +3601 -0
package/src/rules/data/semgrep-rules/python-backend-pro.yaml +30 -0
package/src/rules/data/semgrep-rules/python-django.yaml +181 -0
package/src/rules/data/semgrep-rules/python-security.yaml +284 -0
package/src/rules/data/semgrep-rules/ru-regulatory.yaml +496 -0
package/src/rules/data/semgrep-rules/ruby-rails.yaml +3078 -0
package/src/rules/data/semgrep-rules/rust-security.yaml +2701 -0

package/src/rules/data/semgrep-rules/csharp-dotnet.yaml ADDED Viewed

@@ -0,0 +1,4864 @@
+rules:
+  - id: runsec.csharp-dotnet.csh-001
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var expr = request.Query["expr"];
+          ...
+          var result = await CSharpScript.EvaluateAsync(expr);
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-001\\b'
+    message: |-
+      RunSec Detection [CSH-001]: CWE-94
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-002
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var host = request.Query["host"];
+          ...
+          Process.Start("cmd.exe", "/c ping " + host);
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-002\\b'
+    message: |-
+      RunSec Detection [CSH-002]: CWE-78
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-003
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var cmd = request.Query["cmd"];
+          ...
+          Process.Start(new ProcessStartInfo("bash", "-c " + cmd) { UseShellExecute = true });
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-003\\b'
+    message: |-
+      RunSec Detection [CSH-003]: CWE-77
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-004
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var typeName = request.Query["type"];
+          ...
+          var t = Type.GetType(typeName);
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-004\\b'
+    message: |-
+      RunSec Detection [CSH-004]: CWE-470
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-005
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var method = request.Query["method"];
+          ...
+          target.GetType().GetMethod(method).Invoke(target, null);
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-005\\b'
+    message: |-
+      RunSec Detection [CSH-005]: CWE-74
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-006
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий контролирует ORDER BY через query string; подставляет выражение, ведущее к утечке данных или обходу логики (CWE-89).
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var order = request.Query["order"];
+          ...
+          var sql = $"SELECT * FROM users ORDER BY {order}";
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-006\\b'
+    message: |-
+      RunSec Detection [CSH-006]: CWE-74
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-007
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var code = request.Form["code"];
+          ...
+          CompileAndRun(code);
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-007\\b'
+    message: |-
+      RunSec Detection [CSH-007]: CWE-94
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-008
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var js = request.Form["script"];
+          ...
+          engine.Execute(js);
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-008\\b'
+    message: |-
+      RunSec Detection [CSH-008]: CWE-95
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-009
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          ...
+          var obj = formatter.Deserialize(stream);
+          ...
+          JsonConvert.DeserializeObject(json, new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All })
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-009\\b'
+    message: |-
+      RunSec Detection [CSH-009]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-010
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий подсовывает XML с внешней сущностью/DTD; при включённом XmlResolver читает файлы или достаёт секреты (CWE-611 XXE).
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var doc = new XmlDocument();
+          ...
+          doc.XmlResolver = new XmlUrlResolver();
+          doc.Load(reader);
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-010\\b'
+    message: |-
+      RunSec Detection [CSH-010]: CWE-611
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-011
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var opts = new CookieOptions { Path = "/" };
+          ...
+          Response.Cookies.Append("session", token, opts);
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-011\\b'
+    message: |-
+      RunSec Detection [CSH-011]: CWE-614
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-012
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var defaultConnection = "Server=db;User=sa;Password=SuperSecret123";
+          ...
+          var apiKey = "prod-api-key-12345";
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-012\\b'
+    message: |-
+      RunSec Detection [CSH-012]: CWE-798
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-013
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          ...
+          using (var md5 = MD5.Create())
+          ...
+          using (var sha1 = SHA1.Create())
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-013\\b'
+    message: |-
+      RunSec Detection [CSH-013]: CWE-327
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-014
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var url = Request.Query["redirect"];
+          ...
+          return Redirect(url);
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-014\\b'
+    message: |-
+      RunSec Detection [CSH-014]: CWE-601
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-015
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var handler = new HttpClientHandler();
+          ...
+          handler.ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) => true;
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-015\\b'
+    message: |-
+      RunSec Detection [CSH-015]: CWE-295
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-016
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          ...
+          var bytes = Encoding.UTF8.GetBytes(password);
+          ...
+          SHA256.Create().ComputeHash(bytes)
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-016\\b'
+    message: |-
+      RunSec Detection [CSH-016]: CWE-916
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-017
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          mailItem.HTMLBody = userHtml;
+          worksheet.Cells[row, col].Formula = "=" + userInput;
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-017\\b'
+    message: |-
+      RunSec Detection [CSH-017]: Office Add-in Security
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-018
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          Globals.ThisAddIn.Application.Run(userMacro)
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-018\\b'
+    message: |-
+      RunSec Detection [CSH-018]: VSTO hardening
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-019
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          new BinaryFormatter().Deserialize(stream)
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-019\\b'
+    message: |-
+      RunSec Detection [CSH-019]: .NET BinaryFormatter ban
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-020
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          dataSet.ReadXml(userStream)
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-020\\b'
+    message: |-
+      RunSec Detection [CSH-020]: CWE-611 / XML hardening
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-021
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          [DllImport("user32.dll")] static extern int MessageBox(string text);
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-021\\b'
+    message: |-
+      RunSec Detection [CSH-021]: Interop security
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-022
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          Assembly.LoadFrom(pathFromRequest)
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-022\\b'
+    message: |-
+      RunSec Detection [CSH-022]: CWE-114
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-023
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Update(UserEntity entity)
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-023\\b'
+    message: |-
+      RunSec Detection [CSH-023]: OWASP Mass Assignment
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-024
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          CreateMap<UserDto, UserEntity>();
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-024\\b'
+    message: |-
+      RunSec Detection [CSH-024]: Object mapping security
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-025
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          ValidateIssuer = false; ValidateAudience = false;
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-025\\b'
+    message: |-
+      RunSec Detection [CSH-025]: JWT BCP / ASP.NET Auth
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-026
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          context.Response.Redirect(returnUrl)
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-026\\b'
+    message: |-
+      RunSec Detection [CSH-026]: OAuth redirect security
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-027
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var path = Path.Combine(uploadDir, file.FileName);
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-027\\b'
+    message: |-
+      RunSec Detection [CSH-027]: OWASP File Upload
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-028
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          return PhysicalFile(basePath + name, ...)
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-028\\b'
+    message: |-
+      RunSec Detection [CSH-028]: CWE-22
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-029
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          [HttpPost]
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-029\\b'
+    message: |-
+      RunSec Detection [CSH-029]: OWASP CSRF
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-030
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var opts = new CookieOptions { Secure = false, HttpOnly = false };
+          ...
+          Response.Cookies.Append("session", token, opts);
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-030\\b'
+    message: |-
+      RunSec Detection [CSH-030]: Session management
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-031
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          TypeNameHandling.Auto/All
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-031\\b'
+    message: |-
+      RunSec Detection [CSH-031]: Json.NET hardening
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-032
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          validateRequest="false"
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-032\\b'
+    message: |-
+      RunSec Detection [CSH-032]: ASP.NET config security
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-033
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          SecurityProtocol = SecurityProtocolType.Ssl3
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-033\\b'
+    message: |-
+      RunSec Detection [CSH-033]: TLS hardening
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-034
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var token = new Random().Next();
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-034\\b'
+    message: |-
+      RunSec Detection [CSH-034]: CWE-338
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-035
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          logger.LogInformation("pwd={pwd}", pwd)
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-035\\b'
+    message: |-
+      RunSec Detection [CSH-035]: OWASP Logging
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-036
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          "(uid=" + user + ")"
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-036\\b'
+    message: |-
+      RunSec Detection [CSH-036]: CWE-90
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-037
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий подаёт вход, провоцирующий катастрофический backtracking regex; возможен ReDoS (обычно не прямой RCE).
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          new Regex("(a+)+$")
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-037\\b'
+    message: |-
+      RunSec Detection [CSH-037]: ReDoS defense
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-038
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          signedXml.CheckSignature()
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-038\\b'
+    message: |-
+      RunSec Detection [CSH-038]: XMLDSIG security
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-039
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var role = context.RequestHeaders.GetValue("role");
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-039\\b'
+    message: |-
+      RunSec Detection [CSH-039]: gRPC security
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-040
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          Field("ssn").Resolve(ctx => ctx.Source.InternalSsn)
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-040\\b'
+    message: |-
+      RunSec Detection [CSH-040]: GraphQL security
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-041
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          FromSqlRaw($"...{id}...")
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-041\\b'
+    message: |-
+      RunSec Detection [CSH-041]: EF Core SQLi
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-042
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          activity.SetTag("user.password", password);
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-042\\b'
+    message: |-
+      RunSec Detection [CSH-042]: Observability security
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-043
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          new WebClient().DownloadString(url)
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-043\\b'
+    message: |-
+      RunSec Detection [CSH-043]: .NET networking hardening
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-044
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          var svcPass = "hardcoded-service-secret";
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-044\\b'
+    message: |-
+      RunSec Detection [CSH-044]: CWE-798
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-045
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          return await _repo.GetByIdAsync(id);
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-045\\b'
+    message: |-
+      RunSec Detection [CSH-045]: OWASP API1 BOLA
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-046
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          File.Delete(userPath)
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-046\\b'
+    message: |-
+      RunSec Detection [CSH-046]: CWE-73
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-047
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          new BinaryFormatter().Deserialize(stream)
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-047\\b'
+    message: |-
+      RunSec Detection [CSH-047]: CWE Final Certification
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-048
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          Assembly.LoadFrom(userPath)
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-048\\b'
+    message: |-
+      RunSec Detection [CSH-048]: CWE Final Certification
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-049
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          await _http.GetStringAsync("http://169.254.169.254/latest/meta-data/")
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-049\\b'
+    message: |-
+      RunSec Detection [CSH-049]: CWE-918
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-050
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          WebRequest.CreateHttp("http://metadata.google.internal/computeMetadata/v1/")
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-050\\b'
+    message: |-
+      RunSec Detection [CSH-050]: CWE-918
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-051
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          new RestClient("http://169.254.169.254").Execute(new RestRequest("/latest/meta-data/"))
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-051\\b'
+    message: |-
+      RunSec Detection [CSH-051]: CWE-918
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-052
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input.
+    pattern-either:
+      - pattern: |-
+          await client.GetStringAsync("http://169.254.169.254/metadata/instance")
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-052\\b'
+    message: |-
+      RunSec Detection [CSH-052]: CWE-918
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-053
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Replace == on secrets with CryptographicOperations.FixedTimeEquals or verified KDF APIs only.
+    pattern-either:
+      - pattern: |-
+          return storedHash == computedHash;
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-053\\b'
+    message: |-
+      RunSec Detection [CSH-053]: CWE-613
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-054
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Enable lifetime validation and align clock skew with token issuer SLA.
+    pattern-either:
+      - pattern: |-
+          ValidateLifetime = false
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-054\\b'
+    message: |-
+      RunSec Detection [CSH-054]: CWE-924
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-055
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Avoid TimeSpan.Zero unless IdP mandates; document skew rationale.
+    pattern-either:
+      - pattern: |-
+          ClockSkew = TimeSpan.Zero
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-055\\b'
+    message: |-
+      RunSec Detection [CSH-055]: CWE-613
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-056
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Create temp files under app-controlled dir with explicit ACL, not default shared temp.
+    pattern-either:
+      - pattern: |-
+          var tmp = Path.GetTempFileName();
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-056\\b'
+    message: |-
+      RunSec Detection [CSH-056]: CWE-377
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-057
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Always quote/structure paths with spaces; avoid single-string overloads for untrusted paths.
+    pattern-either:
+      - pattern: |-
+          Process.Start("C:\\Program Files\\Vendor\\tool.exe");
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-057\\b'
+    message: |-
+      RunSec Detection [CSH-057]: CWE-428
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.csh-058
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Quote service binary paths in registry; validate against allowlist.
+    pattern-either:
+      - pattern: |-
+          Registry.SetValue(key, "ImagePath", "C:\\Program Files\\App\\svc.exe");
+      - pattern-regex: 'Vulnerable:\\s*CSH\\-058\\b'
+    message: |-
+      RunSec Detection [CSH-058]: CWE-428
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-101
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-101\\b'
+    message: |-
+      RunSec Detection [DNX-101]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-102
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-102\\b'
+    message: |-
+      RunSec Detection [DNX-102]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-103
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-103\\b'
+    message: |-
+      RunSec Detection [DNX-103]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-104
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-104\\b'
+    message: |-
+      RunSec Detection [DNX-104]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-105
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-105\\b'
+    message: |-
+      RunSec Detection [DNX-105]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-106
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-106\\b'
+    message: |-
+      RunSec Detection [DNX-106]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-107
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-107\\b'
+    message: |-
+      RunSec Detection [DNX-107]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-108
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-108\\b'
+    message: |-
+      RunSec Detection [DNX-108]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-109
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-109\\b'
+    message: |-
+      RunSec Detection [DNX-109]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-110
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-110\\b'
+    message: |-
+      RunSec Detection [DNX-110]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-111
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-111\\b'
+    message: |-
+      RunSec Detection [DNX-111]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-112
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-112\\b'
+    message: |-
+      RunSec Detection [DNX-112]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-113
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-113\\b'
+    message: |-
+      RunSec Detection [DNX-113]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-114
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-114\\b'
+    message: |-
+      RunSec Detection [DNX-114]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-115
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-115\\b'
+    message: |-
+      RunSec Detection [DNX-115]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-116
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-116\\b'
+    message: |-
+      RunSec Detection [DNX-116]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-117
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-117\\b'
+    message: |-
+      RunSec Detection [DNX-117]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-118
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-118\\b'
+    message: |-
+      RunSec Detection [DNX-118]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-119
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-119\\b'
+    message: |-
+      RunSec Detection [DNX-119]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-120
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-120\\b'
+    message: |-
+      RunSec Detection [DNX-120]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-121
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-121\\b'
+    message: |-
+      RunSec Detection [DNX-121]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-122
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-122\\b'
+    message: |-
+      RunSec Detection [DNX-122]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-123
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-123\\b'
+    message: |-
+      RunSec Detection [DNX-123]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-124
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-124\\b'
+    message: |-
+      RunSec Detection [DNX-124]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-125
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-125\\b'
+    message: |-
+      RunSec Detection [DNX-125]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-126
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-126\\b'
+    message: |-
+      RunSec Detection [DNX-126]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-127
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-127\\b'
+    message: |-
+      RunSec Detection [DNX-127]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-128
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-128\\b'
+    message: |-
+      RunSec Detection [DNX-128]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-129
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-129\\b'
+    message: |-
+      RunSec Detection [DNX-129]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-130
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-130\\b'
+    message: |-
+      RunSec Detection [DNX-130]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-131
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-131\\b'
+    message: |-
+      RunSec Detection [DNX-131]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-132
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-132\\b'
+    message: |-
+      RunSec Detection [DNX-132]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-133
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-133\\b'
+    message: |-
+      RunSec Detection [DNX-133]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-134
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-134\\b'
+    message: |-
+      RunSec Detection [DNX-134]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-135
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-135\\b'
+    message: |-
+      RunSec Detection [DNX-135]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-136
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-136\\b'
+    message: |-
+      RunSec Detection [DNX-136]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-137
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-137\\b'
+    message: |-
+      RunSec Detection [DNX-137]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-138
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-138\\b'
+    message: |-
+      RunSec Detection [DNX-138]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-139
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-139\\b'
+    message: |-
+      RunSec Detection [DNX-139]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-140
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-140\\b'
+    message: |-
+      RunSec Detection [DNX-140]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-141
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-141\\b'
+    message: |-
+      RunSec Detection [DNX-141]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-142
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-142\\b'
+    message: |-
+      RunSec Detection [DNX-142]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-143
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-143\\b'
+    message: |-
+      RunSec Detection [DNX-143]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-144
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-144\\b'
+    message: |-
+      RunSec Detection [DNX-144]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-145
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-145\\b'
+    message: |-
+      RunSec Detection [DNX-145]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-146
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-146\\b'
+    message: |-
+      RunSec Detection [DNX-146]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-147
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-147\\b'
+    message: |-
+      RunSec Detection [DNX-147]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-148
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-148\\b'
+    message: |-
+      RunSec Detection [DNX-148]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-149
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-149\\b'
+    message: |-
+      RunSec Detection [DNX-149]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-150
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-150\\b'
+    message: |-
+      RunSec Detection [DNX-150]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-151
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-151\\b'
+    message: |-
+      RunSec Detection [DNX-151]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-152
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-152\\b'
+    message: |-
+      RunSec Detection [DNX-152]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-153
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-153\\b'
+    message: |-
+      RunSec Detection [DNX-153]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-154
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-154\\b'
+    message: |-
+      RunSec Detection [DNX-154]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-155
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-155\\b'
+    message: |-
+      RunSec Detection [DNX-155]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-156
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-156\\b'
+    message: |-
+      RunSec Detection [DNX-156]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-157
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-157\\b'
+    message: |-
+      RunSec Detection [DNX-157]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-158
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-158\\b'
+    message: |-
+      RunSec Detection [DNX-158]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-159
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-159\\b'
+    message: |-
+      RunSec Detection [DNX-159]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-160
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-160\\b'
+    message: |-
+      RunSec Detection [DNX-160]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-161
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-161\\b'
+    message: |-
+      RunSec Detection [DNX-161]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-162
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-162\\b'
+    message: |-
+      RunSec Detection [DNX-162]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-163
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-163\\b'
+    message: |-
+      RunSec Detection [DNX-163]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-164
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-164\\b'
+    message: |-
+      RunSec Detection [DNX-164]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-165
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-165\\b'
+    message: |-
+      RunSec Detection [DNX-165]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-166
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-166\\b'
+    message: |-
+      RunSec Detection [DNX-166]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-167
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-167\\b'
+    message: |-
+      RunSec Detection [DNX-167]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-168
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-168\\b'
+    message: |-
+      RunSec Detection [DNX-168]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-169
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-169\\b'
+    message: |-
+      RunSec Detection [DNX-169]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-170
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-170\\b'
+    message: |-
+      RunSec Detection [DNX-170]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-171
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-171\\b'
+    message: |-
+      RunSec Detection [DNX-171]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-172
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-172\\b'
+    message: |-
+      RunSec Detection [DNX-172]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-173
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-173\\b'
+    message: |-
+      RunSec Detection [DNX-173]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-174
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-174\\b'
+    message: |-
+      RunSec Detection [DNX-174]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-175
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-175\\b'
+    message: |-
+      RunSec Detection [DNX-175]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-176
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-176\\b'
+    message: |-
+      RunSec Detection [DNX-176]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-177
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-177\\b'
+    message: |-
+      RunSec Detection [DNX-177]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-178
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-178\\b'
+    message: |-
+      RunSec Detection [DNX-178]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-179
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-179\\b'
+    message: |-
+      RunSec Detection [DNX-179]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-180
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-180\\b'
+    message: |-
+      RunSec Detection [DNX-180]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-181
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-181\\b'
+    message: |-
+      RunSec Detection [DNX-181]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-182
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-182\\b'
+    message: |-
+      RunSec Detection [DNX-182]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-183
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-183\\b'
+    message: |-
+      RunSec Detection [DNX-183]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-184
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-184\\b'
+    message: |-
+      RunSec Detection [DNX-184]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-185
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-185\\b'
+    message: |-
+      RunSec Detection [DNX-185]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-186
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-186\\b'
+    message: |-
+      RunSec Detection [DNX-186]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-187
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-187\\b'
+    message: |-
+      RunSec Detection [DNX-187]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-188
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-188\\b'
+    message: |-
+      RunSec Detection [DNX-188]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-189
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-189\\b'
+    message: |-
+      RunSec Detection [DNX-189]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-190
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-190\\b'
+    message: |-
+      RunSec Detection [DNX-190]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-191
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-191\\b'
+    message: |-
+      RunSec Detection [DNX-191]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-192
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-192\\b'
+    message: |-
+      RunSec Detection [DNX-192]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-193
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-193\\b'
+    message: |-
+      RunSec Detection [DNX-193]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-194
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-194\\b'
+    message: |-
+      RunSec Detection [DNX-194]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-195
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-195\\b'
+    message: |-
+      RunSec Detection [DNX-195]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-196
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-196\\b'
+    message: |-
+      RunSec Detection [DNX-196]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-197
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-197\\b'
+    message: |-
+      RunSec Detection [DNX-197]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-198
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-198\\b'
+    message: |-
+      RunSec Detection [DNX-198]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-199
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-199\\b'
+    message: |-
+      RunSec Detection [DNX-199]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-200
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-200\\b'
+    message: |-
+      RunSec Detection [DNX-200]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-201
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-201\\b'
+    message: |-
+      RunSec Detection [DNX-201]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-202
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-202\\b'
+    message: |-
+      RunSec Detection [DNX-202]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-203
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-203\\b'
+    message: |-
+      RunSec Detection [DNX-203]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-204
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-204\\b'
+    message: |-
+      RunSec Detection [DNX-204]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-205
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-205\\b'
+    message: |-
+      RunSec Detection [DNX-205]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-206
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-206\\b'
+    message: |-
+      RunSec Detection [DNX-206]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-207
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-207\\b'
+    message: |-
+      RunSec Detection [DNX-207]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-208
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-208\\b'
+    message: |-
+      RunSec Detection [DNX-208]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-209
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-209\\b'
+    message: |-
+      RunSec Detection [DNX-209]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-210
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-210\\b'
+    message: |-
+      RunSec Detection [DNX-210]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-211
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-211\\b'
+    message: |-
+      RunSec Detection [DNX-211]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-212
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-212\\b'
+    message: |-
+      RunSec Detection [DNX-212]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-213
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-213\\b'
+    message: |-
+      RunSec Detection [DNX-213]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-214
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-214\\b'
+    message: |-
+      RunSec Detection [DNX-214]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-215
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-215\\b'
+    message: |-
+      RunSec Detection [DNX-215]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-216
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-216\\b'
+    message: |-
+      RunSec Detection [DNX-216]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-217
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-217\\b'
+    message: |-
+      RunSec Detection [DNX-217]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-218
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-218\\b'
+    message: |-
+      RunSec Detection [DNX-218]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-219
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-219\\b'
+    message: |-
+      RunSec Detection [DNX-219]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-220
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-220\\b'
+    message: |-
+      RunSec Detection [DNX-220]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-221
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-221\\b'
+    message: |-
+      RunSec Detection [DNX-221]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-222
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-222\\b'
+    message: |-
+      RunSec Detection [DNX-222]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-223
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-223\\b'
+    message: |-
+      RunSec Detection [DNX-223]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-224
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-224\\b'
+    message: |-
+      RunSec Detection [DNX-224]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-225
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-225\\b'
+    message: |-
+      RunSec Detection [DNX-225]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-226
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-226\\b'
+    message: |-
+      RunSec Detection [DNX-226]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-227
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-227\\b'
+    message: |-
+      RunSec Detection [DNX-227]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-228
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-228\\b'
+    message: |-
+      RunSec Detection [DNX-228]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-229
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-229\\b'
+    message: |-
+      RunSec Detection [DNX-229]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-230
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-230\\b'
+    message: |-
+      RunSec Detection [DNX-230]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-231
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-231\\b'
+    message: |-
+      RunSec Detection [DNX-231]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-232
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-232\\b'
+    message: |-
+      RunSec Detection [DNX-232]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-233
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-233\\b'
+    message: |-
+      RunSec Detection [DNX-233]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-234
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-234\\b'
+    message: |-
+      RunSec Detection [DNX-234]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-235
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-235\\b'
+    message: |-
+      RunSec Detection [DNX-235]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-236
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-236\\b'
+    message: |-
+      RunSec Detection [DNX-236]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-237
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-237\\b'
+    message: |-
+      RunSec Detection [DNX-237]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-238
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-238\\b'
+    message: |-
+      RunSec Detection [DNX-238]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-239
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-239\\b'
+    message: |-
+      RunSec Detection [DNX-239]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-240
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-240\\b'
+    message: |-
+      RunSec Detection [DNX-240]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-241
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-241\\b'
+    message: |-
+      RunSec Detection [DNX-241]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-242
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-242\\b'
+    message: |-
+      RunSec Detection [DNX-242]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-243
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-243\\b'
+    message: |-
+      RunSec Detection [DNX-243]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-244
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-244\\b'
+    message: |-
+      RunSec Detection [DNX-244]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-245
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-245\\b'
+    message: |-
+      RunSec Detection [DNX-245]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-246
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-246\\b'
+    message: |-
+      RunSec Detection [DNX-246]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-247
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-247\\b'
+    message: |-
+      RunSec Detection [DNX-247]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-248
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-248\\b'
+    message: |-
+      RunSec Detection [DNX-248]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-249
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-249\\b'
+    message: |-
+      RunSec Detection [DNX-249]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-250
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-250\\b'
+    message: |-
+      RunSec Detection [DNX-250]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-251
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-251\\b'
+    message: |-
+      RunSec Detection [DNX-251]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-252
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-252\\b'
+    message: |-
+      RunSec Detection [DNX-252]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-253
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-253\\b'
+    message: |-
+      RunSec Detection [DNX-253]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-254
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-254\\b'
+    message: |-
+      RunSec Detection [DNX-254]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-255
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-255\\b'
+    message: |-
+      RunSec Detection [DNX-255]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-256
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-256\\b'
+    message: |-
+      RunSec Detection [DNX-256]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-257
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-257\\b'
+    message: |-
+      RunSec Detection [DNX-257]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-258
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-258\\b'
+    message: |-
+      RunSec Detection [DNX-258]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-259
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-259\\b'
+    message: |-
+      RunSec Detection [DNX-259]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-260
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-260\\b'
+    message: |-
+      RunSec Detection [DNX-260]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-261
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-261\\b'
+    message: |-
+      RunSec Detection [DNX-261]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-262
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-262\\b'
+    message: |-
+      RunSec Detection [DNX-262]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-263
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-263\\b'
+    message: |-
+      RunSec Detection [DNX-263]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-264
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-264\\b'
+    message: |-
+      RunSec Detection [DNX-264]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-265
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-265\\b'
+    message: |-
+      RunSec Detection [DNX-265]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-266
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-266\\b'
+    message: |-
+      RunSec Detection [DNX-266]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-267
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-267\\b'
+    message: |-
+      RunSec Detection [DNX-267]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-268
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-268\\b'
+    message: |-
+      RunSec Detection [DNX-268]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-269
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-269\\b'
+    message: |-
+      RunSec Detection [DNX-269]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-270
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-270\\b'
+    message: |-
+      RunSec Detection [DNX-270]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-271
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-271\\b'
+    message: |-
+      RunSec Detection [DNX-271]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-272
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-272\\b'
+    message: |-
+      RunSec Detection [DNX-272]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-273
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-273\\b'
+    message: |-
+      RunSec Detection [DNX-273]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-274
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-274\\b'
+    message: |-
+      RunSec Detection [DNX-274]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-275
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-275\\b'
+    message: |-
+      RunSec Detection [DNX-275]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-276
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-276\\b'
+    message: |-
+      RunSec Detection [DNX-276]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-277
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-277\\b'
+    message: |-
+      RunSec Detection [DNX-277]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-278
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-278\\b'
+    message: |-
+      RunSec Detection [DNX-278]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-279
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-279\\b'
+    message: |-
+      RunSec Detection [DNX-279]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-280
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-280\\b'
+    message: |-
+      RunSec Detection [DNX-280]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-281
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-281\\b'
+    message: |-
+      RunSec Detection [DNX-281]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-282
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-282\\b'
+    message: |-
+      RunSec Detection [DNX-282]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-283
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-283\\b'
+    message: |-
+      RunSec Detection [DNX-283]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-284
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-284\\b'
+    message: |-
+      RunSec Detection [DNX-284]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-285
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-285\\b'
+    message: |-
+      RunSec Detection [DNX-285]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-286
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-286\\b'
+    message: |-
+      RunSec Detection [DNX-286]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-287
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-287\\b'
+    message: |-
+      RunSec Detection [DNX-287]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-288
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-288\\b'
+    message: |-
+      RunSec Detection [DNX-288]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-289
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-289\\b'
+    message: |-
+      RunSec Detection [DNX-289]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-290
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-290\\b'
+    message: |-
+      RunSec Detection [DNX-290]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-291
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-291\\b'
+    message: |-
+      RunSec Detection [DNX-291]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-292
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-292\\b'
+    message: |-
+      RunSec Detection [DNX-292]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-293
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-293\\b'
+    message: |-
+      RunSec Detection [DNX-293]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-294
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-294\\b'
+    message: |-
+      RunSec Detection [DNX-294]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-295
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-295\\b'
+    message: |-
+      RunSec Detection [DNX-295]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-296
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-296\\b'
+    message: |-
+      RunSec Detection [DNX-296]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-297
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-297\\b'
+    message: |-
+      RunSec Detection [DNX-297]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-298
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-298\\b'
+    message: |-
+      RunSec Detection [DNX-298]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-299
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-299\\b'
+    message: |-
+      RunSec Detection [DNX-299]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-300
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-300\\b'
+    message: |-
+      RunSec Detection [DNX-300]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-301
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-301\\b'
+    message: |-
+      RunSec Detection [DNX-301]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-302
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-302\\b'
+    message: |-
+      RunSec Detection [DNX-302]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-303
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-303\\b'
+    message: |-
+      RunSec Detection [DNX-303]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-304
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-304\\b'
+    message: |-
+      RunSec Detection [DNX-304]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-305
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-305\\b'
+    message: |-
+      RunSec Detection [DNX-305]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-306
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Object IDs are enumerable and expose cross-tenant records.
+      fix_template: |-
+        Autofix: enforce owner-scoped query predicates for object retrieval.
+    pattern-either:
+      - pattern: |-
+          return _db.Orders.First(o => o.Id == id);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-306\\b'
+    message: |-
+      RunSec Detection [DNX-306]: CWE-639
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-307
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Raw SQL construction enables arbitrary SQL fragments.
+      fix_template: |-
+        Autofix: replace raw concatenation with interpolated parameterized APIs.
+    pattern-either:
+      - pattern: |-
+          _db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-307\\b'
+    message: |-
+      RunSec Detection [DNX-307]: CWE-89
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-308
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Deserialization gadgets can trigger remote code execution.
+      fix_template: |-
+        Autofix: remove BinaryFormatter and migrate to typed safe serializer.
+    pattern-either:
+      - pattern: |-
+          var obj = new BinaryFormatter().Deserialize(stream);
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-308\\b'
+    message: |-
+      RunSec Detection [DNX-308]: CWE-502
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-309
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Model binder can set protected privilege and billing fields.
+      fix_template: |-
+        Autofix: replace entity binding with DTO allowlist mapping.
+    pattern-either:
+      - pattern: |-
+          public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-309\\b'
+    message: |-
+      RunSec Detection [DNX-309]: CWE-915
+    languages:
+      - csharp
+    severity: WARNING
+  - id: runsec.csharp-dotnet.dnx-310
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Concurrent mutation causes state races and authorization bypass windows.
+      fix_template: |-
+        Autofix: guard shared mutable cache writes with synchronization lock.
+    pattern-either:
+      - pattern: |-
+          _cache[key] = value;
+      - pattern-regex: 'Vulnerable:\\s*DNX\\-310\\b'
+    message: |-
+      RunSec Detection [DNX-310]: CWE-662
+    languages:
+      - csharp
+    severity: WARNING