This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit


Jump to: navigation, search

What is FxCop?

FxCop is a free code analysis tool developed by Microsoft, use to analyze MSIL (Microsoft Intermediate Language) generated from any managed language (including C# and VB.NET).

FxCop is a standalone .NET 2.0 application, downloadable from the locations referenced below. A modified version of the FxCop codebase is integrated into Microsoft Visual Studio 2005 and 2008. While the rulebase for each is mostly the same, there are notable differences between the two (see the Rules comparison spreadsheet below), and the compiled format for custom rules is different; thus, one cannot generally develop custom rules that can be used natively in both contexts.


Tool, Documentation and Community

Custom Rules and other third-party Enhancements

Similar Tools for .NET code analysis

  • Agent Smith Plugin - "Agent Smith is C# code style validation plugin for ReSharper (Visual Studio plugin)."
  • Agent Johnson Plugin - "Plugin for JetBrains ReSharper", performing limited code analysis, refactoring and fixups on C# code.
  • Smokey (Google Code) - tool similar to FxCop for analysing managed code; has 220 separate rules.
  • Phoenix - an SDK from MS Research labelled as "...the software optimization and analysis framework that is the basis for all future Microsoft® compiler technologies. The Phoenix framework is an extensible system that can be adapted to read and write binaries and Microsoft Intermediate Language assemblies and represent the input files in an Intermediate Representation, which can be analyzed and manipulated by applications by using the Phoenix API."
  • Gendarme - "Gendarme is a extensible rule-based tool to find problems in .NET applications and libraries. Gendarme inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET) and looks for common problems with the code, problems that compiler do not typically check or have not historically checked."
  • md-codeanalysis - "MonoDevelop.CodeAnalysis is an addin that integrates both Gendarme and Smokey into MonoDevelop."