Project Description
DevSecOps Engineer — ASP.NET Static Security Analysis Pipeline (SonarQube + CI/CD)
OVERVIEW
We need an experienced Application Security / DevSecOps engineer to design and implement a fully automated static security code-review workflow for our ASP.NET Framework and ASP.NET Core repositories. The primary engine is SonarQube. The focus of this project is security rule engineering and pipeline automation — not general .NET development.
TOOL SCOPE
- Primary: SonarQube — required. Custom rules are written as Roslyn analyzers and packaged for SonarQube (for example with the SonarQube Roslyn SDK, which turns a NuGet package of analyzers into a SonarQube plugin).
- Complementary (optional): Semgrep, CodeQL, Snyk Code. Experience with Fortify or Checkmarx is a bonus.
- Supporting: OWASP Dependency-Check or Dependabot for SCA. GitLeaks / TruffleHog for secrets scanning.
VULNERABILITY CLASSES — CUSTOM RULES REQUIRED
SQL injection, XSS, CSRF, Auth/authz flaws, Hardcoded secrets, Sensitive data exposure, Unsafe deserialization, Weak cryptography, Insecure file uploads, Dependency misconfigurations, Razor (.cshtml) issues, ASP.NET-specific anti-patterns.
DELIVERABLES
1. End-to-end CI/CD integration (GitHub Actions, Azure DevOps, or Jenkins): every commit and pull request triggers a scan, and findings at or above the agreed severity threshold fail the build through the quality gate.
2. Minimum 5 custom security rules (source-to-sink, taint-tracking) targeting the vulnerability classes listed above. Note that SonarQube's built-in C# injection (taint) analysis ships only in the commercial editions and is not extensible with plugin-authored rules, so custom Roslyn analyzers must carry their own source-to-sink tracking.
3. Quality gates, severity thresholds, and branch policies tuned to reduce false positives.
4. Baseline suppression strategy so existing findings don't flood day-one builds (for example, a "new code" definition so that the gate evaluates only findings introduced on or after the baseline).
5. Acceptance demo: green build on clean branch → injected flaws cause build failure.
6. Documentation covering installation, rule authoring, upgrades, and day-to-day triage.
7. Knowledge transfer session with the development team.
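As an added illustration of the kind of rule deliverable 2 asks for (this is example code written for this listing, not code from the project, from SonarQube, or from any of the tools named above), below is a minimal Roslyn analyzer that flags SqlCommand command text built by string concatenation or interpolation, the classic SQL injection sink pattern in ASP.NET code. The rule id `SEC0001`, the namespace and the class name are placeholders. It is a syntactic sink check only; a true source-to-sink rule would extend it with data-flow analysis over Roslyn's `IOperation` tree so that a tainted local assigned earlier is also caught.

```csharp
// Added example (not part of the posting): a minimal Roslyn analyzer that reports
// SqlCommand command text built from concatenated or interpolated strings.
// Rule id "SEC0001", the namespace and the type name are placeholders.
using System.Collections.Immutable;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;

namespace Example.SecurityRules
{
    // Flagged: new SqlCommand("SELECT * FROM Users WHERE Name = '" + name + "'", conn)
    // Flagged: cmd.CommandText = $"SELECT * FROM Users WHERE Id = {id}";
    // Clean:   new SqlCommand("SELECT * FROM Users WHERE Id = @id", conn)
    //          followed by cmd.Parameters.AddWithValue("@id", id)
    [DiagnosticAnalyzer(LanguageNames.CSharp)]
    public sealed class SqlCommandConcatenationAnalyzer : DiagnosticAnalyzer
    {
        public const string DiagnosticId = "SEC0001"; // placeholder rule id

        private static readonly DiagnosticDescriptor Rule = new DiagnosticDescriptor(
            DiagnosticId,
            "SQL command text built from concatenated or interpolated strings",
            "Command text passed to {0} is built by {1}; use a parameterized query instead",
            "Security",
            DiagnosticSeverity.Error,
            isEnabledByDefault: true,
            description: "Concatenating or interpolating values into a SqlCommand is a SQL injection sink. Bind values with SqlParameter instead.");

        // Sink types: the legacy System.Data SqlClient and the modern Microsoft.Data SqlClient.
        private static readonly ImmutableHashSet<string> SinkTypes = ImmutableHashSet.Create(
            "System.Data.SqlClient.SqlCommand",
            "Microsoft.Data.SqlClient.SqlCommand");

        public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics => ImmutableArray.Create(Rule);

        public override void Initialize(AnalysisContext context)
        {
            context.EnableConcurrentExecution();
            context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
            // new SqlCommand("..." + input, conn) and the target-typed form SqlCommand cmd = new("..." + input, conn)
            context.RegisterSyntaxNodeAction(AnalyzeObjectCreation,
                SyntaxKind.ObjectCreationExpression, SyntaxKind.ImplicitObjectCreationExpression);
            // cmd.CommandText = $"... {input}"
            context.RegisterSyntaxNodeAction(AnalyzeAssignment, SyntaxKind.SimpleAssignmentExpression);
        }

        private static void AnalyzeObjectCreation(SyntaxNodeAnalysisContext context)
        {
            var creation = (BaseObjectCreationExpressionSyntax)context.Node;
            var argList = creation.ArgumentList;
            if (argList == null || argList.Arguments.Count == 0) return;
            if (!IsSink(context.SemanticModel.GetTypeInfo(creation).Type)) return;
            // The first constructor argument of SqlCommand is the command text.
            Report(context, argList.Arguments[0].Expression, "the SqlCommand constructor");
        }

        private static void AnalyzeAssignment(SyntaxNodeAnalysisContext context)
        {
            var assignment = (AssignmentExpressionSyntax)context.Node;
            if (!(assignment.Left is MemberAccessExpressionSyntax member)) return;
            if (member.Name.Identifier.ValueText != "CommandText") return;
            if (!IsSink(context.SemanticModel.GetTypeInfo(member.Expression).Type)) return;
            Report(context, assignment.Right, "SqlCommand.CommandText");
        }

        private static bool IsSink(ITypeSymbol type) =>
            type != null && SinkTypes.Contains(type.ToDisplayString());

        // Only dynamically built strings are reported. A plain literal is safe here; a
        // variable holding user input is left to a full data-flow (taint) rule, and
        // string.Format / string.Concat sinks are deliberately out of scope for this example.
        private static void Report(SyntaxNodeAnalysisContext context, ExpressionSyntax text, string sink)
        {
            string how = null;
            if (text is BinaryExpressionSyntax bin && bin.IsKind(SyntaxKind.AddExpression))
                how = "string concatenation";
            else if (text is InterpolatedStringExpressionSyntax interp
                     && interp.Contents.OfType<InterpolationSyntax>().Any())
                how = "string interpolation";
            if (how == null) return;
            context.ReportDiagnostic(Diagnostic.Create(Rule, text.GetLocation(), sink, how));
        }
    }
}
```

Severity is set to Error so that, once the analyzer is in the build, an injected flaw of this shape fails the `dotnet build` step in the acceptance demo before the scan result is even reported back; SonarQube's own quality gate then gives the second, policy-level gate. Unit-testing such a rule against the flagged and clean snippets in the comments (for example with the Microsoft.CodeAnalysis.Testing packages) is the first false-positive control a practitioner would put in place.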
WHAT TO INCLUDE IN YOUR PROPOSAL
- Your approach to custom rule authoring (which tools, what methodology)
- Examples of rules you have written — or willingness to demo against a sample codebase
- CI platform experience (GitHub Actions / Azure DevOps / Jenkins)
- How you handle false positive reduction and tuning
- Similar projects completed
- Estimated timeline to production-ready setup
SKILLS: SonarQube, ASP.NET / ASP.NET Core, C# / .NET, Roslyn analyzers, Semgrep, CI/CD, GitHub Actions, Azure DevOps, Jenkins, Application security, SAST, DevSecOps, Documentation