BinaryFormatter used for (de)serialization
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
BinaryFormatter is explicitly called out by Microsoft as dangerous and unsafe for untrusted data: deserializing attacker-controlled input with it is a well-known path to remote code execution.
Why it matters
Microsoft's own documentation says BinaryFormatter is dangerous and should not be used to process data from any source you do not fully trust, because deserializing a crafted payload with it can execute arbitrary code. It has been the root cause of numerous real-world remote code execution vulnerabilities in .NET applications, which is why the type is being removed entirely in newer .NET versions.
How to fix it
Replace BinaryFormatter with a safe serializer for the data you actually have: System.Text.Json or Newtonsoft.Json for POCOs, protobuf-net or MessagePack for compact binary formats, or DataContractSerializer with a known allow-list of types if you need XML. If you must keep a legacy binary format temporarily, restrict it to data your own process wrote and never deserialize input that crossed a trust boundary.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo