End-to-end .NET application modernization from any .NET Framework version to .NET 10 using HVE Core RPI methodology, security scanning, and AppCAT tooling
This skill orchestrates the complete end-to-end modernization of .NET Framework applications (any version) to .NET 10 using the HVE Core Research-Plan-Implement (RPI) methodology combined with:
This skill automates the complete modernization lifecycle across 8 phases:
Use this skill when:
Do NOT use this skill for:
dotnet-upgrade tool instead)Establish verified truth about the legacy application before planning changes.
@task-researcher agent (HVE Core)appmod-dotnet-run-assessment (AppCAT CLI)A comprehensive 01-legacy-assessment.md document containing:
Executive Summary
Code Inventory
Stored Procedure Analysis
Dependency Analysis
AppCAT Report Integration
@task-researcher Perform a comprehensive analysis of the .NET application in [PATH].
I need a complete inventory for .NET 10 modernization:
1. **Application Profile**:
- Detect .NET Framework version from project files
- Identify application type (ASP.NET MVC, Web Forms, Web API, WPF, WinForms, Console)
- Database backend and connection string management
2. **Code Analysis**:
- All controllers, services, repositories, models
- Dependency injection container used
- Logging and configuration frameworks
- Async/await usage patterns
3. **Stored Procedure Extraction**:
- List all stored procedures in [DB_SCRIPTS_PATH]
- Extract business rules from T-SQL (return prevention, thresholds, state transitions)
- Map each SP to its consuming C# code
- Identify SPs that can be replaced with LINQ vs. those needing domain models
4. **Dependency Inventory**:
- Parse packages.config or .csproj for all NuGet dependencies
- Flag packages with CVEs
- Flag packages with no .NET 10 equivalent
- Suggest modern replacements
5. **Risk Assessment**:
- Breaking changes from .NET Framework → .NET 10
- Third-party dependencies locked to .NET Framework
- Platform-specific APIs (System.Web, Windows identity, registry access)
Output format: Structured markdown with tables and code samples.
After research completes, run AppCAT:
appmod-dotnet-run-assessment --project-path [PATH] --output-format markdown
Merge both outputs into the final assessment document.
Establish security posture BEFORE modernization to measure improvement.
@sechek.security-scanner agentappmod-dotnet-cve-check (NuGet vulnerability scanning)A 02-security-baseline.md report containing:
Executive Summary
Vulnerability Details
Code Security Issues
NuGet Package CVEs
Risk Prioritization
@sechek.security-scanner Perform a deep security analysis of the .NET application in [PATH].
Focus areas:
1. **NuGet Package CVEs**: Scan packages.config and .csproj for all known vulnerabilities
2. **Connection String Security**: Check Web.config, app.config, and environment variables
3. **SQL Injection Patterns**: Find raw SqlCommand usage with string interpolation
4. **Logging PII**: Detect log statements that may expose sensitive data
5. **Authentication/Authorization**: Check Authorize attributes, role checks, claims usage
6. **Cryptography**: Identify weak hash algorithms (MD5, SHA1) or ECB mode usage
Generate a baseline score (0-100) and detailed finding list with remediation guidance.
Also run NuGet CVE check:
appmod-dotnet-cve-check --project-path [PATH] --include-transitive
Create a phased implementation plan that integrates security fixes into the upgrade path.
@task-planner agent (HVE Core)A 03-modernization-plan.md document containing:
Migration Strategy
Step-by-Step Implementation Plan Each step includes:
Stored Procedure Migration Strategy
Security Remediation Integration
Risk Mitigation
@task-planner Create a phased .NET 10 modernization plan for the application assessed in [ASSESSMENT_PATH].
Incorporate security findings from [SECURITY_BASELINE_PATH].
The plan must cover:
1. **Project File Conversion**
- Convert .csproj to SDK-style
- Replace packages.config with PackageReference
- Update target framework to net10.0
- **Security fix**: Remove packages with CVEs listed in [CVE_LIST]
2. **NuGet Package Modernization**
- Replace Autofac → Microsoft.Extensions.DependencyInjection
- Replace log4net → Serilog 9.x with structured logging
- Replace Entity Framework 6.x → EF Core 10.x
- **Security fix**: Upgrade vulnerable packages to patched versions
3. **Configuration Modernization**
- Migrate Web.config → appsettings.json
- Move secrets to User Secrets (dev) and Azure Key Vault (prod)
- **Security fix**: Remove plaintext connection strings (Critical finding #1, #2)
4. **Startup Modernization**
- Global.asax → Program.cs with minimal hosting
- RouteConfig → endpoint routing
- BundleConfig → webpack or Vite
- **Security fix**: Add security headers middleware, HTTPS redirect
5. **Data Access Modernization**
- DbContext from EF6 → EF Core 10
- Replace stored procedures with:
- LINQ queries (for simple CRUD)
- Domain model methods (for business logic)
- Raw SQL (for complex reporting)
- **Security fix**: Eliminate parameterized SQL injection risks (High findings #3-6)
6. **Async/Await Refactoring**
- Convert all I/O-bound operations to async
- Update controller actions to return Task<IActionResult>
- Update repository interfaces to async signatures
7. **Test Coverage**
- Extract stored procedure business logic to testable C# methods
- Write unit tests covering ALL business rules
- Write integration tests for repository layer
8. **Security Re-Validation**
- Re-run sec-check scan
- Compare before/after scores
- Verify all Critical and High findings resolved
For each step, list:
- Files changed
- Which security findings it resolves (by ID)
- Estimated hours
- Validation steps
Execute the modernization plan, transforming code to .NET 10.
@rpi-agent (HVE Core)/explain, /fix, /tests commandsappmod-dotnet-build-project for validationA complete modernized application in a modernized/ directory containing:
Project Structure (SDK-style)
modernized/
├── src/[AppName]/
│ ├── [AppName].csproj ← SDK-style, net10.0
│ ├── Program.cs ← Minimal hosting
│ ├── appsettings.json ← No secrets
│ ├── appsettings.Development.json
│ ├── Models/
│ ├── Data/
│ │ └── AppDbContext.cs ← EF Core 10
│ ├── Repositories/
│ ├── Services/
│ └── Controllers/
└── tests/[AppName].Tests/
└── [AppName].Tests.csproj
Key Transformations
Configuration:
// Before (Web.config)
<connectionStrings>
<add name="DefaultConnection" connectionString="Server=...;Password=secret" />
</connectionStrings>
// After (Program.cs with User Secrets)
builder.Configuration.AddUserSecrets<Program>();
builder.Services.AddDbContext<AppDbContext>(options =>
options.UseSqlServer(builder.Configuration.GetConnectionString("DefaultConnection")));
Dependency Injection:
// Before (Global.asax with Autofac)
var builder = new ContainerBuilder();
builder.RegisterType<CatalogService>().As<ICatalogService>();
var container = builder.Build();
DependencyResolver.SetResolver(new AutofacDependencyResolver(container));
// After (Program.cs)
builder.Services.AddScoped<ICatalogService, CatalogService>();
Stored Procedure Extraction:
// Before (ADO.NET in service layer)
public void UpdateInventory(int id, int quantity) {
var cmd = new SqlCommand("EXEC sp_UpdateInventory @Id, @Qty", conn);
cmd.Parameters.AddWithValue("@Id", id);
cmd.Parameters.AddWithValue("@Qty", quantity);
cmd.ExecuteNonQuery();
}
// After (Domain model + EF Core)
public class CatalogItem {
public InventoryUpdateResult AdjustStock(int quantityChange) {
// RULE 1: Prevent negative stock
if (AvailableStock + quantityChange < 0)
throw new InvalidOperationException("Insufficient stock");
// RULE 2: Prevent exceeding max threshold
if (AvailableStock + quantityChange > MaxStockThreshold)
throw new InvalidOperationException("Exceeds max threshold");
// RULE 3: Auto-manage OnReorder flag
AvailableStock += quantityChange;
if (AvailableStock < RestockThreshold)
OnReorder = true;
return new InventoryUpdateResult {
NewStock = AvailableStock,
OnReorder = OnReorder
};
}
}
// Usage in service
public async Task UpdateStockAsync(int id, int quantity) {
var item = await _context.CatalogItems.FindAsync(id);
item.AdjustStock(quantity);
await _context.SaveChangesAsync();
}
Security Enhancements
HTTPS Enforcement:
if (app.Environment.IsProduction()) {
app.UseHsts();
app.UseHttpsRedirection();
}
Security Headers Middleware:
app.Use(async (context, next) => {
context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
context.Response.Headers.Add("X-Frame-Options", "DENY");
context.Response.Headers.Add("X-XSS-Protection", "1; mode=block");
await next();
});
Structured Logging (No PII):
// Before (log4net)
log.Info($"User {email} logged in from {ipAddress}");
// After (Serilog with redaction)
_logger.LogInformation("User logged in from {IPAddress}",
RedactIPAddress(ipAddress));
Setup: Create new modernized/ directory structure
dotnet new sln -n [AppName]Modernized
dotnet new mvc -n [AppName] -o src/[AppName] -f net10.0
dotnet new xunit -n [AppName].Tests -o tests/[AppName].Tests -f net10.0
dotnet sln add src/[AppName] tests/[AppName].Tests
Migrate Project Files: Use @rpi-agent to convert packages.config to PackageReference
Migrate Configuration: Convert Web.config to appsettings.json, extract secrets
Migrate Startup: Combine Global.asax, RouteConfig, FilterConfig into Program.cs
Migrate Data Access:
Add Security Middleware: HTTPS, headers, logging, health checks
Build and Validate:
appmod-dotnet-build-project --project-path modernized/src/[AppName]
Re-scan the modernized application and prove security improvements.
@sechek.security-scannerappmod-dotnet-cve-checkA 05-security-comparison.md report containing:
Side-by-Side Comparison
| Metric | Before | After | Change |
|---|---|---|---|
| Total Findings | 14 | 1 | -93% |
| Critical | 2 | 0 | -100% |
| High | 4 | 0 | -100% |
| Medium | 5 | 1 | -80% |
| Low | 3 | 0 | -100% |
| Security Score | 38/100 | 92/100 | +142% |
Resolved Findings
Remaining Findings
New Capabilities
@sechek.security-scanner Re-scan the modernized application in [MODERNIZED_PATH].
Use the same scan parameters as the baseline scan.
After scanning, create a comparison report showing:
1. How many findings were resolved
2. Before/after code snippets proving resolution
3. Any new findings introduced (there should be none)
4. Updated security score
Reference the baseline report at [BASELINE_PATH] for comparison.
Also run:
appmod-dotnet-cve-check --project-path modernized/src/[AppName] --compare-to legacy/
Prove business logic preservation through comprehensive unit tests.
appmod-dotnet-run-test/tests commandA complete test suite in tests/[AppName].Tests/ containing:
Domain Model Tests — Unit tests for extracted stored procedure logic
Example:
[Fact]
public void AdjustStock_SaleExceedsStock_ThrowsInvalidOperation()
{
// Arrange: Item has 10 units
var item = new CatalogItem { AvailableStock = 10 };
// Act & Assert: Selling 11 units should throw
var act = () => item.AdjustStock(-11);
act.Should().Throw<InvalidOperationException>()
.WithMessage("Insufficient stock");
}
Repository Tests — Integration tests with EF Core InMemory provider
Service Tests — End-to-end tests orchestrating domain + persistence
Test Mapping Documentation
Generate comprehensive unit tests for the domain models extracted from stored procedures.
For each stored procedure business rule in [ASSESSMENT_PATH], create:
1. A unit test validating the happy path
2. Unit tests for each edge case and validation rule
3. Tests proving error handling matches the original SP behavior
Use:
- xUnit as the test framework
- FluentAssertions for readable assertions
- Moq for mocking dependencies
- EF Core InMemory provider for repository tests
Example test structure:
```csharp
public class CatalogItemInventoryTests
{
[Fact]
public void AdjustStock_ValidRestock_UpdatesStockAndClearsOnReorder() { }
[Fact]
public void AdjustStock_SaleExceedsStock_ThrowsException() { }
[Fact]
public void AdjustStock_StockDropsBelowThreshold_SetsOnReorderTrue() { }
}
Generate test classes for all domain models with extracted business logic.
Run tests:
```bash
appmod-dotnet-run-test --project-path tests/[AppName].Tests --coverage
Create visual documentation showing the before/after transformation.
A 07-architecture-documentation.md document with embedded Mermaid diagrams:
Before/After Architecture Comparison
graph TB
subgraph "Before - .NET Framework 4.7.2"
A[IIS] --> B[ASP.NET MVC]
B --> C[Autofac DI]
C --> D[EF6]
C --> E[ADO.NET]
E --> F[(Stored Procedures)]
D --> F
end
subgraph "After - .NET 10"
G[Kestrel] --> H[ASP.NET Core]
H --> I[Built-in DI]
I --> J[EF Core 10]
J --> K[(Domain Models)]
end
Stored Procedure Migration Flowchart
Data Flow Sequence Diagrams
Dependency Graph
Security Posture Comparison
State Machine Diagrams
Create comprehensive architecture documentation with Mermaid diagrams showing the .NET modernization transformation.
Include:
1. **System Architecture Comparison**: Before/after diagrams showing:
- Web server (IIS → Kestrel)
- Framework (ASP.NET → ASP.NET Core)
- DI container (Autofac → built-in)
- ORM (EF6 → EF Core 10)
- Data access (ADO.NET + SPs → LINQ + domain models)
2. **Stored Procedure Migration Map**: Flowchart showing:
- Each SP name
- Its business purpose
- Target C# implementation (LINQ query, domain method, or raw SQL)
- Complexity score (1-5)
3. **Authentication/Authorization Flow**: If applicable, show changes in auth patterns
4. **Deployment Architecture**:
- Before: IIS on-prem
- After: Azure App Service / Container Apps / AKS options
5. **Data Model**: Entity relationship diagrams for EF Core entities
6. **Security Improvements**: Visual comparison of baseline vs. validation scores
Use Mermaid syntax for all diagrams. Make them renderable in GitHub and VS Code.
Provide actionable deployment options with architecture diagrams and cost estimates.
A 08-deployment-plan.md document containing:
Deployment Options Overview
Architecture Diagrams for Each Option
graph LR
subgraph "Option B: Azure App Service"
A[Azure Front Door] --> B[App Service]
B --> C[Azure SQL Database]
B --> D[Azure Key Vault]
B --> E[Application Insights]
end
Decision Matrix
| Criteria | On-Prem IIS | App Service | Container Apps | AKS |
|---|---|---|---|---|
| Ops Complexity | High | Low | Medium | High |
| Scalability | Manual | Auto | Auto | Auto |
| Cost (monthly) | Variable | $385 | $512 | $889 |
| Skills Required | IIS, Windows | Azure basics | Containers | K8s |
| Time to Deploy | 2 weeks | 3 days | 1 week | 4 weeks |
Migration Phases
Cost Analysis
GitHub Actions CI/CD Pipeline
Rollback Strategy
Create a deployment planning document for the modernized .NET 10 application.
Include:
1. **Four Deployment Options**:
- Detailed architecture diagram for each
- Pros/cons comparison table
- Cost estimates (monthly)
- Deployment complexity rating
2. **Recommended Path**: Start with Azure App Service, evolve to containers/microservices
3. **Phased Migration Timeline**:
- Phase 1: Lift-and-shift to App Service (3 days)
- Phase 2: Containerize (1 week)
- Phase 3: Decompose to microservices (2-3 months)
4. **Infrastructure as Code**: Bicep or Terraform templates for each option
5. **CI/CD Pipeline**: GitHub Actions workflow covering:
- Build and test
- Security scanning (sec-check integration)
- Deploy to dev/staging/prod
- Automated rollback on failure
6. **Monitoring Strategy**:
- Application Insights for telemetry
- Azure Monitor for infrastructure
- Log Analytics for security audit
- Alerts for error rate, latency, availability
7. **Cost Breakdown**:
- Compute costs
- Database costs
- Storage costs
- Networking costs
- Total monthly estimate per option
Use the Azure Pricing Calculator for accurate estimates.
Here's a full end-to-end invocation example for a typical .NET Framework 4.7.2 application:
appmod-dotnet-install-appcat
@task-researcher Analyze the .NET application in ./legacy/MyApp/src/
Create a comprehensive assessment covering:
- Application type and .NET Framework version
- All controllers, services, models
- All stored procedures in ./legacy/MyApp/database/StoredProcedures/
- NuGet dependencies from packages.config
- Recommended upgrade path to .NET 10
Save output to ./docs/01-legacy-assessment.md
After Copilot completes:
appmod-dotnet-run-assessment --project-path ./legacy/MyApp/src/MyApp.Web/ --output ./docs/appcat-report.md
Merge both reports into 01-legacy-assessment.md.
@sechek.security-scanner Deep scan the ./legacy/MyApp/src/ application.
Focus on:
- NuGet package CVEs
- Connection string exposure in Web.config
- SQL injection patterns
- Logging PII
Generate a security score and save to ./docs/02-security-baseline.md
Also run:
appmod-dotnet-cve-check --project-path ./legacy/MyApp/src/MyApp.Web/ --include-transitive
@task-planner Create a phased .NET 10 upgrade plan referencing:
- Assessment: ./docs/01-legacy-assessment.md
- Security baseline: ./docs/02-security-baseline.md
Each step must:
- Describe what changes
- List which security findings it resolves
- Include validation criteria
Save to ./docs/03-modernization-plan.md
@rpi-agent Execute the modernization plan in ./docs/03-modernization-plan.md
Create a new ./modernized/ directory with a .NET 10 application that:
1. Uses SDK-style project files
2. Replaces all stored procedures with C# domain models or LINQ queries
3. Uses built-in DI instead of Autofac
4. Uses EF Core 10 instead of EF6
5. Removes all secrets from source code (use User Secrets)
6. Adds security headers middleware
7. Includes health check endpoints
Verify the build succeeds:
After code generation:
appmod-dotnet-build-project --project-path ./modernized/src/MyApp/
@sechek.security-scanner Re-scan ./modernized/src/ and compare to baseline.
Create a comparison report in ./docs/05-security-comparison.md showing:
- How many findings were resolved
- Before/after code snippets
- New security score
Also:
appmod-dotnet-cve-check --project-path ./modernized/src/MyApp/ --compare-to ./legacy/MyApp/src/MyApp.Web/
Generate a complete test suite in ./modernized/tests/MyApp.Tests/ covering:
- All business rules extracted from stored procedures
- Repository layer integration tests
- Service layer orchestration tests
Use xUnit, FluentAssertions, and EF Core InMemory.
Run tests:
appmod-dotnet-run-test --project-path ./modernized/tests/MyApp.Tests/ --coverage
Create comprehensive architecture documentation with Mermaid diagrams in ./docs/07-architecture-documentation.md showing:
- Before/after system architecture
- Stored procedure migration map
- Data flow comparisons
- Security posture improvement
Create a deployment planning document in ./docs/08-deployment-plan.md with:
- Four deployment options (IIS, App Service, Container Apps, AKS)
- Architecture diagrams for each
- Cost estimates
- Phased migration timeline
- CI/CD pipeline template
Solution: Run appmod-dotnet-install-appcat before assessment phase.
Solution: Ensure sec-check tools are installed:
# Check available scanners
cd sec-check
python -m agentsec.cli --list-skills
# Install missing tools (example for Trivy)
choco install trivy # Windows
brew install trivy # macOS/Linux
Solution: Run diagnostics:
appmod-dotnet-build-project --project-path ./modernized/src/MyApp/ --verbose
Common issues:
Solution:
Solution:
Track these metrics to measure modernization success:
| Metric | Target | How to Measure |
|---|---|---|
| Security Score Improvement | +50 points | Compare Phase 2 vs Phase 5 reports |
| CVE Reduction | 90%+ resolved | Count baseline CVEs vs. post-migration |
| Test Coverage | >80% | Run appmod-dotnet-run-test --coverage |
| Build Time Reduction | 30-50% faster | Compare legacy vs. modernized build times |
| Stored Procedures Eliminated | 100% | Count SPs in legacy vs. modernized |
| Code Quality Score | Improved | Use SonarQube or CodeQL analysis |
| Deployment Automation | <10 min deploy | CI/CD pipeline execution time |
| Version | Date | Changes |
|---|---|---|
| 1.0.0 | 2026-03-05 | Initial release with full 8-phase workflow |
🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.