Start with profiles/brownfield-adoption.editorconfig when introducing the analyzer to an existing codebase. Move to profiles/default.editorconfig once the high-confidence warnings are understood.
- Add the analyzer package without changing build gates.
- Copy
profiles/brownfield-adoption.editorconfiginto the repository or import its severities into the existing.editorconfig. - Review
HCR040,HCR041,HCR060,HCR061,HCR062,HCR063,HCR064,HCR081,HCR082,HCR083, andHCR084first. These are intentionally kept visible in the brownfield profile because they point at retry and request/response-handling risks that can create incidents. - Fix or explicitly suppress existing findings with a reason.
- Move to
profiles/default.editorconfigonce new warnings are actionable for the team. - Use
profiles/strict-ci.editorconfigonly after the current warning baseline is clean.
Prefer fixing high-confidence findings over bulk suppressing them. When a warning is intentionally accepted, keep the suppression close to the code and explain the production reason:
#pragma warning disable HCR041 // Endpoint uses idempotency keys and is safe to retry.
services.AddHttpClient<PaymentsClient>()
.AddStandardResilienceHandler();
#pragma warning restore HCR041For large services, start with HCR041, HCR060, HCR061, HCR062, HCR063, HCR064, HCR081, HCR082, HCR083, and HCR084 in the most critical outbound paths, then work through lifetime and DI findings.
Use the rules index when assigning cleanup work by category or rollout priority.