missing-or-broken-authorization is not consistent #3665

@jrmnl

Describe the bug

Security rule: csharp/dotnet/security/audit/missing-or-broken-authorization.yaml

Description: Anonymous access shouldn't be allowed unless explicit by design. Access
control checks are missing and potentially can be bypassed. This finding violates
the principle of least privilege or deny by default, where access should only
be permitted for a specific set of roles or conforms to a custom policy or users.

Currently, the rule passes if:

  1. [AllowAnonymous] is present — anonymous access is explicitly allowed by design.
  2. [Authorize(Roles = ...)] or [Authorize(Policy = ...)] — access is explicitly restricted based on roles or policies.
  3. [Authorize] — no specific rule is provided, but assumes the user is authenticated by default.

However, if [Authorize(AuthenticationSchemes = "Basic")] is used, it does not pass — even though it is essentially the same as [Authorize], just with an explicit authentication scheme defined.

To Reproduce

```csharp
using Microsoft.AspNetCore.Authorization; // needed for [Authorize]
using Microsoft.AspNetCore.Mvc;

[Authorize(AuthenticationSchemes = "Basic")]
public class MyController : Controller
{
}
```

Expected behavior
Either [Authorize(AuthenticationSchemes = "...")] should be treated the same as [Authorize] and pass the rule, or [Authorize] should also not pass (for consistency).

Priority
How important is this to you?

  • P0: blocking me from making progress
  • P1: this will block me in the near future
  • P2: annoying but not blocking me
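As an added illustration (not code from the issue, the semgrep rule, or the ASP.NET Core project), a small Python checker that applies the consistent treatment the report asks for: [AllowAnonymous] is an explicit design decision, and every [Authorize...] form, including AuthenticationSchemes=, counts the same as a bare [Authorize]. The C# controller source it scans is constructed for the example.

```python
import re

# Constructed ASP.NET Core controller declarations (not from the issue) covering the
# three cases the report says pass, the AuthenticationSchemes case it says is
# rejected, and one controller with no access-control attribute at all.
CONSTRUCTED_SOURCE = """
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[AllowAnonymous]
public class PublicController : Controller { }

[Authorize(Roles = "Admin,Auditor")]
public class AdminController : Controller { }

[Authorize]
public class DefaultController : Controller { }

[Authorize(AuthenticationSchemes = "Basic")]
public class BasicController : Controller { }

[ApiController, Route("api/open")]
public class OpenController : ControllerBase { }
"""

# Attribute lists directly preceding a controller class declaration.
_DECL = re.compile(r"((?:\[[^\]]*\]\s*)*)public\s+class\s+(\w+)\s*:\s*Controller(?:Base)?\b")
# One attribute inside a list: its name plus an optional argument list.
_ATTR = re.compile(r"(\w+)(?:\s*\([^)]*\))?")

def is_access_controlled(attr_names):
    """[AllowAnonymous] is an explicit design decision; every [Authorize...] form
    (bare, Roles=, Policy=, AuthenticationSchemes=) counts like a bare [Authorize]."""
    stripped = [n[:-9] if n.endswith("Attribute") else n for n in attr_names]
    return any(n in ("Authorize", "AllowAnonymous") for n in stripped)

def audit_controllers(source):
    """Map each controller class name to whether it carries an access-control attribute."""
    verdicts = {}
    for m in _DECL.finditer(source):
        names = [a.group(1) for a in _ATTR.finditer(m.group(1))]
        verdicts[m.group(2)] = is_access_controlled(names)
    return verdicts

def find_missing_authorization(source):
    """Names of controllers the rule should report, in source order."""
    return [name for name, ok in audit_controllers(source).items() if not ok]

if __name__ == "__main__":
    for name, ok in audit_controllers(CONSTRUCTED_SOURCE).items():
        print(f"{name}: {'ok' if ok else 'missing-or-broken-authorization'}")
```

Only OpenController is reported; the Basic-scheme controller is treated exactly like the bare [Authorize] one.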
