NuGet Vulnerability Scan

DrMueller2

Scans NuGet dependencies of project files for vulnerabilities

Features

Scans the NuGet dependencies of the found project files via dotnet list ${projectPath} package --vulnerable --include-transitive. The task fails if any of the found projects contains warnings at one of the following levels:

  • Critical
  • High
  • Moderate

NEW:

  • Failing task if no projects found
  • Parallelizing check for performance

.NET Framework

Because the project structure changed between .NET Framework and .NET Core, this task doesn't work out of the box with .NET Framework projects. However, you can use the script from Bas Litjten and the description here to prepare a csproj file, which can then be used by the vulnerability scan task.

Configuration

Path to project(s)

A glob pattern to the respective projects.

Include transitive dependencies

Defines whether the scan also checks the transitive dependencies.

Threshold for failure

Defines the threshold at which the task should fail.
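
The gate described under Features and Threshold for failure, sketched as an added Python example (not the extension's own code): it parses the text report of dotnet list package --vulnerable and fails when any package is at or above the threshold. The sample report, package names, advisory URLs and function names are constructed for illustration.

```python
import re

# NuGet advisory severities, lowest to highest.
SEVERITIES = ["Low", "Moderate", "High", "Critical"]

# Constructed sample of `dotnet list <project> package --vulnerable --include-transitive` output.
SAMPLE_OUTPUT = """\
Project `Web` has the following vulnerable packages
   [net8.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > Example.Json         12.0.1      12.0.1     High       https://example.invalid/advisory/1

   Transitive Package     Resolved   Severity   Advisory URL
   > Example.Http         4.3.0      Low        https://example.invalid/advisory/2
   > Example.Regex        4.3.0      Moderate   https://example.invalid/advisory/3

The given project `Lib` has no vulnerable packages given the current sources.
"""

PROJECT_RE = re.compile(r"^Project `(?P<name>[^`]+)` has the following vulnerable packages")
# Package rows start with ">"; severity is the column just before the advisory URL.
ROW_RE = re.compile(
    r"^\s*>\s+(?P<pkg>\S+)\s+.*?(?P<sev>Low|Moderate|High|Critical)\s+(?P<url>\S+)\s*$"
)


def parse_findings(output):
    """Return (project, package, severity) tuples from the text report."""
    findings, project = [], None
    for line in output.splitlines():
        m = PROJECT_RE.match(line)
        if m:
            project = m.group("name")
            continue
        m = ROW_RE.match(line)
        if m and project:
            findings.append((project, m.group("pkg"), m.group("sev")))
    return findings


def should_fail(findings, threshold="Moderate"):
    """True when any finding is at or above the threshold severity."""
    floor = SEVERITIES.index(threshold)
    return any(SEVERITIES.index(sev) >= floor for _, _, sev in findings)


if __name__ == "__main__":
    found = parse_findings(SAMPLE_OUTPUT)
    for project, pkg, sev in found:
        print(f"{project}: {pkg} [{sev}]")
    raise SystemExit(1 if should_fail(found) else 0)
```

Transitive rows are gated the same way as top-level ones, which is why scanning without transitive dependencies can let a vulnerable indirect package through.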

Contributing

If you have any questions, fixes or enhancements, please create a pull request or an issue on GitHub.

History

Please see the commit history.

License

This software is released under MIT License.
