Overview

The .NET Core List Packages Check task validates NuGet packages in your .NET projects by running dotnet list package commands during your build pipeline. It helps identify security vulnerabilities, deprecated packages, and outdated dependencies before they reach production.

In a CI environment this task can be helpful to detect included NuGet packages that might pose an issue.

Depending on configuration this can block the build pipeline whether you choose it or not.

Prerequisites

This extension supports Azure DevOps Server 2019 and Azure Devops Online.

Video

A comprehensive video demonstration of this extension is available at https://l.samayas.eu/8HKbSI5zmc?P=AMP

How to use

After installing the extension, add the .NET Core List Packages Check task to a new or existing build definition.

Once you've added the .NET Core List Packages Check you should have the following:

Once you've added the task to your Build pipeline you need to configure your individual task.

Inside your task configuration you have 2 distinct blocks that are important:

• The Scope Coverage determines what is scanned.
• The Scan Type determines what type of scan is executed.

Scope Coverage

Under the Scope Coverage in essence you define on what the task is executed.

• Solution scans the whole solution in the source folder of your pipeline.
• Project scans only the specified project in your source folder of your pipeline.

When having selected the Project scope an extra field will be available to enter the specified project.

The underlying command only supports solution or project and you can't have multiple projects scanned.

Scan Type

In the Scan Type you determine what type of scan is executed

• Vulnerabilities: Detects packages with known security vulnerabilities.
• Depricated: Finds packages that have been deprecated by their authors.
• OutDated: Identifies packages with newer versions available.

Each of these scan types are distinct and if you need a multitude you need to add this task multiple times.

Enable Transitive Package Checks

• When enabled (default), scans both direct and transitive (indirect) dependencies.
• When disabled, only scans packages directly referenced in your project files

Build Behavior

The task affects your pipeline outcome based on what it finds:

• Direct Issues Found : Build fails with an error message and references the log files.
• Transitive Issues Found : Build succeeds with warnings (SucceedWithIssues status).
• **No Issues Found: Build continues normally with a success message.

Output Artifacts

All scan results are saved to the pipeline workspace under nuget-audit:

Depending on wheter the Transitive scan is enabled or not this task will generate 2 or 4 files as output

• direct.log : Human-readable output for direct package scan
• direct.json : JSON output for direct package scan
• include-transitive.log : Human-readable output including transitive packages (when enabled)
• include-transitive.json : JSON output including transitive packages (when enabled)

If you choose to afterwards this can be added as an artifact on the build.

Target

The goal of this add-in is to detect potential issues with included Nuget packages.

Version History

Version 1.0 Initial Version