NuGet Vulnerability Scan

Build extension to run dotnet list package --vulnerable and fail the build on found vulnerabilities.

NOTE Only works with .NET 5 and later.

How to use

After installing the extension it will be available as a build task to add to your build pipelines.

After adding the task to a build pipeline you have to configure the task by setting the working directory in which to scan for vulnerabilities, and the minimum level the task will fail at. The default level is set to High.

To add the task to a pipeline, the following options exist.

- task: NuGetVulnerabilityScan@1
  inputs:
    path: '${Build.SourcesDirectory}'
    transitive: true
    level: 'high'

Variable	Required	Description
`path`	Yes	The path where to run the `dotnet list package` command
`transitive`	No	If transitive dependencies should be scanned, default is `false`
`level`	Yes	Which level a build will break on if found. Available options are `low`, `moderate`, `high` and `critical`

Jonas Stjernström

How to use