NuGet Vulnerability Scan

Build extension to run dotnet list package --vulnerable or dotnet list package --deprecated and fail the build on found vulnerabilities or deprecated packages.

NOTE Only works with .NET 5 and later.

How to use

After installing the extension it will be available as a build task to add to your build pipelines.

After adding the task to a build pipeline you have to configure the task by setting the working directory in which to run the scan.

To add the task to a pipeline, the following options exist.

- task: NuGetVulnerabilityScan@1
  inputs:
    type: 'vulnerable'
    path: '${Build.SourcesDirectory}'
    transitive: true
    level: 'high',
    warning: false

Variable	Required	Description
`type`	No	Scan type. Available options are `vulnerable` and `deprecated`, default is `vulnerable`
`path`	Yes	The path where to run the `dotnet list package` command
`transitive`	No	If transitive dependencies should be scanned, default is `false`
`level`	No	Which level a build will break on if vulnerabilities are found. Available options are `low`, `moderate`, `high` and `critical`, default is `high`
`warning`	No	Should findings be treated as warnings, default is `false`

Jonas Stjernström

How to use