An MSBuildTask that checks for known vulnerabilities. Inspired by OWASP SafeNuGet.

Docs

View the full documentation for NuGetDefense here

4.x preview documentation can be found by running dotnet /path/to/NuGetDefense.dll -?

Features

• Uses Multiple Sources to check for known vulnerabilities in third-party libraries (NuGet packages)
  • OSS Index
  • National Vulnerability Database (Optionally Self-Updating)
    • This product uses the NVD API but is not endorsed or certified by the NVD.
  • GitHub Security Advisory Database
• Simple installation/configuration: the NuGet Package is all you need.
• dotnet Global Tool for those who want to run it manually or just in the CI
• Transitive Dependency Checking
  • SDK style projects only (older project format is not supported by the dotnet cli)
  • Uses the versions resolved by the dotnet cli at build
• Project Reference Scanning
  • Scan all projects in a hierarchy by installing NuGet Defense to the top level package
• Allow breaking the build based on severity of vulnerability.
• Ignore specific vulnerabilities/packages.
• Sensitive/Internal Packages filtering
  • Don't send packages that are sensitive/internal to remote vulnerability sources
• Caching to prevent excess calls and hitting rate limits on API's
• Blocklisting NuGet Packages
• Allowlisting NuGet Packages
• MIT Licensed
  • Consumable NuGet packages for bundling NuGetDefense scanners into your own software

Requirements

• NuGetDefense v3.x is built only in .Net 6.0 so you will need the runtime/SDK installed.
• NuGetDefense v4.x is built only in .Net 8.0 so you will need the runtime/SDK installed.

Unsupported Versions

• Official Support follows support for the underlying framework.
• Supporters can request support of unsupported versions (such as v2.x running on .Net 5) but are advised to use a supported runtime (for better overall security)
  • older .Net projects can use 4.x as long as the .Net 8 runtime is installed.

How does it work?

NuGetDefense is a bundled dotnet tool that runs using an MSBuild ExecTask after your project finishes building.

Love it? Support it

You can sponsor this project on Github and Patreon. The funds will be used to pay for software licenses and cloud/hardware costs that keep my projects running.