An MSBuildTask that checks for known vulnerabilities. Inspired by OWASP SafeNuGet.
- SafeNuGet hasn't seen a new commit in years and isn't able to keep up with vulnerable packages.
- SafeNuGet doesn't have a license (at all).
- A pure MSBuild task should not use dependencies and cannot get the desired results without them.
- Uses Multiple Sources to check for known vulnerabilities in third-party libraries (NuGet packages)
- OSS Index
- National Vulnerability Database (Optionally Self-Updating)
- Simple installation/configuration: the NuGet Package is all you need.
- Checks dependencies of installed packages based on the target framework.
- Allow breaking the build based on severity of vulnerability.
- Ignore specific vulnerabilities/packages.
- Blacklisting NuGet Packages
- Whitelisting NuGet Packages
- MIT Licensed
Currently NuGetDefense is built only in .Net Core 3.1 so you will need the runtime/SDK installed.
NuGetDefense is a bundled dotnet tool that runs using an MSBuild ExecTask after your project finishes building.
You can sponsor this project on Github and Patreon. The funds will be used to pay for software licenses and cloud/hardware costs that keep my projects running.
