Check NuGet packages for vulnerabilities in your Azure DevOps build pipeline
When working with .NET projects, keeping dependencies secure is crucial. One simple way to catch vulnerable NuGet packages early is to integrate a vulnerability scan directly into your Azure DevOps build pipeline. Here's a Bash task you can include in your YAML file:
- task: Bash@3
  displayName: check nuget vulnerabilities
  inputs:
    targetType: 'inline'
    script: |
      RED='\033[0;31m'
      GREEN='\033[0;32m'
      NC='\033[0m' # No Color
      # Run the scan and keep a copy of its output in build.log
      dotnet list package --vulnerable | tee build.log
      # If the scan itself failed (e.g. restore error), do not let the gate pass silently
      if [ "${PIPESTATUS[0]}" -ne 0 ]; then
        echo -e "${RED}dotnet list package failed, see build.log${NC}"
        exit 1
      fi
      echo "Analyze dotnet list package command log output..."
      # Any severity keyword in the output means at least one vulnerable package was reported
      if grep -q "Critical\|High\|Moderate\|Low" build.log; then
        echo -e "${RED}Security vulnerabilities found!${NC}"
        exit 1
      else
        echo -e "${GREEN}No security vulnerabilities found.${NC}"
        exit 0
      fi
How it works
- dotnet list package --vulnerable scans your solution for packages with known vulnerabilities.
- Output is saved to build.log for inspection.
- A grep checks the log for severity indicators.
- If any vulnerabilities are found, the script fails the build to stop insecure deployments.
This is a very simple security gate that results in fast feedback.
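As an added example (not code from the original post), here is the same gate written to read only the Severity column of the dotnet list package --vulnerable --include-transitive output, so a package name that happens to contain a word like "High" cannot trip it, transitive dependencies are covered, and the build fails only at or above a severity threshold you choose. The sample output below is constructed to match the command's table layout; package names, versions and advisory URLs are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): read only the Severity column of
# `dotnet list package --vulnerable --include-transitive` output and fail at or
# above a chosen threshold, instead of grepping the whole log for severity words.
# Constructed sample output shaped like the real command's table; package names,
# versions and advisory URLs are placeholders.
SAMPLE_LOG='The following sources were used:
   https://api.nuget.org/v3/index.json

Project `Example.Api` has the following vulnerable packages
   [net8.0]:
   Top-level Package            Requested   Resolved   Severity   Advisory URL
   > Example.HighPerf.Logging   1.0.0       1.0.0      Low        https://github.com/advisories/GHSA-xxxx-xxxx-xxxx

   Transitive Package           Resolved   Severity   Advisory URL
   > Example.Transitive.Parser  2.3.0      High       https://github.com/advisories/GHSA-yyyy-yyyy-yyyy
'
# Map a severity name to a rank so a threshold can be compared numerically.
severity_rank() {
  case "$1" in
    Critical) echo 4 ;;
    High)     echo 3 ;;
    Moderate) echo 2 ;;
    Low)      echo 1 ;;
    *)        echo 0 ;;
  esac
}
# Print "package severity" for each vulnerable row (lines whose first field is ">").
# Severity is always the field before the Advisory URL, so $(NF-1) works for both
# top-level rows (Requested + Resolved) and transitive rows (Resolved only).
vulnerable_rows() {
  printf '%s\n' "$1" | awk '$1 == ">" { print $2, $(NF-1) }'
}
# Return 1 (fail the build) if any row is at or above threshold $2 (default Moderate).
check_vulnerabilities() {
  log="$1"; min=$(severity_rank "${2:-Moderate}"); failed=0
  while read -r pkg sev; do
    [ -z "$pkg" ] && continue
    if [ "$(severity_rank "$sev")" -ge "$min" ]; then
      echo "FAIL: $pkg ($sev)"; failed=1
    else
      echo "info: $pkg ($sev) is below the threshold"
    fi
  done <<EOF
$(vulnerable_rows "$log")
EOF
  return $failed
}
# Stand-alone demo: the High transitive row is at or above Moderate, so the gate fails.
if check_vulnerabilities "$SAMPLE_LOG" Moderate; then echo "gate: pass"; else echo "gate: FAIL (exit 1 in the pipeline)"; fi
```

In the pipeline task you would replace SAMPLE_LOG with the captured output of the real command and call check_vulnerabilities with the threshold your team agrees on.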