Tags: Azure DevOps

Check NuGet packages for vulnerabilities in your Azure DevOps build pipeline

When working with .NET projects, keeping dependencies secure is crucial. One simple way to catch vulnerable NuGet packages early is to integrate a vulnerability scan directly into your Azure DevOps build pipeline. Here's a Bash task you can include in your pipeline YAML file:

  - task: Bash@3
    displayName: check nuget vulnerabilities
    inputs:
      targetType: 'inline'
      script: |
        # Fail the step if dotnet itself errors (e.g. restore failed); without pipefail,
        # tee would hide that exit code and an empty log would pass as "no vulnerabilities".
        set -eo pipefail
        RED='\033[0;31m'
        GREEN='\033[0;32m'
        NC='\033[0m' # No Color
        # Needs a restored solution. Add --include-transitive to also report
        # vulnerable transitive dependencies, not only directly referenced packages.
        dotnet list package --vulnerable | tee build.log
        echo "Analyze dotnet list package command log output..."
        # Match any of the severity values the tool prints in its Severity column.
        if grep -qE 'Critical|High|Moderate|Low' build.log; then
          echo -e "${RED}Security vulnerabilities found!${NC}"
          exit 1
        else
          echo -e "${GREEN}No security vulnerabilities found.${NC}"
          exit 0
        fi

How it works

  • dotnet list package --vulnerable scans your solution for packages with known vulnerabilities.
  • Output is saved to build.log for inspection.
  • A grep checks the log for the severity values the tool reports (Critical, High, Moderate, Low).
  • If any vulnerabilities are found, the script fails the build to stop insecure deployments.

This is a very simple security gate that gives fast feedback.
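Because the grep above matches the severity words anywhere in build.log, a project or package name such as "Demo.LowLatency" would also fail the build. The script below is an added example, not code from the original post: it inspects only the Severity column of package rows and lets you choose the severity at which the build fails. The sample logs are constructed and assumed to mimic the tool's text layout.

```shell
#!/usr/bin/env bash
# Added example: a severity-aware gate for `dotnet list package --vulnerable` output.
# Only the Severity column of package rows (lines starting with ">") is inspected,
# so a project or package name that happens to contain "Low" or "High" cannot trip it.
set -eu

severity_rank() {               # map a severity word to a rank; anything else is 0
  case "$1" in
    Critical) echo 4 ;; High) echo 3 ;; Moderate) echo 2 ;; Low) echo 1 ;; *) echo 0 ;;
  esac
}
max_severity_in_log() {         # highest rank among package rows in a log file (0 if none)
  local log="$1" max=0 rank first rest field
  while read -r first rest; do
    [ "$first" = ">" ] || continue          # skip sources, headers and summary lines
    for field in $rest; do
      rank=$(severity_rank "$field")
      if [ "$rank" -gt "$max" ]; then max=$rank; fi
    done
  done < "$log"
  echo "$max"
}
vulnerability_gate() {          # 0 (pass) when nothing reaches the threshold, else 1
  local max; max=$(max_severity_in_log "$1")
  [ "$max" -lt "$(severity_rank "${2:-High}")" ]
}

# Constructed sample logs, assumed to mimic the tool's layout; not real scan results.
SAMPLE_LOG=$(mktemp); CLEAN_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$CLEAN_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
The following sources were used:
   https://api.nuget.org/v3/index.json

Project `Demo.Api` has the following vulnerable packages
   [net8.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > Example.Serializer   2.1.0       2.1.0      Moderate   https://example.invalid/advisory/1
   > Example.Transport    4.0.0       4.0.0      High       https://example.invalid/advisory/2
EOF
cat > "$CLEAN_LOG" <<'EOF'
The following sources were used:
   https://api.nuget.org/v3/index.json

The given project `Demo.LowLatency` has no vulnerable packages given the current sources.
EOF

# Block only on High or Critical; Low and Moderate findings stay visible in the log but do not fail the build.
if vulnerability_gate "$SAMPLE_LOG" High; then echo "gate passed"; else echo "gate failed: High or worse found"; fi
```

In the pipeline, replace the sample files with build.log and pick the threshold that fits your risk appetite, e.g. `vulnerability_gate build.log High`.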
