Enable NuGet Audit for better DevSecOps in .NET

Auditing is becoming increasingly important in a developer's everyday work; until now, however, there was no particularly good way to do it in .NET, and even the lock file still has its deficiencies. You had to rely on third-party packages to carry out real auditing of your packages and references, or use security software such as WhiteSource or Snyk.

Since NuGet 6.8 / .NET 8 (SDK 8.0.100), there is an integrated SDK option.

Enable NuGet Audit

Open your Directory.Build.props file and add the following:

    <!-- NuGet -->
    <PropertyGroup>
        <NuGetAudit>true</NuGetAudit>
        <NuGetAuditLevel>low</NuGetAuditLevel>
        <NuGetAuditMode>all</NuGetAuditMode>
    </PropertyGroup>

  • NuGetAudit enables the audit during restore, i.e. as part of the build process.
  • NuGetAuditLevel specifies the minimum severity level of vulnerabilities to report.
  • NuGetAuditMode specifies which packages are audited (with all, transitive packages are included as well).

If you don't have a Directory.Build.props file, you can create one in the root of your repository (which is recommended) or add the property group to each of your project files.
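The post's setting only prints warnings, so a build still succeeds with a known vulnerable package. As an added example that is not from the original post, here is a Directory.Build.props that keeps the configuration above and additionally fails the build on high and critical advisories (warning codes NU1903 and NU1904) when running on CI; it assumes the CI system exposes a CI=true environment variable (as GitHub Actions does), the NuGetAuditSuppress item requires NuGet 6.11 / .NET SDK 8.0.400 or later, and the advisory URL in it is a placeholder.

```xml
<Project>
  <!-- Added example, not from the original post. -->
  <!-- Audit direct and transitive packages and report every severity. -->
  <PropertyGroup>
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditLevel>low</NuGetAuditLevel>
    <NuGetAuditMode>all</NuGetAuditMode>
  </PropertyGroup>

  <!-- On CI (assumes the CI=true environment variable, which MSBuild reads
       as the $(CI) property) promote high and critical advisories to errors
       so restore fails instead of only printing a warning.
       NU1901 = low, NU1902 = moderate, NU1903 = high, NU1904 = critical. -->
  <PropertyGroup Condition="'$(CI)' == 'true'">
    <WarningsAsErrors>$(WarningsAsErrors);NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <!-- Suppress one reviewed advisory by its URL (NuGetAuditSuppress needs
       NuGet 6.11 / .NET SDK 8.0.400 or later). The URL is a placeholder;
       record why the finding does not apply next to every suppression. -->
  <ItemGroup>
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-xxxx-xxxx-xxxx" />
  </ItemGroup>
</Project>
```

Locally the same advisories remain warnings, so developers still see them without being blocked.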

Now you will see output like the following during restore:

------ Build started: Project: EntityFrameworkDemo.Database.SqlServer.Migrations, Configuration: Debug Any CPU ------
------ Build started: Project: EntityFrameworkDemo.Apps.Console, Configuration: Debug Any CPU ------

C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1903: Package 'Azure.Identity' 1.7.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-5mfx-4wcx-rv27
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1903: Package 'Microsoft.Data.SqlClient' 5.1.1 has a known high severity vulnerability, https://github.com/advisories/GHSA-98g6-xh36-x2p7
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-8g9c-28fc-mcx2
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1902: Package 'System.IdentityModel.Tokens.Jwt' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1902: Package 'System.IdentityModel.Tokens.Jwt' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-8g9c-28fc-mcx2
...

NuGet Audit in Visual Studio

If you are using Visual Studio, the audit results appear in the Error List and in the Output window. No additional settings are needed; the only requirement is Visual Studio 2022 v17.8 or newer.
