Status: Professional-grade security scanner for .NET applications - production-ready tool for automated vulnerability detection in NuGet dependencies.
A comprehensive .NET vulnerability scanner for NuGet packages that helps identify security vulnerabilities in your dependencies.
- Comprehensive Scanning: Analyzes .NET projects and solutions for vulnerable NuGet packages
- Multiple Data Sources: Integrates with GitHub Security Advisories and NuGet vulnerability data
- Detailed Reporting: Provides detailed vulnerability reports with severity levels and remediation guidance
- Fast Performance: Efficient scanning with intelligent caching and parallel processing
- Easy Integration: Simple CLI interface and programmatic API
- Continuous Monitoring: Supports integration with CI/CD pipelines
- Multiple Data Sources: Integrates with GitHub Security Advisories and NuGet vulnerability databases
- Dependency Analysis: Build complete dependency graphs including transitive dependencies
- Safe Updates: Automatically update vulnerable packages with compatibility testing
- Rollback Support: Create backups before updates and rollback on failure
- Breaking Change Detection: Identify potential breaking changes in package updates
- CI/CD Integration: JSON output and exit codes for easy integration with build pipelines
- Rich CLI Experience: Beautiful, interactive command-line interface with progress indicators
- .NET 8.0 SDK or later
- Windows, macOS, or Linux
```bash
git clone https://github.com/wesleyscholl/NuVet.git
cd NuVet
dotnet build
dotnet pack
dotnet tool install --global --add-source ./NuVet.CLI/bin/Debug nuvet
```

```bash
# Install as a global dotnet tool
dotnet tool install --global nuvet
```

```bash
# Scan current directory
nuvet scan .
# Scan specific solution
nuvet scan MyApp.sln
# Scan with minimum severity filter
nuvet scan . --min-severity High
# Output results to JSON file
nuvet scan . --output results.json --json
# Exclude specific packages
nuvet scan . --exclude "Microsoft.*,System.*"
```

```bash
# Update all vulnerable packages
nuvet update .
# Dry run to see what would be updated
nuvet update . --dry-run
# Auto-approve all updates
nuvet update . --auto-approve
# Update only critical and high severity vulnerabilities
nuvet update . --min-severity High
# Skip backup creation (not recommended)
nuvet update . --no-backup
```

```bash
# Analyze project dependencies
nuvet analyze .
# Show transitive dependencies
nuvet analyze . --show-transitive
# Display as tree format
nuvet analyze . --tree
# Save dependency graph to file
nuvet analyze . --output deps.json
```

```text
nuvet scan <path> [options]

Arguments:
  <path>                    Path to solution, project, or directory to scan

Options:
  --output <file>           Output file path for results (JSON format)
  --min-severity <level>    Minimum severity level to report [Low|Moderate|High|Critical]
  --include-transitive      Include transitive dependencies (default: true)
  --exclude <packages>      Package names to exclude from scan
  --json                    Output results in JSON format
  --verbose                 Enable verbose logging
```

```text
nuvet update <path> [options]

Arguments:
  <path>                    Path to solution, project, or directory to update

Options:
  --dry-run                 Show what would be updated without making changes
  --auto-approve            Automatically approve all updates
  --min-severity <level>    Minimum severity to update [Low|Moderate|High|Critical]
  --exclude <packages>      Package names to exclude from updates
  --no-backup               Skip creating backups before updates
  --no-validation           Skip build validation after updates
  --verbose                 Enable verbose logging
```

```text
nuvet analyze <path> [options]

Arguments:
  <path>                    Path to solution, project, or directory to analyze

Options:
  --output <file>           Output file path for dependency graph (JSON format)
  --show-transitive         Show transitive dependencies
  --tree                    Display dependencies in tree format
  --verbose                 Enable verbose logging
```
- GitHub Security Advisories: Comprehensive vulnerability database
- NuGet.org Vulnerability Database: Official NuGet security advisories
- Manual Override Support: Configure custom vulnerability sources
- Automatic Backups: All project files are backed up before updates
- Build Validation: Verify projects still build after updates
- Rollback on Failure: Automatically restore backups if updates fail
- Breaking Change Detection: Identify potential breaking changes
- Semantic Versioning Awareness: Respect SemVer update policies
```yaml
# GitHub Actions example
- name: Scan for vulnerabilities
  run: nuvet scan . --json --output vulns.json
- name: Check for critical vulnerabilities
  run: |
    # jq -e makes the exit status follow the filter result (false/null -> 1),
    # so the step only fails when critical findings are actually present;
    # without -e, jq exits 0 for both "true" and "false" and the gate never fails
    if nuvet scan . --min-severity Critical --json | jq -e '.vulnCount > 0'; then
      echo "Critical vulnerabilities found!"
      exit 1
    fi
```

```text
────────────────── NuVet - Vulnerability Scanner ──────────────────
Scanning: ./MyApp.sln
Min Severity: Low
Include Transitive: True

┌────────────────────────┬───────┐
│ Metric                 │ Count │
├────────────────────────┼───────┤
│ Projects Scanned       │ 5     │
│ Packages Analyzed      │ 127   │
│ Vulnerable Packages    │ 3     │
│ Total Vulnerabilities  │ 8     │
└────────────────────────┴───────┘

┌──────────┬───────┐
│ Severity │ Count │
├──────────┼───────┤
│ Critical │ 2     │
│ High     │ 3     │
│ Moderate │ 2     │
│ Low      │ 1     │
└──────────┴───────┘

────────────────────── Vulnerable Packages ──────────────────────
Newtonsoft.Json 12.0.3
  Highest Severity: High
  Affected Projects: 3
  Suggested Updates: 13.0.1, 13.0.2, 13.0.3
  • High: Improper Handling of Exceptional Conditions
  • Moderate: Uncontrolled Resource Consumption
```
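As an added example (not NuVet's own code), a POSIX shell CI gate that reads the `summary` counters from the JSON report written by `nuvet scan . --json --output <file>` and fails the job on any finding at or above a chosen severity, relying on the exit status rather than on printed text. It assumes the pretty-printed layout shown in the JSON sample in this README (one `"<level>Vulnerabilities": <n>` pair per line) and needs only sed, not jq.

```shell
# Added example, not part of NuVet: gate a CI job on NuVet's JSON report.
# Assumes one "<level>Vulnerabilities": <n> pair per line under "summary".
# Print one summary counter ("critical", "high", ...) from a report; 0 if absent.
nuvet_count() {
  n=$(sed -n "s/.*\"$1Vulnerabilities\": *\([0-9][0-9]*\).*/\1/p" "$2" | head -n 1)
  echo "${n:-0}"
}

# Rank a NuVet severity name so thresholds can be compared numerically.
sev_rank() {
  case "$1" in
    Low) echo 1 ;; Moderate) echo 2 ;; High) echo 3 ;; Critical) echo 4 ;;
    *) echo "unknown severity: $1" >&2; return 2 ;;
  esac
}

# Sum findings at or above $1 (Low|Moderate|High|Critical) in report file $2.
nuvet_count_at_or_above() {
  min=$(sev_rank "$1") || return 2
  total=0
  for level in Critical High Moderate Low; do
    if [ "$(sev_rank "$level")" -ge "$min" ]; then
      c=$(nuvet_count "$(printf '%s' "$level" | tr '[:upper:]' '[:lower:]')" "$2")
      total=$((total + c))
    fi
  done
  echo "$total"
}

# CI gate: a non-zero exit status (not just printed text) when anything at or
# above the threshold was found, e.g. `nuvet_gate High vulns.json || exit 1`.
nuvet_gate() {
  found=$(nuvet_count_at_or_above "$1" "$2") || return 2
  if [ "$found" -gt 0 ]; then
    echo "nuvet: $found finding(s) at severity $1 or above" >&2
    return 1
  fi
  echo "nuvet: no findings at severity $1 or above"
}

# Constructed sample report mirroring the summary block shown in this README.
write_sample_report() {
  cat > "$1" <<'EOF'
{ "summary": {
    "criticalVulnerabilities": 2,
    "highVulnerabilities": 3,
    "moderateVulnerabilities": 2,
    "lowVulnerabilities": 1 }, "vulnerablePackages": [] }
EOF
}
```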
```json
{
  "solutionPath": "./MyApp.sln",
  "scanDate": "2025-01-15T10:30:00Z",
  "summary": {
    "totalProjects": 5,
    "totalPackages": 127,
    "vulnerablePackages": 3,
    "criticalVulnerabilities": 2,
    "highVulnerabilities": 3,
    "moderateVulnerabilities": 2,
    "lowVulnerabilities": 1
  },
  "vulnerablePackages": [...]
}
```

- NuVet.Core: Core domain models and services
- NuVet.CLI: Command-line interface
- NuVet.Tests: Comprehensive test suite
- VulnerabilityScanner: Orchestrates vulnerability detection
- DependencyAnalyzer: Builds dependency graphs from project files
- VulnerabilityService: Integrates with vulnerability databases
- PackageUpdater: Safely updates packages with rollback support
- NuGetService: Interfaces with NuGet repositories
- .NET 8.0: Modern .NET platform
- System.CommandLine: Advanced CLI framework
- Spectre.Console: Rich console UI
- NuGet.Protocol: Official NuGet API client
- MSBuild APIs: Project file parsing
- Semantic Versioning: Version comparison and analysis
We welcome contributions! Please see our Contributing Guide for details.
```bash
git clone https://github.com/wesleyscholl/NuVet.git
cd NuVet
dotnet restore
dotnet build
dotnet test
```

```bash
# Run the test suite
dotnet test
# Run the test suite with code coverage
dotnet test --collect:"XPlat Code Coverage"
```

This project is licensed under the MIT License - see the LICENSE file for details.
- GitHub Security Advisories for vulnerability data
- NuGet team for the excellent NuGet.Protocol APIs
- Spectre.Console for the beautiful CLI experience
- All contributors and users of this project
- dotnet-outdated - Find outdated packages
- Snyk - Commercial vulnerability scanning
- OWASP Dependency Check - Generic dependency scanning
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Documentation: Wiki
Made with ❤️ for the .NET community