Consider NuGet's Native Vulnerability Scanner for Inclusion in SAST for C# / NuGet

Release notes

Problem to solve

The NuGet project is adding built-in vulnerability scanning backed by CVE/GHSA advisory data. Adopting it could also improve our scanning coverage for .NET Framework projects, not just .NET Core.

Intended users

User experience goal

The native NuGet scanning capability is offered in SAST as one of the NuGet scanners, possibly as the primary one.

Proposal

Use existing NuGet scanning capability to

Further details

"We are announcing the public availability of NuGet's vulnerability features that you can use to ensure your projects are vulnerability-free and if not, to take action to secure your software supply chain."

From: How to Scan NuGet Packages for Security Vulnerabilities
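Added example (not part of this proposal, of NuGet, or of the referenced blog post): a POSIX shell gate around the native scanner, `dotnet list package --vulnerable --include-transitive`. It assumes the command reports findings in its text output but does not itself fail the build, so the gate counts reported packages at or above a severity threshold. The report text below is constructed to match the shape of the tool's output; the package names and advisory URLs are placeholders, not real advisories.

```shell
#!/bin/sh
# Added example: CI gate around `dotnet list package --vulnerable --include-transitive`.
# Assumption: the command prints findings but exits 0 either way, so we parse its output.

# Constructed sample report (placeholder packages/advisories, not real findings).
SAMPLE_REPORT='The following sources were used:
   https://api.nuget.org/v3/index.json

Project `ExampleApp` has the following vulnerable packages
   [net6.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > Example.Parser       1.2.0       1.2.0      High       https://github.com/advisories/GHSA-xxxx-xxxx-xxx1

   Transitive Package     Resolved   Severity   Advisory URL
   > Example.Logging      3.0.1      Moderate   https://github.com/advisories/GHSA-xxxx-xxxx-xxx2
'

# Constructed sample report for a project with no findings.
CLEAN_REPORT='The following sources were used:
   https://api.nuget.org/v3/index.json

The given project `ExampleApp` has no vulnerable packages given the current sources.
'

# count_findings REPORT MIN_SEVERITY
# Prints the number of reported packages whose severity is >= MIN_SEVERITY.
# Each finding is a line starting with "> " that carries one of the severity
# words Low, Moderate, High or Critical; an unknown threshold falls back to Low.
count_findings() {
    printf '%s\n' "$1" | awk -v min="$2" '
        BEGIN {
            rank["Low"] = 1; rank["Moderate"] = 2; rank["High"] = 3; rank["Critical"] = 4
            if (!(min in rank)) min = "Low"
            n = 0
        }
        /^ *>/ {
            for (i = 1; i <= NF; i++) {
                if (($i in rank) && rank[$i] >= rank[min]) { n++; break }
            }
        }
        END { print n }'
}

# gate REPORT MIN_SEVERITY
# Succeeds (exit 0) only when no finding reaches MIN_SEVERITY.
gate() {
    n=$(count_findings "$1" "$2")
    [ "$n" -eq 0 ]
}

# Real use in a pipeline job (assumes the .NET SDK is on PATH):
#   report=$(dotnet list package --vulnerable --include-transitive) || exit 1
#   gate "$report" High || { printf '%s\n' "$report"; echo "vulnerable packages found"; exit 1; }
```

The threshold is a policy knob: gating on High leaves Moderate findings visible in the job log without blocking, while gating on Low fails on anything the advisory feed knows about.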

Permissions and Security

Documentation

Availability & Testing

Available Tier

What does success look like, and how can we measure that?

.NET customers are able to use the native vulnerability scanning capability of NuGet, the .NET packaging technology, from within SAST.

What is the type of buyer?

See the above list of Personas - specific to .NET Framework and Core codebases.

Is this a cross-stage feature?

No

Links / references

Edited by DarwinJS