A dotnet tool for package dependency checks.
dotnet list package is a wonderful tool and with its --vulnerable option it is essential for verifying your project's dependencies. It's quick, easy and free. If you're not famlilar with it or why you should depend on it (pun intented), read this blog post.
Unfortunately, integrating it into your CI pipelines isn't as simple as you'd hope: the tool does not return a non-zero return code when vulnerabilities are found (what every pipeline needs), and doesn't produce any reports for things like PR checks. We're left to dig into the build logs and parse the tool's console output to see what's up.
There are long-lived issues on the Dotnet & Nuget boards:
So until those issues are resolved, dotnet list package needs some workarounds in CI pipelines.
This tool tries to do just that. It wraps dotnet list package and interprets the output for vulnerabilities. Anything found will return in a non-zero return code, and you get some nice markdown to make your PRs obvious. And because it's a dotnet tool, using it in a CI pipeline is as easy as using it on your dev machine.
A Github Action is available - see pkgchk-action.
You'll need .Net SDK 7.0.200 installed. Any global.json files must use .Net SDK 7.0.200 or higher.
If your SDK is lower than 7.0.200, this tool will not work: you'll get some unexpected results. Sorry about that.
.Net 7.0.200 introduced JSON output, which pkgchk-cli leans on.
If you want it in your pipelines, you'll need to install a version into your repository.
Create a tool manifest for your repository:
dotnet new tool-manifest
Add the tool to your repository's toolset:
dotnet tool install pkgchk-cli
If you want to use it in every directory just add the tool to your global toolset:
dotnet tool install pkgchk-cli -g
To get help:
pkgchk --help
To check for top-level and transitive dependency vulnerabilities:
pkgchk scan <project|solution>
If there's only one project or solution file in your directory, omit the <project|solution> argument.
To list dependencies:
pkgchk list <project|solution>
If there's only one project or solution file in your directory, omit the <project|solution> argument.
To list packages with upgrades:
pkgchk upgrades <project|solution>
If there's only one project or solution file in your directory, omit the <project|solution> argument.
--vulnerable |
Scan for vulnerable packages | true/false |
true by default |
--deprecated |
Scan for deprecated packages | true/false |
false by default |
--transitive |
Scan for transitive packages, vulnerable, deprecated or otherwise | true/false |
true by default |
--output |
The relative or absolute directory for reports. If ommitted, no reports are generated | string |
None by default |
--severity |
Severity levels to search for, or deprecation reasons. Any number of severties can be given. | string |
High, Critical, Critical Bugs, Legacy |
--included-package |
The name of a package to specifically search for. Multiple --included-package options can be given. |
None by default | |
--excluded-package |
The name of a package to exclude from searches. Multiple --excluded-package options can be given. |
None by default | |
--no-restore |
Don't automatically restore the project/solution. | n/a | Package restoration is automatic by default |
--trace |
Show working logs | n/a |
To check only for top-level dependency vulnerabilities:
pkgchk scan <project|solution> --transitive false
To add deprecated packages in a scan:
pkgchk scan <project|solution> --deprecated true
Vulnerable packages are automatically searched for. To turn off vulnerable package searches::
pkgchk scan <project|solution> --vulnerable false
To produce a markdown file, simply give an output folder:
pkgchk scan <project|solution> --output ./reports_directory
Project restores (dotnet restore) occur automatically. To suppress restores and speed up scanning, just add --no-restore:
pkgchk scan <project|solution> --no-restore
By default only High, Critical, Critical Bugs and Legacy vulnerabilities and deprecations are detected. Specify the vulnerability severities (or deprecation reasons) with --severity switches, e.g. to just check for Moderate issues:
pkgchk scan <project|solution> --severity Moderate
--included-package |
The name of a package to specifically search for. Multiple --included-package options can be given. |
None by default | |
--excluded-package |
The name of a package to exclude from searches. Multiple --excluded-package options can be given. |
None by default | |
--transitive |
Scan for transitive packages, vulnerable, deprecated or otherwise | true/false |
true by default |
--no-restore |
Don't automatically restore the project/solution. | n/a | Package restoration is automatic by default |
--trace |
Show working logs | n/a |
To list top-level dependencies with transitives:
pkgchk list <project|solution>
To list top-level dependencies without transitives:
pkgchk list <project|solution> --transitive false
--included-package |
The name of a package to specifically search for. Multiple --included-package parameter can be given. |
None by default | |
--excluded-package |
The name of a package to exclude from searches. Multiple --excluded-package parameter can be given. |
None by default | |
--output |
The relative or absolute directory for reports. If ommitted, no reports are generated | string |
None by default |
--no-restore |
Don't automatically restore the project/solution. | n/a | Package restoration is automatic by default |
--trace |
Show working logs | n/a |
In some circumstances, you may need to apply a standard list of options, such as excluding specific packages across scan, list, upgrade.
Each command has a --config parameter available for the name of a file, for example:
pkgchk upgrades --config pkgchkconfig.yml
If you specify --config, all other configurable parameters (see below) will be ignored.
Acceptable formats are YAML:
noBanner |
To hide the command line's banner. | |
noRestore |
Equivalent to the --no-restore parameter. |
|
excludePackages |
An array of package names to exclude, e.g. excludedPackages: [ Ignored.Package ] |
|
includePackages |
An array of package names to include, e.g. excludedPackages: [ Important.Package ] |
|
breakOnUpgrades |
For the upgrades command, to return a non-zero return code if package upgrades are found. |
|
severities |
For the scan command, an array of severities, equivalent to the command's --severity parameters. |
|
scanVulnerabilities |
For the scan command, equivalent to the commandss --vulnerable parametrer. |
|
scanDeprecations |
For the scan command, equivalent to the command's --deprecated parameter. |
|
scanTransitives |
Equivalent to the --transitive parameter. |
If you want to directly use the tool in Github, simply restore the tool and run, with the same parameters as you'd use from the command line:
name: run SCA
run: |
dotnet tool restore
pkgchk scan <project|solution>
Alternatively, if you want better visibility and easier control within GitHub, see pkgchk-action.
Most CI platforms fail on non-zero return codes from steps.
Simply ensure your repository has pkgchk-cli in its tools manifest, your CI includes nuget.org as a package source and run:
dotnet tool restore
pkgchk scan <project|solution>
pkgchk-cli is licenced under MIT.
pkgchk-cli uses Spectre.Console - please check their licence.
pkgchk-cli uses dotnet list package published by Microsoft.