Contributor

Copilot AI commented Oct 28, 2025

NuGet Audit was previously disabled. This re-enables it to detect vulnerable packages during restore.

Changes

  • Added explicit NuGet Audit configuration to Directory.Build.props:
    • NuGetAudit=true - Enable scanning
    • NuGetAuditLevel=low - Report all severity levels
    • NuGetAuditMode=all - Audit direct and transitive dependencies

Current package set has no known vulnerabilities.

Original prompt

This section details on the original issue you should resolve

<issue_title>[release/8.0.4xx] Enable Nuget Audit</issue_title>
<issue_description>Disabled in https://dev.azure.com/dnceng/internal/_git/dotnet-sdk/pullrequest/54678.
We should re-enable it and bump some packages</issue_description>

<agent_instructions>It was disabled in directory.build.props. Reenable it and see what it flags.</agent_instructions>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: marcpopMSFT <12663534+marcpopMSFT@users.noreply.github.com>
Copilot AI changed the title [WIP] Re-enable Nuget Audit and bump packages Enable NuGet Audit for security vulnerability scanning Oct 28, 2025
Copilot finished work on behalf of marcpopMSFT October 28, 2025 18:52
Copilot AI requested a review from marcpopMSFT October 28, 2025 18:52
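
A CI guard along these lines can catch the audit settings being switched off or weakened again. It is an added example, not code from this pull request or its repository: the name `check_audit_settings` and both sample props files are constructed for illustration, and the check ignores MSBuild `Condition` attributes.

```python
import re
import xml.etree.ElementTree as ET

# Values the PR description lists for Directory.Build.props.
EXPECTED = {"NuGetAudit": "true", "NuGetAuditLevel": "low", "NuGetAuditMode": "all"}
# NuGet audit warning codes (low, moderate, high, critical severity).
AUDIT_WARNINGS = {"NU1901", "NU1902", "NU1903", "NU1904"}
# Constructed sample inputs, not the repository's actual file.
WEAKENED = """<Project><PropertyGroup>
  <NuGetAudit>false</NuGetAudit>
  <NuGetAuditLevel>high</NuGetAuditLevel>
  <NoWarn>$(NoWarn);NU1903;CS1591</NoWarn>
</PropertyGroup></Project>"""
HARDENED = """<Project><PropertyGroup>
  <NuGetAudit>true</NuGetAudit>
  <NuGetAuditLevel>low</NuGetAuditLevel>
  <NuGetAuditMode>all</NuGetAuditMode>
</PropertyGroup></Project>"""


def _local(tag: str) -> str:
    """Drop any XML namespace and lowercase (MSBuild names are case-insensitive)."""
    return tag.rsplit("}", 1)[-1].lower()


def check_audit_settings(props_xml: str) -> list[str]:
    """List audit settings that are missing or weaker than EXPECTED."""
    # Simplification: Condition attributes are ignored; the last definition wins.
    canon = {name.lower(): name for name in EXPECTED}
    seen, findings = {}, []
    root = ET.fromstring(props_xml)
    groups = [g for g in root.iter() if _local(g.tag) == "propertygroup"]
    for prop in (p for g in groups for p in g):
        name, value = _local(prop.tag), (prop.text or "").strip()
        if name in canon:
            seen[canon[name]] = value.lower()
        elif name == "nowarn":
            # Audit warnings hidden through NoWarn never reach the build log.
            hidden = AUDIT_WARNINGS & set(re.split(r"[;,\s]+", value.upper()))
            findings += [f"{code} suppressed via NoWarn" for code in sorted(hidden)]
    for name, want in EXPECTED.items():
        if name not in seen:
            findings.append(f"{name} is not set explicitly")
        elif seen[name] != want:
            findings.append(f"{name}={seen[name]}, expected {want}")
    return findings


if __name__ == "__main__":
    print(check_audit_settings(WEAKENED), check_audit_settings(HARDENED) or "ok")
```
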
@marcpopMSFT
Member

@dkurepa, was your issue specifically about turning audit back on in 8, or is main sufficient?
#51466

@marcpopMSFT
Member

/backport to release/8.0.4xx

@github-actions
Contributor

github-actions bot commented Nov 6, 2025

Started backporting to release/8.0.4xx (link to workflow run)

@github-actions
Contributor

github-actions bot commented Nov 6, 2025

@marcpopMSFT backporting to release/8.0.4xx failed, the patch most likely resulted in conflicts. Please backport manually!

git am output
$ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch

Creating an empty commit: Initial plan
Applying: Enable NuGet Audit in Directory.Build.props
Using index info to reconstruct a base tree...
M	Directory.Build.props
Falling back to patching base and 3-way merge...
Auto-merging Directory.Build.props
CONFLICT (content): Merge conflict in Directory.Build.props
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0002 Enable NuGet Audit in Directory.Build.props
Error: The process '/usr/bin/git' failed with exit code 128

Link to workflow output


Development

Successfully merging this pull request may close these issues.

[release/8.0.4xx] Enable Nuget Audit

2 participants