Use dotnet list package --vulnerable --include-transitive to detect vulnerable packages

bart-vmware · bart-vmware · commit f34a76c5a31c · 2026-04-28T15:31:10.000+02:00
diff --git a/.github/workflows/scan-vulnerable-dependencies.yml b/.github/workflows/scan-vulnerable-dependencies.yml
@@ -41,4 +41,19 @@ jobs:
         persist-credentials: false
 
     - name: Report vulnerable dependencies
-      run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release /p:NuGetAudit=true /p:NuGetAuditMode=all /p:NuGetAuditLevel=low --verbosity minimal
+      shell: pwsh
+      run: |
+        $ErrorActionPreference = 'Stop'
+        $PSNativeCommandUseErrorActionPreference = $true
+
+        $output = dotnet list ${{ env.SOLUTION_FILE }} package --vulnerable --include-transitive --format json --output-version 1 2>&1
+        $text = ($output | Out-String).TrimEnd()
+        $json = $text | ConvertFrom-Json
+
+        foreach ($project in $json.projects) {
+          if ($project.frameworks) {
+            Write-Host 'Vulnerable package references were found.'
+            dotnet list ${{ env.SOLUTION_FILE }} package --vulnerable --include-transitive
+            exit 1
+          }
+        }
