5/5 - (1 vote)

In the modern development ecosystem, neglecting dependency security isn’t just careless—it’s a guaranteed way to face incidents. Every new NuGet package you introduce may carry vulnerabilities. Automating dependency scans is therefore not merely a “best practice”; it’s the baseline of healthy development hygiene. Without it, you can’t confidently ship a secure product.

This guide shows how to add a mandatory security scanning stage (security-scan) to your .gitlab-ci.yml pipeline using standard tools included in the .NET SDK.

Adding the Security Scan Stage to .gitlab-ci.yml

Here’s a YAML snippet you can directly include in your pipeline configuration:

security-scan:
stage: security-scan
image: mcr.microsoft.com/dotnet/sdk:8.0
before_script:
- dotnet tool install --global dotnet-outdated-tool
script:
# Step 1: Check for known vulnerabilities in packages. This is mandatory.
- echo "Searching for KNOWN vulnerabilities in packages..."
- dotnet list package --vulnerable --include-transitive

# Step 2: Check for outdated packages. Important for maintenance and security.
- echo "Checking for outdated (non-secure) packages..."
- dotnet-outdated
allow_failure: true
only:
- main
- develop
- merge_requests

Step-by-Step Breakdown: Your First Line of Defense

stage: security-scan

The security check runs in a separate stage to highlight its importance. This ensures that vulnerability analysis happens regularly—typically after build and test steps.

image: mcr.microsoft.com/dotnet/sdk:8.0

Using Microsoft’s official .NET SDK image guarantees access to up-to-date CLI tools necessary for reliable scanning and reporting.

before_script

This block sets up the environment for the scan.

dotnet tool install --global dotnet-outdated-tool

installs the dotnet-outdated-tool utility. While the primary scan for vulnerabilities uses a built-in command, this tool helps track outdated packages—an essential aspect of maintaining a clean and secure dependency ecosystem. Neglecting updates often turns into technical debt that may expose you to risks later.

script

This is where the actual security work happens.

  • Step 1: Check for Known Vulnerabilities
    Uses dotnet list package --vulnerable to report any insecure dependencies, including transitive ones.

  • Step 2: Check for Outdated Packages
    Runs dotnet-outdated to highlight dependencies that are no longer current or may contain unfixed issues.

allow_failure: true

This flag lets the pipeline continue even if vulnerabilities are found. It’s a balanced approach for teams just starting with automated security checks—issues are reported but don’t block delivery.
However, if your project handles sensitive data or production-critical workloads, consider setting this to false to prevent merging code that fails security validation.

only

This configuration ensures the scan runs for the main and develop branches, as well as every merge request. Doing so helps you identify risks before they make it into production.

Conclusion

The setup above is not optional—it’s a foundational layer of security for every .NET project. It automatically detects both active threats (vulnerable dependencies) and latent risks (outdated packages that can lead to future vulnerabilities).

Related posts:

  1. Integrating SonarQube into Kubernetes
  2. Kubernetes Security: How to Secure and Monitor Your Cluster
  3. Selecting base images for .NET applications: minimum vulnerabilities, maximum performance
  4. Website security audit – identification of risks and threats