pkgchk-cli 0.3.527

.NET 8.0 This package targets .NET 8.0. The package is compatible with this framework or higher. 
dotnet tool install --global pkgchk-cli --version 0.3.527
This package contains a .NET tool you can call from the shell/command line. 
dotnet new tool-manifest
                    


                            if you are setting up this repo
                        

                    

                
dotnet tool install --local pkgchk-cli --version 0.3.527
This package contains a .NET tool you can call from the shell/command line. 
#tool dotnet:?package=pkgchk-cli&version=0.3.527
                    


                    

                
nuke :add-package pkgchk-cli --version 0.3.527

pkgchk-cli

Build & Release

Nuget

A dotnet tool for package dependency checks.

dotnet list package is a wonderful tool and with its --vulnerable option it is essential for verifying your project's dependencies. It's quick, easy and free. If you're not famlilar with it or why you should depend on it (pun intented), read this blog post.

Unfortunately, integrating it into your CI pipelines isn't as simple as you'd hope: the tool does not return a non-zero return code when vulnerabilities are found (what every pipeline needs), and doesn't produce any reports for things like PR checks. We're left to dig into the build logs and parse the tool's console output to see what's up.

There are long-lived issues on the Dotnet & Nuget boards:

So until those issues are resolved, dotnet list package needs some workarounds in CI pipelines.

This tool tries to do just that. It wraps dotnet list package and interprets the output for vulnerabilities. Anything found will return in a non-zero return code, and you get some nice markdown to make your PRs obvious. And because it's a dotnet tool, using it in a CI pipeline is as easy as using it on your dev machine.

If you want to use this as a Github Action

A Github Action is available - see pkgchk-action.

What you need to install it

⚠️ This tool only works with .Net SDK 7.0.200 or higher.

You'll need .Net SDK 7.0.200 installed. Any global.json files must use .Net SDK 7.0.200 or higher.

If your SDK is lower than 7.0.200, this tool will not work: you'll get some unexpected results. Sorry about that. .Net 7.0.200 introduced JSON output, which pkgchk-cli leans on.

Installing into your repository

If you want it in your pipelines, you'll need to install a version into your repository.

Create a tool manifest for your repository:

dotnet new tool-manifest

Add the tool to your repository's toolset:

dotnet tool install pkgchk-cli

Installing onto your machine

If you want to use it in every directory just add the tool to your global toolset:

dotnet tool install pkgchk-cli -g

How to use it

To get help:

pkgchk --help

To check for top-level and transitive dependency vulnerabilities:

pkgchk scan <project|solution>

If there's only one project or solution file in your directory, omit the <project|solution> argument.

To list dependencies:

pkgchk list <project|solution>

If there's only one project or solution file in your directory, omit the <project|solution> argument.

Scan vulnerabilities and deprecations
--vulnerable Scan for vulnerable packages true/false true by default
--deprecated Scan for deprecated packages true/false false by default
--transitive Scan for transitive packages, vulnerable, deprecated or otherwise true/false true by default
--output The relative or absolute directory for reports. If ommitted, no reports are generated string None by default
--severity Severity levels to search for, or deprecation reasons. Any number of severties can be given. string High, Critical, Critical Bugs, Legacy
--no-restore Don't automatically restore the project/solution. n/a Package restoration is automatic by default
--trace Show working logs n/a

To check only for top-level dependency vulnerabilities:

pkgchk scan <project|solution> --transitive false

To add deprecated packages in a scan:

pkgchk scan <project|solution> --deprecated true

Vulnerable packages are automatically searched for. To turn off vulnerable package searches::

pkgchk scan <project|solution> --vulnerable false

To produce a markdown file, simply give an output folder:

pkgchk scan <project|solution> --output ./reports_directory

Project restores (dotnet restore) occur automatically. To suppress restores and speed up scanning, just add --no-restore:

pkgchk scan <project|solution> --no-restore

By default only High, Critical, Critical Bugs and Legacy vulnerabilities and deprecations are detected. Specify the vulnerability severities (or deprecation reasons) with --severity switches, e.g. to just check for Moderate issues:

pkgchk scan <project|solution> --severity Moderate

Listing dependencies
--transitive Scan for transitive packages, vulnerable, deprecated or otherwise true/false true by default
--no-restore Don't automatically restore the project/solution. n/a Package restoration is automatic by default
--trace Show working logs n/a

To list top-level dependencies with transitives:

pkgchk list <project|solution>

To list top-level dependencies without transitives:

pkgchk list <project|solution> --transitive false

Integration within Github actions

Simply:

name: run SCA
run: |
    dotnet tool restore    
    pkgchk scan <project|solution>

Integration within other CI platforms

Most CI platforms fail on non-zero return codes from steps.

Simply ensure your repository has pkgchk-cli in its tools manifest, your CI includes nuget.org as a package source and run:

dotnet tool restore
pkgchk scan <project|solution>

Licence

pkgchk-cli is licenced under MIT.

pkgchk-cli uses Spectre.Console - please check their licence.

pkgchk-cli uses dotnet list package published by Microsoft.

Product Compatible and additional computed target framework versions.
.NET net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 was computed.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 was computed.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

This package has no dependencies.

Version Downloads Last Updated
0.3.527 35 9/1/2025
0.3.523 71 9/1/2025
0.3.522-preview 37 9/1/2025
0.3.521 59 9/1/2025
0.3.520-preview 37 9/1/2025
0.3.516 163 8/20/2025
0.3.512 236 8/12/2025
0.3.510 158 8/12/2025
0.3.506 154 8/12/2025
0.3.505 151 8/12/2025
0.3.489 1,024 6/21/2025
0.3.487 156 6/21/2025
0.3.486-preview 98 6/21/2025
0.3.485-preview 96 6/21/2025
0.3.484-preview 97 6/21/2025
0.3.480 439 5/19/2025
0.3.477 213 5/19/2025
0.3.476-preview 145 5/19/2025
0.3.465 276 4/26/2025
0.3.464 158 4/26/2025
0.3.463 156 4/26/2025
0.3.458 291 4/12/2025
0.3.456 183 4/12/2025
0.3.453-preview 130 4/12/2025
0.3.447-preview 155 4/8/2025
0.3.446-preview 157 4/8/2025
0.3.445 372 4/8/2025
0.3.442-preview 160 4/8/2025
0.3.440-preview 163 4/7/2025
0.3.438 1,734 3/31/2025
0.3.436 227 3/31/2025
0.3.434 152 3/31/2025
0.3.433-preview 149 3/31/2025
0.3.429 186 3/22/2025
0.3.428-preview 149 3/22/2025
0.3.427 165 3/22/2025
0.3.423 162 3/22/2025
0.3.422-preview 147 3/22/2025
0.3.415 259 3/22/2025
0.3.414-preview 150 3/22/2025
0.3.411-preview 160 3/22/2025
0.3.410 2,046 3/2/2025
0.3.409-preview 114 3/2/2025
0.3.408-preview 95 3/2/2025
0.3.407-preview 98 3/2/2025
0.3.406-preview 104 3/1/2025
0.3.405-preview 97 3/1/2025
0.3.404-preview 98 3/1/2025
0.3.402 242 3/1/2025
0.3.401-preview 98 3/1/2025
0.3.400 109 3/1/2025
0.3.399-preview 93 3/1/2025
0.2.397 287 2/28/2025
0.2.396-preview 94 2/28/2025
0.2.392-preview 95 2/28/2025
0.2.390-preview 87 2/28/2025
0.2.388 1,357 6/13/2024
0.2.386-preview 104 6/13/2024
0.2.385 2,477 3/10/2024
0.2.383-preview 393 3/10/2024
0.2.381-preview 423 3/10/2024
0.2.379-preview 369 3/10/2024
0.2.377-preview 456 3/10/2024
0.2.376-preview 436 3/10/2024
0.2.375 406 3/9/2024
0.2.373-preview 388 3/9/2024
0.2.371-preview 452 3/9/2024
0.2.369-preview 383 3/9/2024
0.2.367-preview 303 3/9/2024
0.2.365-preview 386 3/9/2024
0.2.363-preview 423 3/9/2024
0.2.361-preview 470 3/9/2024
0.2.359-preview 414 3/9/2024
0.2.357-preview 343 3/9/2024
0.2.355-preview 430 3/9/2024
0.2.353-preview 349 3/9/2024
0.2.351-preview 424 3/9/2024
0.2.350 1,660 2/17/2024
0.2.348-preview 587 2/17/2024
0.2.346-preview 548 2/16/2024
0.2.345-preview 543 2/16/2024
0.2.344-preview 518 2/16/2024
0.2.343 1,578 1/31/2024
0.2.341-preview 572 1/31/2024
0.2.339-preview 580 1/31/2024
0.2.338-preview 493 1/31/2024
0.2.337 688 1/30/2024
0.2.332 553 1/29/2024
0.2.331 647 1/28/2024
0.2.326 510 1/28/2024
0.2.313 573 1/26/2024
0.1.273 601 1/25/2024
0.1.264 565 1/24/2024
0.1.259 379 1/24/2024
0.1.250 469 1/22/2024
0.1.241 1,307 1/21/2024
0.1.236 582 1/21/2024
0.1.221 744 1/21/2024
0.1.213 502 1/20/2024
0.1.206 548 1/18/2024
0.1.195 714 1/14/2024
0.1.190 578 1/14/2024
0.1.183 575 1/14/2024
0.1.180 956 1/14/2024
0.1.169 571 1/12/2024
0.1.164 611 1/12/2024
0.1.160 567 1/12/2024
0.1.152 1,015 1/4/2024
0.1.147 889 1/4/2024
0.1.143 623 1/4/2024
0.1.123 576 1/3/2024
0.1.115 743 1/3/2024
0.1.105 719 1/3/2024
0.1.99 573 1/2/2024
0.1.96 704 1/2/2024
0.1.82 647 1/1/2024
0.1.81 995 1/1/2024
0.1.77 767 1/1/2024
0.1.71 724 1/1/2024
0.1.68 794 1/1/2024
0.1.64 706 1/1/2024
0.1.63 877 1/1/2024
0.1.54 713 12/31/2023
0.1.49 700 12/30/2023
0.1.46 610 12/30/2023
0.1.16 689 12/22/2023
0.1.10 1,234 12/21/2023
0.1.9 814 12/21/2023