Aikido can find known vulnerabilities (CVE) in your .NET dependencies as well as dangerous licenses being used by those dependencies.
How does Aikido find those dependencies and their transitive subdependencies?
Out of the box, Aikido supports the following files for scanning:
Note that .csproj files often do not pin exact versions for some of your dependencies (a version range such as 13.0.* resolves differently over time), so Aikido may not be able to find the full range of risks in your application.
It's recommended to use lockfiles, which record an exact version and a content hash for each NuGet dependency and for every transitive subdependency.
There are other reasons to use lockfiles besides making security scanning easier for Aikido:
Using a lockfile protects you against supply chain attacks via malicious packages: restore verifies each package against the recorded version and content hash instead of silently picking up a newer or substituted package. This kind of attack is becoming more popular.
Using a lockfile makes your build more predictable, as everyone restores the exact same version of every package. Less chance of 'works on my machine'.
Faster build times: the resolved dependency graph is already recorded, so restore no longer needs to perform dependency resolution.
How to start using lockfiles in your .NET project?
To create a lock file, you need to add the following lines to your
<PropertyGroup>
  <!-- Generate the lock file (packages.lock.json) on restore -->
  <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
  <!-- Restore the exact packages as listed in the lock file; fail in CI if the lock file is out of date -->
  <RestoreLockedMode Condition="'$(ContinuousIntegrationBuild)' == 'true'">true</RestoreLockedMode>
</PropertyGroup>
After these lines are added, run
This will generate a lockfile (packages.lock.json) that you should commit to the repo. Never edit this file by hand, just as you would not edit a package-lock.json file in the npm/Node.js world.
To restore using an existing lockfile, run
dotnet.exe restore --locked-mode
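To see what the generated packages.lock.json actually records, and why a scanner wants it, here is an added example (not Aikido's own code or tooling) that parses a constructed lockfile in the version-1 format, lists every direct and transitive package with its pinned version, and flags any NuGet entry that lacks an exact resolved version or contentHash, which is what a hand-edited lockfile typically looks like. The package names, versions and hashes in the sample are constructed placeholders.

```python
import json

# Constructed sample in the packages.lock.json format (version 1):
# two direct packages, one transitive subdependency, a project reference
# and one entry whose contentHash was (wrongly) removed by hand.
SAMPLE_LOCKFILE = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.1, )",
                                "resolved": "13.0.1", "contentHash": "PLACEHOLDER-A=="},
            "Microsoft.Extensions.Logging": {
                "type": "Direct", "requested": "[6.0.0, )", "resolved": "6.0.0",
                "contentHash": "PLACEHOLDER-B==",
                "dependencies": {"Microsoft.Extensions.DependencyInjection": "6.0.0"}},
            "Microsoft.Extensions.DependencyInjection": {
                "type": "Transitive", "resolved": "6.0.0", "contentHash": "PLACEHOLDER-C=="},
            "Serilog": {"type": "Direct", "requested": "[2.12.0, )", "resolved": "2.12.0"},
            "MyCompany.Shared": {"type": "Project"},
        }
    },
})


def inventory(lockfile_text):
    """Map (tfm, package) -> type, pinned version and content hash for every entry."""
    data = json.loads(lockfile_text)
    if data.get("version") != 1:
        raise ValueError("unsupported packages.lock.json version")
    result = {}
    for tfm, packages in data["dependencies"].items():
        for name, entry in packages.items():
            result[(tfm, name)] = {"type": entry.get("type"),
                                   "version": entry.get("resolved"),
                                   "hash": entry.get("contentHash")}
    return result


def unpinned(lockfile_text):
    """NuGet entries (project references excluded) lacking an exact version or hash.
    A scanner cannot match these reliably, and restore cannot verify their content."""
    return sorted(name for (_, name), e in inventory(lockfile_text).items()
                  if e["type"] != "Project" and not (e["version"] and e["hash"]))


if __name__ == "__main__":
    for (tfm, name), e in inventory(SAMPLE_LOCKFILE).items():
        print(f"{tfm:8} {e['type']:10} {name} {e['version'] or '-'}")
    print("entries without version+hash:", unpinned(SAMPLE_LOCKFILE))
```

Running it against a real packages.lock.json from your repo (read the file instead of SAMPLE_LOCKFILE) gives the same inventory of exact versions that Aikido matches against CVE data.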