Product updates
Sign up for free

Submit a Support ticket Sign in to Support Sign up for free

 

Language & package manager support

See more
  1. Docs Library | Snyk
  2. Snyk Open Source
  3. Language & package manager support

Snyk for .NET

Snyk offers security scanning to test your projects for vulnerabilities, both through your CLI and through different integrations from our UI.

The following describes how to use Snyk to scan your .NET projects:

Features

Note

Features might not be available, depending on your subscription plan.

 

Package managers/Features

CLI support

Git support

License scanning

Remediation

Runtime monitoring

i_icon_nuget.png

NuGet 

✔︎

✔︎

✔︎

    

i_icon_paket.png

Paket

✔︎

 

✔︎

    
 

How it works

Once we’ve built the tree, we can use our vulnerability database to find vulnerabilities in any of the packages anywhere in the dependency tree.

Note

In order to scan your dependencies, you must ensure you have first installed the relevant package manager, and that your project contains the supported manifest files.

The way by which Snyk analyzes and builds the tree varies depending on the language and package manager of the project, as well as the location of your project:

 

Snyk CLI tool for .NET projects

First, build the .NET project by running dotnet restore prior to running snyk test. For more information on building projects, check out Getting started with the CLI.

The following manifest files are supported:

  • project.json

  • packages.config

  • paket.dependencies + paket.lock

  • project.assets.json

Note: In addition *.csproj file may be used if present to collect TargetFramework.

While the manifest files provide some information on dependencies is also necessary to analyze the packages folder and build artifacts to get a full dependency tree. So the project/solution must be fully built before the Snyk scan.

Nuget
Follow the same instructions as Snyk CLI tool for .NET projects
Paket

In order to build the dependency tree, Snyk analyzes the paket.dependencies and paket.lock files.

 
CLI parameters for .NET

This section describes the unique CLI options available when working with .NET-based projects.

Prerequisites

  • Best practice dictates that the project be fully built so the installed packages can be analyzed. While manifest files provide most of the information on which dependencies the project uses--some dependencies may only resolve after the project build is complete. Depending on specific use cases, the packages folder & build artifacts are also analyzed.

  • When running Snyk test, we test the first manifest file we find. If you want to check all of the .NET manifest files included in a single solution--use the --file parameter, similar to the following:

    $ snyk test --file=myApp.sln

    • Ensure you've installed the relevant package manager before you begin using the Snyk CLI tool.

    • Ensure you've included the relevant manifest files supported by Snyk before testing.

    • Install and authenticate the Snyk CLI to start analyzing projects from your local environment. Read more about our CLI in Getting started with the CLI as well.

 
Parameters

Option

Description

--assets-project-name

When monitoring a .NET project using NuGet, the PackageReference key uses the project name that is indicated in the project.assets.json.

--packages-folder

This is the folder in which your dependencies are installed. If you’ve assigned a unique name to this folder, then Snyk can only find it if you enter a custom path. 

Use the absolute or relative path, including the name of the folder where your dependencies reside.

--file=<your_solution>.sln

Test all .NET projects included in the given .sln file

--file=packages.config

Test an individual .NET project.
 
 
 

Git services for .NET projects

.NET projects can be imported from any of the Git services we support.

Once imported, Snyk analyzes your projects based on their supported manifest files and then builds the dependency tree and displays it from our app, similar to the following:

dependency_tree.png
Nuget 

Once you select a project for import, we build the dependency tree based on these manifest files: 

  • For .NET Core, the *.proj files 

  • For .NET Framework, the *.proj file, and packages.config 

A .NET project can target multiple target frameworks. Snyk creates a separate dependency tree for each target framework, displaying each as a separate Snyk project from the interface. In this way, it’s easier to understand why a dependency is being used and also to assess the fix strategy. 

 
Paket

No import support currently.

 
Git settings for .NET

From the Snyk UI, you can configure whether Snyk should scan your entire project, including the build dependencies, or if the build dependencies should be skipped.

Prerequisites

  • A .NET build file is required for the Snyk test so that Snyk can analyze target frameworks for this project.

  • For CLI: When running Snyk test, we check the first file we find for testing. If you want to check all of the .NET manifest files included in a single solution, then use the --file parameter, similar to the following:

    $ snyk test--file=myApp.sln

    • Ensure you've installed the relevant package manager before you begin using the Snyk CLI tool.

    • Ensure you've included the relevant manifest files supported by Snyk before testing.

    • Install and authenticate the Snyk CLI to start analyzing projects from your local environment. Read more about our CLI in Getting started with the CLI as well.

 
Update language preferences

  1. Log in to your account and navigate to the relevant group and organization that you want to manage.

  2. Go to settings cog_icon.pngLanguages and click Edit settings for .NET

    Scan build dependencies - If checked, Snyk scans all development dependencies.