With the release of Anchore Enterprise 2.3, we are happy to share that you can now scan for vulnerabilities in NuGet packages inside your container images.

This new language package support is made possible by the addition of the GitHub Security Advisories data source into Anchore. You can read more about GHSA and how to enable the feed source in Anchore in a previous post.

Viewing NuGet Feeds

Once you have successfully configured the GitHub Security Advisories feeds in your Anchore installation, you can view the status of the feeds synchronization via the Anchore CLI by running the `anchore-cli system feeds list` command, or by navigating to the ‘System’ view in the Anchore Enterprise UI (see below).

[Screenshot: feed sync view for NuGet packages]

Viewing NuGet packages

With NuGet, just as with any identified package (OS and non-OS), Anchore provides the name, version, location, origin, and license of each package, all accessible via the API or the UI in Anchore Enterprise (see below).

[Screenshot: viewing NuGet packages in Anchore]

This data is also accessible via the Anchore CLI by running: `anchore-cli image content mcr.microsoft.com/dotnet/core/sdk:2.1.805-nanoserver-1809 nuget`

Viewing Compliance and Vulnerabilities

Anchore also provides detailed compliance reports driven through policy. Anchore policies allow users to specify which checks to perform on which images and how the results should be interpreted. A policy is expressed as a policy bundle, which is made up of a set of rules that are used to evaluate a container image. The rules can define checks against an image for things such as security vulnerabilities, package whitelists and blacklists, configuration file contents, presence of credentials in an image, image manifest changes, exposed ports, and more.

In the example below, we can see that Medium severity vulnerabilities have been identified in NuGet packages present in the container image. The policy rule definition has been created to associate a WARN action when vulnerabilities of Medium severity are flagged.
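
A rule of the kind described above, written out as a minimal policy bundle. This is an added example, not taken from the original post or from Anchore's shipped bundles: every id and name is a constructed placeholder, and the field layout follows the Anchore policy bundle format (the `vulnerabilities` gate with its `package` trigger), which should be checked against the documentation for your installed version.

```json
{
  "id": "example-nuget-bundle",
  "name": "Example: warn on Medium vulnerabilities in non-OS packages",
  "version": "1_0",
  "comment": "Added example; every id and name here is a constructed placeholder",
  "whitelisted_images": [],
  "blacklisted_images": [],
  "whitelists": [],
  "mappings": [
    {
      "id": "example-mapping",
      "name": "default",
      "registry": "*",
      "repository": "*",
      "image": { "type": "tag", "value": "*" },
      "policy_ids": ["example-policy"],
      "whitelist_ids": []
    }
  ],
  "policies": [
    {
      "id": "example-policy",
      "name": "NuGet vulnerability checks",
      "version": "1_0",
      "comment": "package_type non-os scopes the rule to language packages such as NuGet",
      "rules": [
        {
          "id": "example-rule-medium-warn",
          "gate": "vulnerabilities",
          "trigger": "package",
          "action": "WARN",
          "params": [
            { "name": "package_type", "value": "non-os" },
            { "name": "severity_comparison", "value": "=" },
            { "name": "severity", "value": "medium" }
          ]
        }
      ]
    }
  ]
}
```

Saved to a file, a bundle like this is loaded with `anchore-cli policy add <file>` and made active with `anchore-cli policy activate <bundle id>`.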

[Screenshot: vulnerability status of NuGet packages]

Finally, to find out more about the nature of these GHSAs, Anchore users can simply click on the link which, in this case, will take them to the GitHub Security Advisories page where the issue is described in more detail (example).

[Screenshot: NuGet package advisory in GitHub]

At Anchore, we strive to provide comprehensive, actionable vulnerability identification that enables development without compromising security. The addition of NuGet package support allows users to find vulnerabilities in their .NET applications more quickly, highlighting the value of shifting security further to the left.

As always, you can view our documentation and installation guides for more information.