{"id":16990022,"url":"https://github.com/tonycknight/pkgchk-cli","last_synced_at":"2026-01-31T03:01:07.371Z","repository":{"id":213541512,"uuid":"734350257","full_name":"tonycknight/pkgchk-cli","owner":"tonycknight","description":"A dotnet tool for package dependency checks.","archived":false,"fork":false,"pushed_at":"2026-01-25T22:06:35.000Z","size":220,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-01-26T14:11:34.771Z","etag":null,"topics":["ci","dotnet","nuget","sca"],"latest_commit_sha":null,"homepage":"","language":"F#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tonycknight.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-12-21T13:16:05.000Z","updated_at":"2026-01-25T21:49:18.000Z","dependencies_parsed_at":null,"dependency_job_id":"869b0d87-70b6-4b6f-a1a8-42bab936f882","html_url":"https://github.com/tonycknight/pkgchk-cli","commit_stats":null,"previous_names":["tonycknight/pkgchk-cli"],"tags_count":93,"template":false,"template_full_name":null,"purl":"pkg:github/tonycknight/pkgchk-cli","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tonycknight%2Fpkgchk-cli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tonycknight%2Fpkgchk-cli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tonycknight%2Fpkgchk-cli/releases","manifests_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tonycknight%2Fpkgchk-cli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tonycknight","download_url":"https://codeload.github.com/tonycknight/pkgchk-cli/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tonycknight%2Fpkgchk-cli/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28927765,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-31T02:59:34.861Z","status":"ssl_error","status_checked_at":"2026-01-31T02:59:05.369Z","response_time":128,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci","dotnet","nuget","sca"],"created_at":"2024-10-14T03:08:46.266Z","updated_at":"2026-01-31T03:01:07.351Z","avatar_url":"https://github.com/tonycknight.png","language":"F#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# pkgchk-cli\n\n[![Build \u0026 Release](https://github.com/tonycknight/pkgchk-cli/actions/workflows/build.yml/badge.svg)](https://github.com/tonycknight/pkgchk-cli/actions/workflows/build.yml)\n\n[![Nuget](https://img.shields.io/nuget/v/pkgchk-cli)](https://www.nuget.org/packages/pkgchk-cli/)\n\nA dotnet tool for package dependency checks.\n\n`dotnet list package` is a wonderful tool and with its `--vulnerable` option it is essential for 
verifying your project's dependencies. It's quick, easy and _free_. If you're not familiar with it or why you should depend on it (pun intended), [read this blog post](https://devblogs.microsoft.com/nuget/how-to-scan-nuget-packages-for-security-vulnerabilities/).\n\nUnfortunately, integrating it into your CI pipelines isn't as simple as you'd hope: the tool does not return a non-zero return code when vulnerabilities are found (what _every_ pipeline needs), and doesn't produce any reports for things like PR checks. We're left to dig into the build logs and parse the tool's console output to see what's up.\n\nThere are long-lived issues on the Dotnet \u0026 Nuget boards:\n- [Dotnet issue 16852](https://github.com/dotnet/sdk/issues/16852)\n- [Dotnet issue 25091](https://github.com/dotnet/sdk/issues/25091)\n- [Nuget issue 11781](https://github.com/NuGet/Home/issues/11781)\n\nSo until those issues are resolved, `dotnet list package` needs some workarounds in CI pipelines.\n\nThis tool tries to do just that. It wraps `dotnet list package` and interprets the output for vulnerabilities. Anything found results in a non-zero return code, and you get some nice markdown to make your PRs obvious. And because it's a `dotnet tool`, using it in a CI pipeline is as easy as using it on your dev machine.\n\n## If you want to use this as a Github Action\n\nA Github Action is available - see [pkgchk-action](https://github.com/tonycknight/pkgchk-action).\n\n## What you need to install it\n\n:warning: This tool only works with .Net SDK 7.0.200 or higher. \n\nYou'll need .Net SDK 7.0.200 installed. Any `global.json` files must use .Net SDK 7.0.200 or higher.\n\nIf your SDK is lower than 7.0.200, this tool will not work: you'll get some unexpected results. 
Sorry about that.\n.Net 7.0.200 introduced JSON output, which `pkgchk-cli` leans on.\n\n## Installing into your repository\n\nIf you want it in your pipelines, you'll need to install a version into your repository.\n\nCreate a tool manifest for your repository:\n\n```dotnet new tool-manifest```\n\nAdd the tool to your repository's toolset:\n\n```dotnet tool install pkgchk-cli```\n\n## Installing onto your machine\n\nIf you want to use it _in every directory_ just add the tool to your global toolset:\n\n```dotnet tool install pkgchk-cli -g```\n\n## How to use it\n\nTo get help:\n\n```pkgchk --help```\n\nTo check for top-level and transitive dependency vulnerabilities:\n\n```pkgchk scan \u003cproject|solution\u003e```\n\nIf there's only one project or solution file in your directory, omit the `\u003cproject|solution\u003e` argument.\n\nTo list dependencies:\n\n```pkgchk list \u003cproject|solution\u003e ```\n\nIf there's only one project or solution file in your directory, omit the `\u003cproject|solution\u003e` argument.\n\nTo list packages with upgrades:\n\n```pkgchk upgrades \u003cproject|solution\u003e ```\n\nIf there's only one project or solution file in your directory, omit the `\u003cproject|solution\u003e` argument.\n\n### Scan vulnerabilities and deprecations\n\n|  |  |  |   |\n| - | - | - | - |\n| `--vulnerable` | Scan for vulnerable packages | `true`/`false` | `true` by default |\n| `--deprecated` | Scan for deprecated packages | `true`/`false` | `false` by default |\n| `--transitive` | Scan for transitive packages, vulnerable, deprecated or otherwise | `true`/`false` | `true` by default |\n| `--output` | The relative or absolute directory for reports. If omitted, no reports are generated | `string` | None by default |\n| `--severity` | Severity levels to search for, or deprecation reasons. Any number of severities can be given. 
| `string` | `High`, `Critical`, `Critical Bugs`, `Legacy` |\n| `--included-package` | The name of a package to specifically search for.  Multiple `--included-package` options can be given. | None by default |\n| `--excluded-package` | The name of a package to exclude from searches.  Multiple `--excluded-package` options can be given. | None by default |\n| `--no-restore` | Don't automatically restore the project/solution. | n/a | Package restoration is automatic by default |\n| `--trace` | Show working logs | n/a |  |\n\nTo check only for top-level dependency vulnerabilities:\n\n```pkgchk scan \u003cproject|solution\u003e --transitive false```\n\nTo add deprecated packages in a scan:\n\n```pkgchk scan \u003cproject|solution\u003e --deprecated true```\n\nVulnerable packages are automatically searched for. To turn off vulnerable package searches:\n\n```pkgchk scan \u003cproject|solution\u003e --vulnerable false```\n\nTo produce a markdown file, simply give an output folder:\n\n```pkgchk scan \u003cproject|solution\u003e --output ./reports_directory```\n\nProject restores (`dotnet restore`) occur automatically. To suppress restores and speed up scanning, just add `--no-restore`:\n\n```pkgchk scan \u003cproject|solution\u003e --no-restore```\n\nBy default only `High`, `Critical`, `Critical Bugs` and `Legacy` vulnerabilities and deprecations are detected. Specify the vulnerability severities (or deprecation reasons) with ``--severity`` switches, e.g. to just check for `Moderate` issues:\n\n```pkgchk scan \u003cproject|solution\u003e --severity Moderate```\n\n\n### Listing dependencies\n\n|  |  |  |   |\n| - | - | - | - |\n| `--included-package` | The name of a package to specifically search for.  Multiple `--included-package` options can be given. | None by default |\n| `--excluded-package` | The name of a package to exclude from searches.  Multiple `--excluded-package` options can be given. 
| None by default |\n| `--transitive` | Scan for transitive packages, vulnerable, deprecated or otherwise | `true`/`false` | `true` by default |\n| `--no-restore` | Don't automatically restore the project/solution. | n/a | Package restoration is automatic by default |\n| `--trace` | Show working logs | n/a |  |\n\nTo list top-level dependencies with transitives:\n\n```pkgchk list \u003cproject|solution\u003e ```\n\nTo list top-level dependencies without transitives:\n\n```pkgchk list \u003cproject|solution\u003e --transitive false```\n\n### Finding upgrades\n\n|  |  |  |   |\n| - | - | - | - |\n| `--included-package` | The name of a package to specifically search for.  Multiple `--included-package` parameters can be given. | None by default |\n| `--excluded-package` | The name of a package to exclude from searches.  Multiple `--excluded-package` parameters can be given. | None by default |\n| `--output` | The relative or absolute directory for reports. If omitted, no reports are generated | `string` | None by default |\n| `--no-restore` | Don't automatically restore the project/solution. | n/a | Package restoration is automatic by default |\n| `--trace` | Show working logs | n/a |  |\n\n### Configuration files\n\nIn some circumstances, you may need to apply a standard list of options, such as excluding specific packages across `scan`, `list`, `upgrade`.\n\nEach command has a `--config` parameter available for the name of a file, for example:\n\n```pkgchk upgrades --config pkgchkconfig.yml```\n\nIf you specify `--config`, all other configurable parameters (see below) will be ignored.\n\nThe accepted format is YAML:\n\n| | | | \n| - | - | - | \n| `noBanner` | To hide the command line's banner. | |\n| `noRestore` | Equivalent to the `--no-restore` parameter. | |\n| `excludePackages` | An array of package names to exclude, e.g. `excludedPackages: [ Ignored.Package ]` | \n| `includePackages` | An array of package names to include, e.g. 
`excludedPackages: [ Important.Package ]` | \n| `breakOnUpgrades` | For the `upgrades` command, to return a non-zero return code if package upgrades are found. |\n| `severities` | For the `scan` command, an array of severities, equivalent to the command's `--severity` parameters. | \n| `scanVulnerabilities` | For the `scan` command, equivalent to the command's `--vulnerable` parameter. |\n| `scanDeprecations` | For the `scan` command, equivalent to the command's `--deprecated` parameter. |\n| `scanTransitives` | Equivalent to the `--transitive` parameter. |\n\n## Integration within Github actions\n\nIf you want to directly use the tool in Github, simply restore the tool and run, with the same parameters as you'd use from the command line:\n\n```\nname: run SCA\nrun: |\n    dotnet tool restore    \n    pkgchk scan \u003cproject|solution\u003e\n```\n\nAlternatively, if you want better visibility and easier control within GitHub, [see pkgchk-action](https://github.com/marketplace/actions/pkgchk).\n\n## Integration within other CI platforms\n\nMost CI platforms fail on non-zero return codes from steps. \n\nSimply ensure your repository has `pkgchk-cli` in its tools manifest, your CI includes `nuget.org` as a package source and run:\n\n```\ndotnet tool restore\npkgchk scan \u003cproject|solution\u003e\n```\n\n\n## Licence\n\n`pkgchk-cli` is licenced under MIT.\n\n`pkgchk-cli` uses [Spectre.Console](https://spectreconsole.net/) - please check their licence.\n\n`pkgchk-cli` uses [`dotnet list package`](https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-list-package) published by Microsoft.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftonycknight%2Fpkgchk-cli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftonycknight%2Fpkgchk-cli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftonycknight%2Fpkgchk-cli/lists"}