DotUtils.BuildChecks
0.0.6-beta
dotnet add package DotUtils.BuildChecks --version 0.0.6-beta
NuGet\Install-Package DotUtils.BuildChecks -Version 0.0.6-beta
<PackageReference Include="DotUtils.BuildChecks" Version="0.0.6-beta">
  <PrivateAssets>all</PrivateAssets>
  <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
</PackageReference>
<PackageVersion Include="DotUtils.BuildChecks" Version="0.0.6-beta" />
<PackageReference Include="DotUtils.BuildChecks">
  <PrivateAssets>all</PrivateAssets>
  <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
</PackageReference>
paket add DotUtils.BuildChecks --version 0.0.6-beta
#r "nuget: DotUtils.BuildChecks, 0.0.6-beta"
#addin nuget:?package=DotUtils.BuildChecks&version=0.0.6-beta&prerelease
#tool nuget:?package=DotUtils.BuildChecks&version=0.0.6-beta&prerelease
DotUtils Custom BuildChecks
UntrustedLocationCheck
It is strongly recommended not to place MSBuild project files in locations where other logic has write access to the parent folders. This is because MSBuild (more specifically, the SDK common targets) traverses the folder structure hierarchically, looking for auto-importable MSBuild logic. This check flags attempts to build from the Downloads folder.
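The upward lookup described above can be audited before a build. The following is an added example, not code from DotUtils.BuildChecks: the function names are hypothetical, the "Downloads" path-component match is an assumed heuristic, and `Directory.Packages.props` (NuGet's centrally managed versions file, also located by walking upward) goes beyond what the page names.

```python
import tempfile
from pathlib import Path

# Files that MSBuild / NuGet locate by walking up the parent folders.
AUTO_IMPORT_NAMES = ("Directory.Build.props", "Directory.Build.targets",
                     "Directory.Packages.props")

def nearest_auto_imports(project_file):
    """Map each auto-import name to the nearest ancestor copy, if any."""
    start = Path(project_file).resolve().parent
    found = {}
    for folder in (start, *start.parents):
        for name in AUTO_IMPORT_NAMES:
            candidate = folder / name
            # The first hit while walking upward wins.
            if name not in found and candidate.is_file():
                found[name] = candidate
    return found

def in_downloads_folder(project_file):
    """Assumed heuristic: some path component is named 'Downloads'."""
    parts = Path(project_file).resolve().parts
    return any(part.lower() == "downloads" for part in parts)

def audit(project_file, trusted_root):
    """Return (kind, path) findings for one project file."""
    trusted = Path(trusted_root).resolve()
    findings = []
    if in_downloads_folder(project_file):
        findings.append(("untrusted-location", Path(project_file)))
    for _, path in sorted(nearest_auto_imports(project_file).items()):
        if trusted not in path.parents:  # picked up from above the repo
            findings.append(("outside-import", path))
    return findings

def demo():
    """Constructed tree: repo unpacked under Downloads, stray props file above it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp).resolve() / "Downloads" / "repo"
        (repo / "src").mkdir(parents=True)
        (repo / "src" / "App.csproj").write_text("<Project />")
        (repo / "Directory.Build.targets").write_text("<Project />")
        (repo.parent / "Directory.Build.props").write_text("<Project />")
        found = audit(repo / "src" / "App.csproj", repo)
        return [(kind, path.name) for kind, path in found]

if __name__ == "__main__":
    for kind, name in demo():
        print(kind, name)
```

In the constructed tree, the `Directory.Build.targets` inside the repository is not reported, while the `Directory.Build.props` one level above it is, because that is the copy the build would import.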
EnvironmentVariableSecretsCheck
The UsedEnvironmentVariablesCheck is a custom MSBuild check that detects sensitive data and secrets in environment variables used during the build process. This check helps identify potential security risks by scanning environment variable values for common secrets, explicit secrets, and usernames. The check automatically monitors environment variable access during the build process.
When a secret is detected, it generates a build warning with the following information:
- Secret type (SubKind)
- Secret value (truncated based on verbose settings)
- Location in build files (file, line, column)
Example Output
warning DU0202: CommonSecret with value: 'APIKey123***' at project.props(12,5)
ImportedProjectsSecretsCheck
The ImportedProjectsSecretsCheck is a custom MSBuild check that scans imported project files for sensitive data and secrets during the build process. This security-focused check examines the content of imported .props and .targets files to identify potential security risks such as common secrets, explicit secrets, and usernames embedded in the project files.
The check automatically scans project files when they are imported during the build process. It respects the configured evaluation scope to determine which imported files should be analyzed.
When a secret is detected, it generates a build warning with the following information:
- Secret type (CommonSecrets, ExplicitSecrets, or Username)
- The detected secret value
- Precise location within the imported file (file path, line, column)
Example Output
warning DU0203: CommonSecret with value: 'SuperSecretToken123' at imported/custom.props(15,8)
Note: The check considers the evaluation scope configuration to determine which imported projects to analyze, helping to focus the security scanning on relevant project files within your build hierarchy.
UnexpectedNugetBuildLogic
TBD
.NETStandard 2.0
Version | Downloads | Last updated |
---|---|---|
0.0.6-beta | 74 | 11/5/2024 |
0.0.5-beta | 60 | 11/4/2024 |
0.0.4-beta | 59 | 10/22/2024 |
0.0.3-beta | 60 | 10/22/2024 |
0.0.2-beta | 123 | 10/18/2024 |