Overview
NuGet Audit provides warnings during restore when a package with a known vulnerability is used by a project.
See also: NuGetAudit 2.0: Elevating Security and Trust in Package Management.
Adding Audit Sources to NuGet.Config
Regardless of whether nuget.org is used as a package source, if you wish to use NuGet Audit for vulnerable package reporting during restore, add the following configuration to your NuGet.Config file in your solution directory:
<configuration>
  <!-- any existing config, including <packageSources> -->
  <auditSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </auditSources>
</configuration>
Make sure to replace any existing <packageSources> configurations as needed.
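The following script is an added example (not from the NuGet documentation) that enforces the configuration above from CI: it reports whether a NuGet.Config already declares nuget.org as an audit source and, if not, adds the <auditSources> block while leaving any existing <packageSources> untouched. The sample configuration and the private feed URL in it are constructed.

```python
"""Ensure a NuGet.Config declares nuget.org under <auditSources>.

Added example, standard library only; works on the XML text so it can run
in CI before `dotnet restore` (the audit needs an audit source to report).
"""
import xml.etree.ElementTree as ET

AUDIT_SOURCE_KEY = "nuget.org"
AUDIT_SOURCE_URL = "https://api.nuget.org/v3/index.json"

# Constructed sample: a private feed is the only package source and no
# audit source is declared, so restore has no vulnerability data to check.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="internal" value="https://feed.example.invalid/v3/index.json" />
  </packageSources>
</configuration>
"""


def audit_sources(config_xml: str) -> list[tuple[str, str]]:
    """Return the (key, value) pairs declared under <auditSources>."""
    section = ET.fromstring(config_xml).find("auditSources")
    if section is None:
        return []
    return [(a.get("key", ""), a.get("value", "")) for a in section.findall("add")]


def has_nuget_org_audit_source(config_xml: str) -> bool:
    """True when restore will audit dependencies against nuget.org."""
    return (AUDIT_SOURCE_KEY, AUDIT_SOURCE_URL) in audit_sources(config_xml)


def ensure_audit_sources(config_xml: str) -> str:
    """Add (or reset) <auditSources> to exactly: <clear/> + nuget.org.

    <packageSources> is not modified: audit sources only say where
    vulnerability data comes from, not where packages are downloaded from.
    """
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError("not a NuGet.Config: root element must be <configuration>")
    section = root.find("auditSources")
    if section is None:
        section = ET.SubElement(root, "auditSources")
    for child in list(section):  # drop stale entries so the list is deterministic
        section.remove(child)
    ET.SubElement(section, "clear")
    ET.SubElement(section, "add", key=AUDIT_SOURCE_KEY, value=AUDIT_SOURCE_URL)
    ET.indent(root)  # Python 3.9+
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(ensure_audit_sources(SAMPLE_CONFIG))
```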
The restore command automatically runs when you do a common package operation such as loading a project for the first time, adding a new package, updating a package version, or removing a package from your project in your favorite IDE. Your dependencies are checked against a list of known vulnerabilities provided by your audit sources.
See also: Auditing package dependencies for security vulnerabilities.
You may run the following command to list packages with known vulnerabilities:
dotnet list package --vulnerable
Reference
For more information, refer to the Microsoft Learn documentation.