Skip to content


Trivy supports .NET core and NuGet package managers.

The following scanners are supported.

Artifact SBOM Vulnerability License
.Net Core -
NuGet -

The following table provides an outline of the features Trivy offers.

Package manager File Transitive dependencies Dev dependencies Dependency graph Position
.Net Core *.deps.json Excluded -
NuGet packages.config Excluded - -
NuGet packages.lock.json Included


Trivy parses *.deps.json files. Trivy currently excludes dev dependencies from the report.


Trivy only finds dependency names and versions from packages.config files. To build dependency graph, it is better to use packages.lock.json files.


Don't forgot to enable lock files in your project.


Please make sure your lock file is up-to-date after modifying dependencies.