Skip to content


Trivy supports .NET core and NuGet package managers.

The following scanners are supported.

Artifact SBOM Vulnerability License
.Net Core -

The following table provides an outline of the features Trivy offers.

Package manager File Transitive dependencies Dev dependencies Dependency graph Position
.Net Core *.deps.json Excluded -
NuGet packages.config Excluded - -
NuGet *Packages.props - Excluded - -
NuGet packages.lock.json Included


Trivy parses *.deps.json files. Trivy currently excludes dev dependencies from the report.


Trivy only finds dependency names and versions from packages.config files. To build dependency graph, it is better to use packages.lock.json files.


Trivy parses *Packages.props files. Both legacy Packages.props and modern Directory.Packages.props are supported.

license detection

packages.config files don't have information about the licenses used. Trivy uses *.nuspec files from global packages folder to detect licenses.


The licenseUrl field is deprecated. Trivy doesn't parse this field and only checks the license field (license expression type only).

Currently only the default path and NUGET_PACKAGES environment variable are supported.


Don't forgot to enable lock files in your project.


Please make sure your lock file is up-to-date after modifying dependencies.

license detection

Same as packages.config