Use lockfiles like packages.lock.json in your .NET build for better SCA detection with CybeDefend.
.NET projects often rely on NuGet packages. Generating a packages.lock.json file creates a stable snapshot of every dependency and sub-dependency, which is critical for accurate CybeDefend SCA scanning.
Enable Lockfiles in .csproj
You can enable lockfiles in either of these ways:
Option A: Add to your .csproj file:
Option B: For all projects, create a Directory.Build.props file in your solution root:
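Both options set the same NuGet MSBuild property. The two files below are an added example, not the page's own snippets; RestorePackagesWithLockFile and RestoreLockedMode are the real NuGet property names, while the project name, target framework and the ContinuousIntegrationBuild condition are illustrative assumptions:

```xml
<!-- Option A: inside one project file, e.g. MyService.csproj (placeholder name) -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <!-- Ask NuGet to write packages.lock.json next to this project on restore -->
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
  </PropertyGroup>
</Project>

<!-- Option B: Directory.Build.props in the solution root.
     MSBuild imports it into every project beneath that directory, so all projects get a lockfile. -->
<Project>
  <PropertyGroup>
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
    <!-- Optional hardening (assumed convention): on CI, fail the restore instead of silently
         rewriting the lockfile when the resolved graph no longer matches it. Equivalent to
         passing --locked-mode on the command line. -->
    <RestoreLockedMode Condition="'$(ContinuousIntegrationBuild)' == 'true'">true</RestoreLockedMode>
  </PropertyGroup>
</Project>
```

With either file in place, a plain dotnet restore produces packages.lock.json; the locked-mode setting is what turns an unexpected dependency change into a build failure rather than a quietly updated lockfile.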
Run dotnet restore
This generates a packages.lock.json file for each project.
Commit packages.lock.json
Never edit this file manually. Let dotnet restore handle updates.
Using a lockfile is critical for secure and predictable builds. A lockfile records a fixed version and a content hash for each dependency and sub-dependency in your project, so every restore resolves exactly the same packages.
Lockfiles are never edited manually. They are generated and updated by your package manager and committed to your repository, ensuring consistent environments for all teammates.
dotnet restore --use-lock-file (generates and uses packages.lock.json without changing the project file)
dotnet restore --locked-mode (fails the restore instead of rewriting the lockfile when the resolved dependencies no longer match it; use this in CI)
.csproj or Directory.Packages.props, then run dotnet restore --force to update the lockfile.
For larger solutions with many projects, use NuGet's Central Package Management:
Create a Directory.Packages.props file in your solution root:
In your project files, reference packages without versions:
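The two steps above, as an added example rather than the page's own files. ManagePackageVersionsCentrally, PackageVersion and RestorePackagesWithLockFile are the real NuGet names; the package list, pinned versions and target framework are illustrative placeholders:

```xml
<!-- Directory.Packages.props in the solution root -->
<Project>
  <PropertyGroup>
    <!-- Turn on Central Package Management for every project beneath this directory -->
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <!-- Keep lockfile generation here too, so no project is left without packages.lock.json -->
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
  </PropertyGroup>
  <ItemGroup>
    <!-- One pinned version per package for the whole solution (versions are placeholders) -->
    <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageVersion Include="Serilog" Version="3.1.1" />
  </ItemGroup>
</Project>

<!-- Any project file beneath it, e.g. MyService.csproj (placeholder name).
     PackageReference carries no Version attribute; under CPM a Version here is rejected
     by NuGet with error NU1008, which is what keeps projects from drifting apart. -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" />
    <PackageReference Include="Serilog" />
  </ItemGroup>
</Project>
```

To bump a dependency, change the single PackageVersion entry, run dotnet restore --force, and commit both Directory.Packages.props and the regenerated packages.lock.json files together so the scan sees the same versions the build uses.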
| File Examples |
|---|
| .deps.json, packages.lock.json, Directory.Packages.props, .csproj |
If your lockfile is missing, SCA scanning might detect only some NuGet packages, or report incorrect versions of them. Lockfiles ensure precise dependency resolution.
Use Directory.Packages.props (NuGet Central Package Management) for an even cleaner approach to pinning versions consistently across multiple projects.