Hi, we have a couple of NuGet packages which we explicitly do not want engineers to use. Is there any way SonarCloud can be configured to flag and fail the quality gate when a certain package is referenced in a project?
If not, could the community recommend alternative ways to achieve this?
Giving the Sonar(Source) perspective – SonarCloud does not perform SCA (Software Component Analysis) – and there is no rule to prevent the use of certain NuGet packages. Tools dedicated to SCA may be able to provide you with this functionality!
We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.
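One of the "alternative ways" the question asks about, added here as an example that is not part of either post and not SonarSource's code: a small CI script that scans MSBuild project files (`.csproj`, `.fsproj`, `.vbproj`, `Directory.Packages.props`) and legacy `packages.config` files for package IDs on a deny list and exits non-zero so the pipeline fails. The package IDs `Contoso.Legacy.Crypto` and `Fabrikam.Unsafe.Deserializer` are placeholders, and the embedded sample project is constructed for the demonstration; NuGet IDs are case-insensitive, so the comparison lowercases both sides.

```python
"""Fail a CI job when a .NET project references a disallowed NuGet package.

Added example (not from the forum thread): scans project files for package
IDs on a deny list and reports every hit so the pipeline can fail the build.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Hypothetical deny list (placeholder package IDs). NuGet package IDs are
# case-insensitive, so comparisons are done on lower-cased IDs.
BANNED_PACKAGES = {"Contoso.Legacy.Crypto", "Fabrikam.Unsafe.Deserializer"}

# File types that can carry PackageReference / PackageVersion items.
PROJECT_SUFFIXES = {".csproj", ".fsproj", ".vbproj", ".props", ".targets"}


def _local(tag):
    """Strip an XML namespace ('{ns}PackageReference' -> 'PackageReference').

    Old-style project files declare the MSBuild 2003 namespace; SDK-style
    files do not, so both forms must be handled.
    """
    return tag.rsplit("}", 1)[-1]


def find_banned_references(xml_text, banned, source="<string>"):
    """Return (source, package_id, version) for every banned package referenced.

    Handles <PackageReference Include="..." Version="..."/> (including the
    nested <Version> element form), <PackageVersion> items from central
    package management, and <package id="..." version="..."/> entries from
    packages.config.
    """
    banned_lower = {b.lower() for b in banned}
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ("PackageReference", "PackageVersion"):
            pkg_id = elem.get("Include") or elem.get("Update")
            version = elem.get("Version")
            if version is None:
                ver_elem = next((c for c in elem if _local(c.tag) == "Version"), None)
                version = ver_elem.text.strip() if ver_elem is not None and ver_elem.text else "?"
        elif tag == "package":
            pkg_id = elem.get("id")
            version = elem.get("version", "?")
        else:
            continue
        if pkg_id and pkg_id.lower() in banned_lower:
            hits.append((source, pkg_id, version))
    return hits


def scan_tree(root_dir, banned):
    """Walk a repository and collect banned references from all project files."""
    hits = []
    for path in sorted(Path(root_dir).rglob("*")):
        if path.suffix in PROJECT_SUFFIXES or path.name == "packages.config":
            try:
                # utf-8-sig strips the BOM that Visual Studio often writes.
                text = path.read_text(encoding="utf-8-sig")
                hits.extend(find_banned_references(text, banned, str(path)))
            except ET.ParseError as exc:
                print(f"warning: could not parse {path}: {exc}", file=sys.stderr)
    return hits


# Constructed sample project file used when no directory argument is given.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="contoso.legacy.crypto">
      <Version>1.2.0</Version>
    </PackageReference>
    <PackageReference Include="Fabrikam.Unsafe.Deserializer" Version="4.0.1" />
  </ItemGroup>
</Project>
"""


def main(argv):
    """Scan the directory given on the command line (or the sample); return exit code."""
    target = argv[1] if len(argv) > 1 else None
    if target:
        hits = scan_tree(target, BANNED_PACKAGES)
    else:
        hits = find_banned_references(SAMPLE_CSPROJ, BANNED_PACKAGES, "sample.csproj")
    for source, pkg, ver in hits:
        print(f"BANNED: {pkg} {ver} referenced in {source}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_banned_packages.py path/to/repo` as a build step before the SonarCloud analysis; a non-zero exit fails the job independently of the quality gate. Because it only inspects declared references, it will not catch a banned package pulled in transitively, which is where a dedicated SCA tool adds value.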