pcpm audit
Scan the resolved graph against known vulnerability advisories.
pcpm audit [options]
pcpm audit walks pcpm.lock and checks every package in the resolved
graph, transitive dependencies included, against a vulnerability
database. Because it reads the lockfile rather than the manifest, the
results reflect exactly the versions that will be restored. PCPM ships
with a built-in snapshot of the database that is refreshed on every
pcpm release (and on demand with --update-db); the data is sourced from
the GitHub Advisory Database, filtered to NuGet packages.
What it shows
For each vulnerable package, pcpm audit prints:
× Serilog@3.1.1
GHSA-xxxx-yyyy-zzzz (low) Information disclosure in Sinks.File
Affected: <3.1.2
Fixed in: 3.1.2
Patched: pcpm add Serilog@3.1.2
The exit code is non-zero if any finding of severity high or critical
is present. Low and medium findings are printed but do not by themselves
fail the run, so a CI gate that relies on the exit code alone will not
block on them; --no-fail suppresses the non-zero exit entirely.
Options
| Flag | Effect |
|---|---|
| `--severity <level>` | Report only findings at or above this severity (low, medium, high, critical). |
| `--json` | Output findings as JSON instead of the human-readable listing. |
| `--update-db` | Force a refresh of the bundled vulnerability database. |
| `--no-fail` | Always exit 0, even if vulnerabilities are found. |
Examples
# Standard audit (used in CI)
pcpm audit
# Only high and critical
pcpm audit --severity high
# Machine-readable for SARIF / GitHub Code Scanning
pcpm audit --json | audit2sarif > pcpm-audit.sarif
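A worked example of gating on the JSON output, added here and not part of pcpm or its documentation. pcpm audit only fails the run on high or critical findings, and this page does not document the JSON schema, so the script below ASSUMES a JSON array of findings with the fields package, version, advisory, severity, title and fixed_in (check real output before relying on it), applies a configurable severity floor, and emits a minimal SARIF 2.1.0 log for GitHub Code Scanning, standing in for the audit2sarif step shown above. The sample input is constructed, not real advisory data.

```python
"""Severity gate and SARIF converter for `pcpm audit --json`.

Added example, not part of pcpm. The JSON schema of `pcpm audit --json`
is not documented; the field names used here are an ASSUMPTION and
must be checked against real output before this is used in CI.
"""
import json
import sys

# Severity order, matching the levels accepted by --severity.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# SARIF result levels understood by GitHub Code Scanning.
SARIF_LEVEL = {"low": "note", "medium": "warning", "high": "error", "critical": "error"}

# Constructed sample input (not real advisory data): the Serilog entry from
# the listing above plus one fake medium-severity finding.
SAMPLE_JSON = json.dumps([
    {"package": "Serilog", "version": "3.1.1",
     "advisory": "GHSA-xxxx-yyyy-zzzz", "severity": "low",
     "title": "Information disclosure in Sinks.File", "fixed_in": "3.1.2"},
    {"package": "Example.Fake", "version": "1.0.0",
     "advisory": "GHSA-0000-0000-0000", "severity": "medium",
     "title": "Constructed finding for this example", "fixed_in": "1.0.1"},
])


def parse_findings(text):
    """Parse the assumed JSON array of findings.

    Severities outside the known set are promoted to critical so that a
    schema change or a new level fails the gate instead of slipping past it.
    """
    findings = json.loads(text)
    if not isinstance(findings, list):
        raise ValueError("expected a JSON array of findings")
    for f in findings:
        sev = str(f.get("severity", "")).lower()
        f["severity"] = sev if sev in SEVERITY_RANK else "critical"
    return findings


def findings_at_or_above(findings, threshold):
    """Findings whose severity is at or above `threshold` (same meaning as --severity)."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= floor]


def gate_exit_code(findings, threshold="medium"):
    """0 if nothing reaches the threshold, else 1.

    pcpm audit itself exits non-zero only for high/critical; this lets the
    pipeline choose its own floor.
    """
    return 1 if findings_at_or_above(findings, threshold) else 0


def to_sarif(findings):
    """Build a minimal SARIF 2.1.0 log. Every result is attached to
    pcpm.lock, the artifact the audit actually walks."""
    rules, results = {}, []
    for f in findings:
        rid = f["advisory"]
        rules.setdefault(rid, {
            "id": rid,
            "shortDescription": {"text": f["title"]},
            "helpUri": "https://github.com/advisories/" + rid,
        })
        results.append({
            "ruleId": rid,
            "level": SARIF_LEVEL[f["severity"]],
            "message": {"text": "%s@%s: %s (fixed in %s)" % (
                f["package"], f["version"], f["title"], f.get("fixed_in", "unknown"))},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "pcpm.lock"}}}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "pcpm audit", "rules": list(rules.values())}},
            "results": results,
        }],
    }


def main(argv):
    """pcpm audit --json --no-fail | python audit_gate.py [threshold] > out.sarif

    Falls back to the constructed sample when nothing arrives on stdin.
    """
    threshold = argv[1] if len(argv) > 1 else "medium"
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    findings = parse_findings(text if text.strip() else SAMPLE_JSON)
    json.dump(to_sarif(findings), sys.stdout, indent=2)
    return gate_exit_code(findings, threshold)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `pcpm audit --json --no-fail | python audit_gate.py medium > pcpm-audit.sarif`. The pipeline's exit status then comes from the script's own threshold rather than pcpm's fixed high/critical rule, and an unrecognised severity string is promoted to critical so a schema change fails closed instead of silently passing.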
Database
PCPM’s vulnerability database is built from the GitHub Advisory
Database. The pcpm-audit-data package is published separately
and versioned alongside pcpm. To pin a specific snapshot:
dotnet tool install --global pcpm-audit-data --version 2024.06.01
Pinning is mostly useful in regulated environments that need reproducible audit results. The trade-off is that advisories published after the pinned snapshot are not reported until the pin is moved, so pair a pinned audit with a periodic run against a current database.
See also
pcpm outdated: reports version drift, not security advisories.