NuGroom

NuGroom - Nuget package inventory and grooming

A command-line tool that connects to Azure DevOps, searches all repositories for C#, Visual Basic and F# project files, extracts PackageReference lines, and provides comprehensive package analysis including multi-feed NuGet package information resolution with PAT authentication.

Features

Repository Scanning — connects to Azure DevOps and discovers all project files across repositories
Local File Scanning — scans local files and folders with --paths, no Azure DevOps required
NuGet Resolution — resolves package metadata from multiple feeds with PAT authentication
Vulnerability Scanning — checks packages against NuGet feed advisories and the OSV.dev database with local caching
Vulnerability-Only Scan — --list-vulnerabilities scans for vulnerabilities and reports only if any are found (CI/CD gate compatible)
Central Package Management — automatic CPM detection, updates, and migration (--migrate-to-cpm)
Automated Updates — creates feature branches and pull requests for outdated packages, or updates local files directly
Package Sync — force a specific package to an exact version across repositories or local files
Version Warnings — configurable warnings for version differences with actionable recommendations
Health Indicators — flags deprecated, outdated, and vulnerable packages
Internal Package Detection — identifies internal packages and their likely source projects
Export — JSON, CSV, and SPDX 3.0.0 SBOM export
Renovate Compatibility — respects ignoreDeps, disabled packageRules, and reviewers
Flexible Filtering — exclude packages, projects, and repositories by prefix, name, or regex
Configuration File — store all settings in JSON with environment variable support for secrets

Quick Start

# Install as a global dotnet tool
dotnet tool install --global NuGroom

# Basic scan
nugroom --organization "https://dev.azure.com/yourorg" --token "your-pat-token"

# Using a config file (recommended)
nugroom --config settings.json

# Dry-run package updates
nugroom --config settings.json --dry-run --update-scope Minor

# Apply updates (creates branches and PRs)
nugroom --config settings.json --update-references --update-scope Patch

# Scan local files (no Azure DevOps needed)
nugroom --paths ./src --paths MyApp.csproj

# Dry-run local updates
nugroom --paths ./src --dry-run --update-scope Minor

# Apply local updates directly to files on disk
nugroom --paths ./src --update-references --update-scope Patch

# Sync one package version across local files
nugroom --paths ./src --sync Newtonsoft.Json 13.0.3

# Migrate local projects to Central Package Management
nugroom --paths ./src --migrate-to-cpm

# Scan only web projects, excluding test projects
nugroom --paths ./src --include-project ".*\.Web\.csproj$" --exclude-project ".*\.Tests\.csproj$"

# Scan local files for vulnerabilities only (exits with code 1 if any found)
nugroom --paths ./src --list-vulnerabilities

# Scan Azure DevOps repos for vulnerabilities only
nugroom --config settings.json --list-vulnerabilities

Prerequisites

.NET 10.0 or later
For Azure DevOps mode: Personal Access Token with Code (Read) permissions
For automatic updates via PRs: PAT with Code (Read & Write) and Pull Request Threads (Read & Write) permissions
For local mode (--paths): no Azure DevOps credentials required

Documentation

Document	Description
Getting Started	Prerequisites, installation, and usage examples
CLI Reference	Complete list of all command line options
Configuration	Config file format, fields, feed authentication, and environment variables
Features	CPM, version warnings, filtering, health indicators, and more
Vulnerability Scanning	NuGet advisories, OSV.dev integration, caching, and configuration
Automated Updates	Package updates, sync, version increment, and PR workflow
Renovate Compatibility	Integration with Renovate configuration
Export Formats	JSON, CSV, and SPDX 3.0.0 SBOM export
Output Examples	Sample console output for common operations
Azure DevOps Pipelines	Installation, pipeline examples, and `System.AccessToken` setup
Troubleshooting	Debugging, security, performance, and known issues

Roadmap

✅ Version warning system with configurable levels
✅ Automated package update recommendations
✅ Automated package updates with branch creation and PR workflow
✅ Renovate compatibility (ignoreDeps, packageRules, reviewers)
✅ Central Package Management (CPM) detection, updates, and migration
✅ Integration with official vulnerability databases (NuGet advisories + OSV.dev)
Graph visualization of internal dependencies
Support for Azure Key Vault credential storage

This site is open source. Improve this page.