Supply-chain quarantine
Every pushed package version is scanned for known vulnerabilities (via OSV) at push time. A version whose findings meet the configured severity threshold is quarantined — stored but hidden from search and restore — until an admin reviews and releases it. Clean packages are admitted normally.
How it works
- On push, NuGetKeep queries OSV for the package and its direct dependencies.
- If a finding is at or above NUGETKEEP_VULN_BLOCK_SEVERITY, the version is quarantined (not servable) and an audit entry is written.
- Admins see quarantined versions on /admin/quarantine and can release them after review.
An OSV outage never blocks a push — the scan fails open (deferred) and is re-checked later.
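The gate described above, modelled as a small Python example added here (it is not NuGetKeep's code): an inclusive severity threshold standing in for NUGETKEEP_VULN_BLOCK_SEVERITY, a lookup over the package plus its direct dependencies, and the fail-open "deferred" outcome when the OSV lookup is unavailable. The severity ordering, the Finding shape, the lookup callable and the sample advisories are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Assumed severity ordering for the inclusive comparison (not taken from NuGetKeep).
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Finding:
    vuln_id: str      # advisory identifier as returned by the scanner
    severity: str     # one of SEVERITY_RANK's keys
    package: str      # the pushed package or one of its direct dependencies


class OsvUnavailable(Exception):
    """Raised by the (assumed) OSV client when the service cannot be reached."""


def decide(findings: Iterable[Finding], threshold: str = "High") -> Tuple[str, List[Finding]]:
    """Return ('quarantined', hits) if any finding meets the inclusive threshold, else ('admitted', [])."""
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {threshold}")
    bar = SEVERITY_RANK[threshold]
    # Findings with an unrecognised severity rank as 0 here (an assumption of this example).
    hits = [f for f in findings if SEVERITY_RANK.get(f.severity, 0) >= bar]
    return ("quarantined", hits) if hits else ("admitted", [])


def scan_on_push(lookup: Callable[[str, str], List[Finding]], package_id: str, version: str,
                 direct_deps: List[Tuple[str, str]], threshold: str = "High") -> Tuple[str, List[Finding]]:
    """Scan the pushed version and its direct dependencies; an outage fails open as 'deferred'."""
    findings: List[Finding] = []
    try:
        for name, ver in [(package_id, version), *direct_deps]:
            findings.extend(lookup(name, ver))
    except OsvUnavailable:
        # Fail open: the push still succeeds and the version is re-checked later.
        return "deferred", []
    return decide(findings, threshold)


# Constructed sample advisories keyed by (package, version); these are not real OSV records.
SAMPLE_OSV = {
    ("Contoso.Json", "1.0.3"): [Finding("EXAMPLE-0001", "Medium", "Contoso.Json")],
    ("Contoso.Crypto", "0.9.0"): [Finding("EXAMPLE-0002", "High", "Contoso.Crypto")],
}


def sample_lookup(name: str, version: str) -> List[Finding]:
    """Stand-in for the OSV client; 'Contoso.Offline' simulates an outage."""
    if name == "Contoso.Offline":
        raise OsvUnavailable(name)
    return SAMPLE_OSV.get((name, version), [])
```

Lowering the threshold to Medium in the second call shows why the comparison is inclusive: the Medium finding on a dependency then quarantines a package whose own scan is clean.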
Configuration
| Variable | Meaning | Default |
|---|---|---|
| NUGETKEEP_VULN_BLOCK_SEVERITY | Minimum severity that quarantines (inclusive). | High |
On Community edition the scan gate is disabled (packages are admitted without scanning). Apply an Enterprise license to activate it; see Licensing. If a license lapses, already-quarantined packages stay quarantined.