phylum-dev · cd-work · Nov 19, 2024 · Nov 14, 2024 · Nov 19, 2024 · Nov 19, 2024
@@ -14,13 +14,14 @@ Phylum will block any package or version that violates the policy.
 The following table shows the supported ecosystem registries and the custom
 Phylum registry URLs under which they are hosted:
 
-| Ecosystem | Phylum Registry URL              |
-| --------- | -------------------------------- |
-| Cargo     | <https://cargo.phylum.io/>       |
-| Maven     | <https://maven.phylum.io/>       |
-| NPM       | <https://npm.phylum.io/>         |
-| PyPI      | <https://pypi.phylum.io/simple/> |
-| RubyGems  | <https://rubygems.phylum.io/>    |
+| Ecosystem | Phylum Registry URL                     |
+| --------- | --------------------------------------- |
+| Cargo     | <https://cargo.phylum.io/>              |
+| Maven     | <https://maven.phylum.io/>              |
+| NPM       | <https://npm.phylum.io/>                |
+| NuGet     | <https://nuget.phylum.io/v3/index.json> |
+| PyPI      | <https://pypi.phylum.io/simple/>        |
+| RubyGems  | <https://rubygems.phylum.io/>           |
 
 ## Configuration
 
@@ -40,6 +41,7 @@ registries:
 | Cargo     | [Documentation][Cargo]    |
 | Maven     | [Documentation][Maven]    |
 | NPM       | [Documentation][NPM]      |
+| NuGet     | [Documentation][NuGet]    |
 | PyPI      | [Documentation][PyPI]     |
 | RubyGems  | [Documentation][RubyGems] |
 
@@ -53,5 +55,6 @@ receive those notifications, you can [setup webhooks].
 [Cargo]: ./cargo.md
 [Maven]: ./maven.md
 [NPM]: ./npm.md
+[NuGet]: ./nuget.md
 [PyPI]: ./pypi.md
 [RubyGems]: ./rubygems.md
@@ -0,0 +1,96 @@
+# Phylum NuGet Registry
+
+The Phylum NuGet registry is based on NuGet's [Server API].
+
+[Server API]: https://learn.microsoft.com/en-us/nuget/api/overview
+
+## Configuration
+
+All configuration options will require a Phylum API key, since Phylum requires
+authentication. You can find out how to generate one in our
+[API Keys documentation].
+
+In the following examples, all API keys will be represented as
+`<PHYLUM_API_KEY>`, so make sure to replace them with your generated key.
+
+Additionally, if the default policy is not sufficient, a group can be passed to
+evaluate all packages against the group's policy. To do this, just replace
+`<PHYLUM_ORG>` and `<PHYLUM_GROUP>` with the desired org and group name. The
+supplied API key **must** have access to this group.
+
+If Phylum's default [policy] is sufficient, you can omit the username from the
+authentication details.
+
+[API Keys documentation]: ../knowledge_base/api-keys.md#generate-an-api-key
+[policy]: ../knowledge_base/policy.md
+
+### `dotnet`
+
+To use the Phylum NuGet registry, the original nuget.org registry first needs to
+be disabled:
+
+```sh
+dotnet nuget disable source nuget.org
+```
+
+Once the official registry is disabled, the Phylum source can be added. If
+you're not running Windows, you'll also have to add the
+`--store-password-in-clear-text` flag.
+
+```sh
+dotnet nuget add source https://nuget.phylum.io/v3/index.json \
+    --protocol-version 3 \
+    --name Phylum \
+    --valid-authentication-types basic \
+    --username <PHYLUM_ORG>/<PHYLUM_GROUP> \
+    --password <PHYLUM_API_KEY>
+```
+
+> ⚠️ **WARNING** ⚠️
+>
+> Do not accidentally save your token into your shell history.
+
+A blocked package will show up in `dotnet` output as missing:
+
+```text
+/Demo.csproj : error NU1102: Unable to find package Example.Vulnerable with version (= 1.2.3)
+/Demo.csproj : error NU1102:   - Found 42 version(s) in Phylum [ Nearest version: 2.0.0 ]
+```
+
+If a version range is accepted by the manifest, the package manager will
+automatically attempt to use a version that passes Phylum's policy.
+
+### `nuget`
+
+To use the Phylum NuGet registry, the original nuget.org registry first needs to
+be disabled:
+
+```sh
+nuget sources Disable -Name nuget.org
+```
+
+Once the official registry is disabled, the Phylum source can be added. If
+you're not running Windows, you'll also have to add the
+`--store-password-in-clear-text` flag.
+
+```sh
+nuget sources Add \
+    -Source https://nuget.phylum.io/v3/index.json\
+    -ProtocolVersion 3 \
+    -Name Phylum
+    -UserName <PHYLUM_ORG>/<PHYLUM_GROUP>
+    -Password <PHYLUM_API_KEY>
+```
+
+> ⚠️ **WARNING** ⚠️
+>
+> Do not accidentally save your token into your shell history.
+
+A blocked package will show up in `nuget` output as missing:
+
+```text
+Package 'Example.Vulnerable 1.2.3' is not found in the following primary source(s): 'https://nuget.phylum.io/v3/index.json'. Please verify all your online package sources are available (OR) package id, version are specified correctly.
+```
+
+If a version range is accepted by the manifest, the package manager will
+automatically attempt to use a version that passes Phylum's policy.
@@ -132,6 +132,7 @@ const sidebars = {
         'artifact_repositories/cargo',
         'artifact_repositories/maven',
         'artifact_repositories/npm',
+        'artifact_repositories/nuget',
         'artifact_repositories/pypi',
         'artifact_repositories/rubygems',
         'artifact_repositories/api',