NuGet Security Auditing

This rule applies to files matching the patterns above.

# NuGet Security Auditing

## Rule
All .NET projects MUST enable NuGet audit with a minimum severity level of moderate. CI builds MUST fail on known vulnerabilities. Audit results must be reviewed before suppressing any warnings.

## Configuration
```xml
<!-- Directory.Build.props -->
<Project>
  <PropertyGroup>
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditLevel>moderate</NuGetAuditLevel>
    <NuGetAuditMode>all</NuGetAuditMode>
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>
</Project>
```

## Good Examples
```bash
# Run audit during restore
dotnet restore

# Explicit audit check
dotnet list package --vulnerable

# Include transitive dependencies
dotnet list package --vulnerable --include-transitive

# CI pipeline
dotnet restore --locked-mode
dotnet list package --vulnerable --include-transitive
# Fails if any vulnerable packages found
```

```xml
<!-- Suppress specific advisory with documented reason -->
<ItemGroup>
  <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-xxxx">
    <!-- Suppressed: Not exploitable in our usage context. Reviewed 2024-03-01 -->
  </NuGetAuditSuppress>
</ItemGroup>
```

## Bad Examples
```xml
<!-- BAD: Audit disabled -->
<NuGetAudit>false</NuGetAudit>

<!-- BAD: Only checking direct dependencies -->
<NuGetAuditMode>direct</NuGetAuditMode>
<!-- Transitive vulnerabilities are just as dangerous -->

<!-- BAD: Blanket suppression without documentation -->
<NoWarn>NU1904;NU1903;NU1902</NoWarn>
```

## Enforcement
- NuGetAudit enabled in Directory.Build.props (affects all projects)
- CI runs `dotnet list package --vulnerable --include-transitive`
- Dependabot or Renovate for automated security updates
- Quarterly review of audit suppressions