Proj0302: NuGet authentication should be secure
NuGet authentication should use secure, externalized credentials. Storing credentials securely prevents accidental exposure in source control and reduces the risk of unauthorized access.
Using ClearTextPassword is not recommended when authenticating to a NuGet feed.
A more secure way is to authenticate through a credential provider.
If ClearTextPassword is used anyway, at least make sure the credentials are defined through either the predefined NuGetPackageSourceCredentials_{name} variable or an injected environment variable, so that the secret itself never appears in the configuration file.
Non-compliant
<configuration>
  <packageSourceCredentials>
    <SomeKey>
      <add key="Username" value="Admin" />
      <add key="ClearTextPassword" value="33f!!lloppa" />
    </SomeKey>
  </packageSourceCredentials>
</configuration>
Compliant
<configuration>
  <packageSourceCredentials>
    <SomeKey>
      <add key="Username" value="Admin" />
      <add key="ClearTextPassword" value="%SOME_PLACEHOLDER%" />
    </SomeKey>
  </packageSourceCredentials>
</configuration>
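The same distinction can be checked outside the analyzer, for example in a pre-commit hook or CI step. The script below is an added example, not the analyzer's own implementation; the function name find_literal_passwords is hypothetical, and it assumes a value counts as externalized only when it is exactly one %NAME% reference.

```python
import re
import xml.etree.ElementTree as ET

# Assumption for this example: a ClearTextPassword value is treated as
# externalized only when the whole value is a single %NAME% reference.
ENV_PLACEHOLDER = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")

# The two configurations shown on this page.
NON_COMPLIANT = """
<configuration>
  <packageSourceCredentials>
    <SomeKey>
      <add key="Username" value="Admin" />
      <add key="ClearTextPassword" value="33f!!lloppa" />
    </SomeKey>
  </packageSourceCredentials>
</configuration>
"""

COMPLIANT = NON_COMPLIANT.replace("33f!!lloppa", "%SOME_PLACEHOLDER%")


def find_literal_passwords(nuget_config_xml):
    """Return the names of the credential sections (children of
    <packageSourceCredentials>) whose ClearTextPassword is a literal value."""
    root = ET.fromstring(nuget_config_xml)
    findings = []
    for source in root.findall("./packageSourceCredentials/*"):
        for add in source.findall("add"):
            key = add.get("key", "")
            value = add.get("value", "")
            # Keys are compared case-insensitively as a conservative choice,
            # so a differently cased key is still inspected.
            if key.lower() != "cleartextpassword":
                continue
            # An empty or partially templated value is reported as well:
            # only a complete placeholder keeps the secret out of the file.
            if not ENV_PLACEHOLDER.fullmatch(value):
                findings.append(source.tag)
    return findings


if __name__ == "__main__":
    for label, config in (("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT)):
        hits = find_literal_passwords(config)
        print(f"{label}: {'literal password in ' + ', '.join(hits) if hits else 'ok'}")
```

The function reports the section name only and never echoes the password value, so its output is safe to keep in build logs.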