Introducing Rorix
The .NET ecosystem powers some of the most critical software in the world — banking systems, healthcare platforms, enterprise infrastructure. Yet when it comes to supply chain security tooling, .NET has been an afterthought. Most vulnerability scanners treat NuGet as a secondary concern, bolted on as an extension to tools built primarily for npm or PyPI. We built Rorix to change that.
Why .NET Needs Dedicated Tooling
NuGet packages have their own dependency resolution model, a distinct versioning scheme, and their own set of supply chain risks. NuGet resolves a separate graph for every target framework and runtime identifier a project builds for, applying nearest-wins and lowest-applicable-version rules, and a package's dependencies can differ per TFM because a .nupkg declares one dependency group per framework. Scanners that read a flat package list miss the transitive vulnerabilities that only appear in one of those graphs. They also lack context on .NET-specific attack vectors such as assembly binding redirects, runtime identifier mismatches, and framework-targeted vulnerabilities that only affect certain TFMs.
Rorix understands all of this natively. It parses .csproj, Directory.Build.props, global.json, and nuget.config files the same way the .NET SDK does. It resolves the full transitive dependency graph for each target framework and runtime combination, then cross-references every package version against the NuGet Advisory Database, GitHub Security Advisories, and the National Vulnerability Database with full CVE, CVSS, and EPSS enrichment.
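To make per-target resolution concrete, here is an added example written for this post (not Rorix code) that reads the resolved graph `dotnet restore` writes to obj/project.assets.json, walks it once per target, and reports every path from a direct dependency to a package whose resolved version falls inside an advisory's affected range. The assets-file layout it reads (targets keyed by TFM or TFM/RID, entries named Name/Version with a dependencies map, direct references under projectFileDependencyGroups) is the real format written by recent SDKs; the Acme.* packages, their versions and the DEMO-* advisories are constructed for the demo and describe no real package or CVE. The range matcher implements the interval notation NuGet itself uses for version ranges.

```python
"""Per-target vulnerable-path finder over obj/project.assets.json.
Added example for this post, not Rorix code; Acme.* packages and DEMO-* advisories are constructed."""
import json
import sys

# Constructed restore output for a net6.0/net8.0 project. Acme.HttpClient resolves a
# different Acme.Json under each target, as happens when a .nupkg declares per-TFM dependency groups.
ASSETS_JSON = r"""{
  "targets": {
    "net6.0": {
      "Acme.HttpClient/2.3.0": {"type": "package", "dependencies": {"Acme.Json": "1.4.2"}},
      "Acme.Json/1.4.2": {"type": "package"},
      "Acme.Logging/5.0.0": {"type": "package"}},
    "net8.0": {
      "Acme.HttpClient/2.3.0": {"type": "package", "dependencies": {"Acme.Json": "2.0.1"}},
      "Acme.Json/2.0.1": {"type": "package"},
      "Acme.Logging/5.0.0": {"type": "package"}}},
  "projectFileDependencyGroups": {
    "net6.0": ["Acme.HttpClient >= 2.3.0", "Acme.Logging >= 5.0.0"],
    "net8.0": ["Acme.HttpClient >= 2.3.0", "Acme.Logging >= 5.0.0"]}
}"""

# Constructed advisories; "affected" uses NuGet interval notation.
ADVISORIES = [
    {"id": "DEMO-2024-0001", "package": "Acme.Json", "affected": "[, 1.5.0)", "severity": "high"},
    {"id": "DEMO-2024-0002", "package": "Acme.Logging", "affected": "[5.0.0]", "severity": "moderate"},
]

def parse_version(text):
    """Sort key: numeric core padded to four parts, release above any prerelease of the same
    core, then prerelease identifiers (numeric below alphanumeric, as SemVer 2 orders them)."""
    core, _, prerelease = text.split("+", 1)[0].strip().partition("-")  # '+build' is ignored
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (4 - len(parts))
    pre_key = tuple((0, int(p), "") if p.isdigit() else (1, 0, p.lower())
                    for p in prerelease.split(".")) if prerelease else ()
    return (tuple(parts), 0 if prerelease else 1, pre_key)

def version_in_range(version, spec):
    """NuGet ranges: '1.0' is >= 1.0, '[1.0]' exact, '[1.0,2.0)' half-open, '(,2.0]' unbounded below."""
    spec = spec.strip()
    v = parse_version(version)
    if spec[0] not in "[(":
        return v >= parse_version(spec)
    lo_incl, hi_incl = spec[0] == "[", spec[-1] == "]"
    inner = spec[1:-1]
    if "," not in inner:
        return v == parse_version(inner)
    lo, hi = (s.strip() for s in inner.split(",", 1))
    if lo and (v < parse_version(lo) or (v == parse_version(lo) and not lo_incl)):
        return False
    if hi and (v > parse_version(hi) or (v == parse_version(hi) and not hi_incl)):
        return False
    return True

def load_graphs(assets):
    """{target: (direct dependency names, {name: (resolved version, dependency names)})}.
    Target keys are 'net8.0' or 'net8.0/win-x64'; direct refs are listed per TFM as 'Name >= Range'."""
    graphs = {}
    for target, entries in assets["targets"].items():
        tfm = target.split("/", 1)[0]
        nodes = {}
        for key, entry in entries.items():
            name, version = key.split("/", 1)
            nodes[name] = (version, list(entry.get("dependencies", {})))
        direct = [d.split(" ", 1)[0] for d in assets["projectFileDependencyGroups"].get(tfm, [])]
        graphs[target] = (direct, nodes)
    return graphs

def find_vulnerable_paths(assets, advisories):
    """Every path from a direct dependency to an affected package, per target (one finding per path)."""
    findings = []
    for target, (direct, nodes) in load_graphs(assets).items():
        affected = {}
        for adv in advisories:
            node = nodes.get(adv["package"])
            if node and version_in_range(node[0], adv["affected"]):
                affected.setdefault(adv["package"], []).append(adv)
        if not affected:
            continue

        def walk(name, path, seen):
            version, deps = nodes.get(name, ("?", []))
            path = path + [f"{name}/{version}"]
            for adv in affected.get(name, []):
                findings.append({"target": target, "advisory": adv["id"], "severity": adv["severity"],
                                 "package": name, "version": version, "path": " -> ".join(path)})
            for dep in deps:
                if dep not in seen:  # cycle guard; a valid NuGet graph is acyclic
                    walk(dep, path, seen | {dep})

        for name in direct:
            walk(name, [], {name})
    return findings

def scan_sample():
    return find_vulnerable_paths(json.loads(ASSETS_JSON), ADVISORIES)

if __name__ == "__main__":
    # Pass a real obj/project.assets.json as argv[1] to walk your own graph (against the constructed table).
    assets = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else json.loads(ASSETS_JSON)
    for f in find_vulnerable_paths(assets, ADVISORIES):
        print(f"{f['target']:10} {f['advisory']} ({f['severity']}) {f['path']}")
```

On the constructed input the net6.0 graph reports Acme.Json/1.4.2 reached through Acme.HttpClient, while net8.0 resolves Acme.Json/2.0.1 and reports nothing for it; a scanner that looked only at the net8.0 build, or at a flat list of direct references, would miss the net6.0 hit. Acme.Logging matches on both targets because it is a direct reference pinned to the single affected version.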
What's Included
Rorix ships with everything you need to secure your .NET supply chain from development to production:
- Vulnerability Scanning — real-time analysis of your dependency graph against multiple advisory sources, with severity scoring and exploitability metrics
- SBOM Generation — produce CycloneDX and SPDX software bills of materials for compliance and auditing
- License Compliance — define allowlist and blocklist policies for open-source licenses, with automatic enforcement in CI/CD
- Dependency Graph Visualization — interactive exploration of your full transitive dependency tree, highlighting vulnerable paths
- Docker Analysis — scan container images for .NET-specific vulnerabilities in base images and application layers
- Policy Enforcement — codify your security requirements in a .rorix.yml file and enforce them automatically
Getting Started
Install the CLI as a global .NET tool:
```shell
dotnet tool install -g Rorix.Cli
```

Run your first scan:

```shell
rorix scan ./MyProject.sln
```

For CI/CD, add our GitHub Action or Azure DevOps pipeline task to get automatic scanning on every pull request. Check our documentation for setup guides and configuration options.