Major .NET releases tend to get talked about for performance and language features. The supply chain story gets less attention, which is a shame because .NET 8 (GA November 2023) shipped a cluster of improvements that materially change what a defensible .NET supply chain looks like in 2024. This post is the concrete rundown — what changed, why each change matters, and what production teams should adjust to take advantage.
NuGet audit is the headline change
dotnet restore (and therefore dotnet build) in the .NET 8 SDK runs NuGetAudit by default. Every restore checks the resolved package graph against the vulnerability data published by the package source; for NuGet.org that data is sourced from the GitHub Advisory Database. Matches are reported as warnings NU1901 through NU1904, one code per severity (low, moderate, high, critical), or as errors if you promote them. Two caveats: a feed that does not expose NuGet's vulnerability-info resource contributes no results, so a project restored purely from such a feed gets silence rather than a clean bill of health, and a warning on its own does not fail a build.
The practical shape:
dotnet restore
# Restored MyProject.csproj (in 1.2 sec).
# warning NU1903: Package 'Newtonsoft.Json' 12.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-xxxx-xxxx-xxxx
To promote audit warnings to errors and widen what is audited:
<PropertyGroup>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
<NuGetAuditLevel>moderate</NuGetAuditLevel>
<NuGetAuditMode>all</NuGetAuditMode>
</PropertyGroup>
NuGetAuditMode=all audits transitive packages as well as direct ones. The .NET 8 SDK default is direct, which misses most real findings because the vulnerable package is usually several levels down the graph; later SDKs changed the default to all, so set it explicitly rather than depending on whichever SDK happens to be on the build agent. NuGetAuditLevel is the minimum severity that gets reported (low, the default, through critical). TreatWarningsAsErrors promotes every warning in the build, compiler warnings included; if that is too blunt for an existing codebase, list NU1901;NU1902;NU1903;NU1904 in WarningsAsErrors to promote only the audit warnings.
This alone, turned on in enterprise projects, surfaces meaningful risk. Teams on the default .NET 8 SDK are already getting direct-dependency warnings without knowing it; the transitive ones are the gap.
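The same data NuGetAudit uses is available as JSON from dotnet list package --vulnerable --include-transitive --format json, which is easier to gate on in CI than scraping NU19xx warnings out of build logs. The script below is an added example written for this post, not code from the .NET SDK or the original article: it flattens that report, applies a NuGetAuditLevel-style threshold, and fails closed on severities it does not recognise. The embedded JSON is a constructed sample in the shape the command emits; Example.Transitive and the GHSA URLs are placeholders, not real advisories.

```python
"""Severity gate over `dotnet list package --vulnerable --include-transitive --format json`.

Added example for this post, not code from the .NET SDK or the original article.
SAMPLE_REPORT is a constructed document in the shape that command emits (format version 1);
'Example.Transitive' and the GHSA URLs are placeholders, not real packages or advisories.
"""
import json
import sys

# Ranking mirrors NuGetAuditLevel: a finding blocks when its severity is at or above the level.
SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

SAMPLE_REPORT = """{
  "version": 1,
  "parameters": "--vulnerable --include-transitive",
  "sources": ["https://api.nuget.org/v3/index.json"],
  "projects": [{
    "path": "src/MyProject/MyProject.csproj",
    "frameworks": [{
      "framework": "net8.0",
      "topLevelPackages": [{
        "id": "Newtonsoft.Json", "requestedVersion": "12.0.3", "resolvedVersion": "12.0.3",
        "vulnerabilities": [
          {"severity": "High", "advisoryurl": "https://github.com/advisories/GHSA-xxxx-xxxx-xxxx"}]
      }],
      "transitivePackages": [{
        "id": "Example.Transitive", "resolvedVersion": "1.0.0",
        "vulnerabilities": [
          {"severity": "Moderate", "advisoryurl": "https://github.com/advisories/GHSA-yyyy-yyyy-yyyy"},
          {"severity": "Critical", "advisoryurl": "https://github.com/advisories/GHSA-zzzz-zzzz-zzzz"}]
      }]
    }]
  }]
}"""


def load_report(text: str) -> dict:
    """Parse the JSON written by `dotnet list package ... --format json` and check its version."""
    report = json.loads(text)
    if report.get("version") != 1:
        raise ValueError(f"unexpected report format version: {report.get('version')!r}")
    return report


def findings(report: dict) -> list:
    """Flatten the nested report into one record per (package, advisory)."""
    out = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            # topLevelPackages are what the project references; transitivePackages are the
            # rest of the graph, which is where most real findings live.
            for direct, key in ((True, "topLevelPackages"), (False, "transitivePackages")):
                for pkg in fw.get(key, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        out.append({
                            "project": project.get("path"),
                            "framework": fw.get("framework"),
                            "package": pkg["id"],
                            "version": pkg["resolvedVersion"],
                            "direct": direct,
                            "severity": vuln["severity"].lower(),
                            "advisory": vuln.get("advisoryurl"),
                        })
    return out


def gate(report: dict, level: str = "moderate"):
    """Split findings into (blocking, below_threshold). Unknown severities fail closed."""
    threshold = SEVERITY_RANK[level.lower()]
    blocking, below = [], []
    for f in findings(report):
        rank = SEVERITY_RANK.get(f["severity"], max(SEVERITY_RANK.values()))
        (blocking if rank >= threshold else below).append(f)
    return blocking, below


def main(argv) -> int:
    """Usage: gate.py [level] [report.json]; with no file argument the constructed sample is used."""
    level = argv[1] if len(argv) > 1 else "moderate"
    text = open(argv[2], encoding="utf-8").read() if len(argv) > 2 else SAMPLE_REPORT
    blocking, below = gate(load_report(text), level)
    for f in blocking:
        kind = "direct" if f["direct"] else "transitive"
        print(f"BLOCK {f['severity']:<8} {f['package']} {f['version']} ({kind}) {f['advisory']}")
    print(f"{len(blocking)} blocking, {len(below)} below '{level}'")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as dotnet list package --vulnerable --include-transitive --format json > report.json && python gate.py high report.json; the non-zero exit is the CI gate. Keeping the direct/transitive flag in the output matters for triage: a direct finding is fixed by bumping a PackageReference, a transitive one usually needs a pin (see the Central Package Management section).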
Signed NuGet packages are more enforceable
.NET 8 makes NuGet package signature verification enforceable at restore time. signatureValidationMode in NuGet.Config defaults to accept, which only rejects packages whose signature is present but invalid; set to require, every package must be signed and its signature must chain to an entry in the trustedSigners section of the same config. Since NuGet.org repository-signs every package it serves, trusting the NuGet.org repository certificate is enough to cover anything pulled from there; author signatures can be pinned on top for packages where you want a specific publisher rather than "came through NuGet.org". One platform caveat: on Linux and macOS, signature verification during restore is off by default and has to be enabled with the DOTNET_NUGET_SIGNATURE_VERIFICATION=true environment variable, so a policy that holds on Windows build agents is silently skipped elsewhere until that variable is set.
The switch itself:
<config>
<add key="signatureValidationMode" value="require" />
</config>
Where this bites: require with no trustedSigners rejects everything, so the rollout order is to trust the NuGet.org repository certificate first (dotnet nuget trust source nuget.org --source-url https://api.nuget.org/v3/index.json fetches it from the service index and writes it into NuGet.Config), then flip the mode. After that the failures you see are the real list: packages from private or mirror feeds that are not repository-signed, and packages you want author-pinned whose authors never signed. Each is a per-package decision, which is the point, but it needs a grace period and a plan for the private feed before it becomes a release gate.
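A NuGet.Config that pairs require with a trusted-signer entry, as an added example for this post rather than a file from the original article. The certificate fingerprint is a placeholder: dotnet nuget trust source writes the real one, and the owners list (microsoft plus a made-up example-org) shows the optional restriction to packages whose NuGet.org owners match.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <!-- clear first so an inherited user-level config cannot add an unsigned feed -->
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <config>
    <!-- require: unsigned packages and packages not matching a trusted signer fail restore.
         On Linux/macOS this only takes effect with DOTNET_NUGET_SIGNATURE_VERIFICATION=true. -->
    <add key="signatureValidationMode" value="require" />
  </config>
  <trustedSigners>
    <!-- Generated by: dotnet nuget trust source nuget.org --source-url https://api.nuget.org/v3/index.json
         The fingerprint below is a PLACEHOLDER; the command fills in the repository signing
         certificate(s) advertised by the service index. -->
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="0000000000000000000000000000000000000000000000000000000000000000"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <!-- optional: only accept packages whose nuget.org owners include one of these (example-org is made up) -->
      <owners>microsoft;example-org</owners>
    </repository>
  </trustedSigners>
</configuration>
```

Leaving the owners element out trusts every package on NuGet.org equally; adding it turns the repository signature into an allowlist of publishers, which is the cheapest defence against a typosquatted package that is otherwise perfectly validly signed by NuGet.org.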
Central Package Management stabilized
Central Package Management existed before .NET 8 (NuGet 6.2 onward), but the .NET 8 SDK is where it is comfortable to rely on: transitive pinning via CentralPackageTransitivePinningEnabled is reliable, version-conflict resolution is predictable, and the error messages when conflicts occur are actually readable. The model is simple: versions live once, as PackageVersion items in a Directory.Packages.props at the repository root, and project files carry versionless PackageReference entries (a Version attribute on one becomes restore error NU1008). With transitive pinning on, a PackageVersion entry for a package nothing references directly promotes it to a top-level dependency at that version, which is how you lift a vulnerable transitive today instead of waiting for the intermediate package to ship an update. The caveat is that the pin is on you: you are now running a version the intermediate package was not tested against.
For a multi-project solution, moving to CPM in 2024 gives you a single source of truth for versions, which makes every downstream supply chain activity (SBOM generation, vulnerability triage, license audit) cleaner.
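The two files that make up a CPM setup, as an added example for this post (not from the original article); the package names and versions are illustrative, and Example.Transitive is a made-up package standing in for a transitive dependency you need to lift.

```xml
<!-- Directory.Packages.props at the repository root: the single source of truth for versions -->
<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <!-- A PackageVersion for a package no project references directly is promoted to a
         top-level dependency at that version. Use it to lift a vulnerable transitive now;
         remove the entry once the intermediate package updates. -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
    <!-- Example.Transitive is made up: pinned because a dependency pulls in a vulnerable 1.x -->
    <PackageVersion Include="Example.Transitive" Version="2.0.1" />
  </ItemGroup>
</Project>

<!-- Any project file in the tree: references carry no version (a Version attribute here is NU1008) -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" />
  </ItemGroup>
</Project>
```

Because every project imports the same props file, a vulnerability fix is one line in one file and one pull request, and an SBOM generated from any project in the solution reflects the same resolved versions.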
SBOM generation is now realistic
dotnet list package --include-transitive --format json (available since the 7.0.200 SDK) gives you the resolved graph in machine-readable form, and the CycloneDX tool (dotnet tool install --global CycloneDX) turns the same restore graph into an SBOM document. A CI step of:
dotnet CycloneDX MyProject.csproj -o ./sbom -fn sbom.json -j -t -r
produces a CycloneDX JSON SBOM (the spec version tracks the tool release; current releases emit 1.5 or newer) that captures direct and transitive dependencies, licenses, and package hashes. Here -o is the output directory, -fn the file name inside it, -j selects JSON over XML, -t excludes test projects, and -r follows ProjectReference chains from the named project. The tool computes package hashes unless -dhc is passed, so check that the output actually carries them: an SBOM without hashes identifies what you think you shipped, not what you shipped. Earlier .NET versions had rougher edges in this workflow (missing metadata, incomplete transitive capture). .NET 8 is the version that makes "SBOM on every release" practical as a default.
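Before an SBOM goes into a vulnerability triage or license pipeline, it is worth checking that every entry carries what those consumers rely on. The script below is an added example for this post, not code from the CycloneDX project or the original article: it flags components without a NuGet purl, without a hash, without license data, with a purl whose version disagrees with the component version, and names that appear at more than one version. The embedded document is a constructed CycloneDX JSON sample; the Example.* packages and hash values are made up.

```python
"""Sanity-check a CycloneDX JSON SBOM before trusting it for triage.

Added example for this post, not code from the CycloneDX project or the original article.
SAMPLE_SBOM is a constructed CycloneDX JSON document; the Example.* packages and the hash
values are made up.
"""
import json
import sys
from collections import defaultdict

SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "MyProject", "version": "1.0.0"}},
  "components": [
    {"type": "library", "name": "Newtonsoft.Json", "version": "13.0.3",
     "purl": "pkg:nuget/Newtonsoft.Json@13.0.3",
     "hashes": [{"alg": "SHA-512", "content": "0000"}],
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "Example.NoHash", "version": "2.1.0",
     "purl": "pkg:nuget/Example.NoHash@2.1.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "Example.Drift", "version": "1.0.0",
     "purl": "pkg:nuget/Example.Drift@1.0.1",
     "hashes": [{"alg": "SHA-512", "content": "1111"}]},
    {"type": "library", "name": "Example.Drift", "version": "1.2.0",
     "purl": "pkg:nuget/Example.Drift@1.2.0",
     "hashes": [{"alg": "SHA-512", "content": "2222"}],
     "licenses": [{"license": {"id": "MIT"}}]}
  ]
}"""


def load_sbom(text: str) -> dict:
    """Parse the document and refuse anything that is not CycloneDX."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def purl_version(purl: str) -> str:
    """Version part of a purl, ignoring any ?qualifiers and #subpath."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    return core.rsplit("@", 1)[-1] if "@" in core else ""


def check_sbom(sbom: dict) -> list:
    """Return (component, problem) pairs for anything a downstream consumer could not rely on."""
    problems = []
    versions_seen = defaultdict(set)
    for c in sbom.get("components", []):
        name, version = c.get("name"), c.get("version")
        label = f"{name}@{version}"
        purl = c.get("purl", "")
        if not purl.startswith("pkg:nuget/"):
            problems.append((label, "missing or non-NuGet purl"))
        elif purl_version(purl) != version:
            # Two versions for one entry means the generator did not describe a single resolved graph.
            problems.append((label, f"purl version differs: {purl}"))
        if not any(h.get("content") for h in c.get("hashes", [])):
            problems.append((label, "no hash: cannot tie the entry to an artifact"))
        if not c.get("licenses"):
            problems.append((label, "no license information"))
        versions_seen[name].add(version)
    for name, versions in versions_seen.items():
        if len(versions) > 1:
            # Legitimate for multi-targeting, but worth a look: it is also what version drift looks like.
            problems.append((name, f"multiple versions in one SBOM: {sorted(versions)}"))
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SBOM
    found = check_sbom(load_sbom(text))
    for label, problem in found:
        print(f"{label}: {problem}")
    sys.exit(1 if found else 0)
```

The hash check is the one to treat as blocking: a component with a purl but no hash can be matched to advisories, but it cannot be matched to the bytes you deployed, which is the question an incident responder will eventually ask.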
Source Link coverage improved
Source Link maps a compiled .NET binary back to the exact source commit through metadata in its PDB. Earlier you had to add a Microsoft.SourceLink.* package per hosting provider; the .NET 8 SDK ships Source Link support for GitHub, GitLab, Azure DevOps and Bitbucket built in, so it is active for any project built from a git checkout with no package reference at all. The supply chain relevance: the PDB records repository URL and commit, and PublishRepositoryUrl copies them into the package's nuspec, so "which source commit produced this binary?" has an answer any consumer can read. What it is not is an attestation: it records what the build machine said about its checkout, and nothing in the format stops a compromised build from writing any commit it likes. It proves provenance only in combination with something that binds the output to a trusted builder, such as the package signature.
The properties worth setting (Source Link itself needs none of them in .NET 8; these control what gets published):
<PropertyGroup>
<PublishRepositoryUrl>true</PublishRepositoryUrl>
<EmbedUntrackedSources>true</EmbedUntrackedSources>
<IncludeSymbols>true</IncludeSymbols>
<SymbolPackageFormat>snupkg</SymbolPackageFormat>
</PropertyGroup>
Build with dotnet pack and the resulting .nupkg + .snupkg pair carry the repository URL and commit (in the nuspec) and the per-file source mappings (in the PDB). Add ContinuousIntegrationBuild=true on CI as well: it normalizes the paths recorded in the PDB and makes the build deterministic, which is what lets a third party rebuild the commit and compare bytes.
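A package consumer can read the provenance fields straight out of the .nupkg, which is a zip: the nuspec carries the repository element that PublishRepositoryUrl populates, and a signed package carries a .signature.p7s at its root. The script below is an added example for this post, not code from NuGet or the original article. It assembles a minimal package in memory as a constructed sample (Example.Lib, its repository URL, the commit and the signature file contents are all made up) and then inspects it the way you would inspect a real one.

```python
"""Read provenance and signature presence out of a .nupkg.

Added example for this post, not code from NuGet or the original article. The package is
assembled in memory as a constructed sample: Example.Lib, its repository URL and commit are
made up, and the '.signature.p7s' content is a placeholder, not a real CMS signature.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

FULL_SHA1 = re.compile(r"^[0-9a-f]{40}$")


def build_sample_nupkg(signed: bool = True, commit: str = "") -> bytes:
    """Construct a minimal package layout: nuspec + lib dll (+ signature file)."""
    repo_attrs = 'type="git" url="https://github.com/example-org/example-lib"'
    if commit:
        repo_attrs += f' commit="{commit}"'
    nuspec = f"""<?xml version="1.0" encoding="utf-8"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Example.Lib</id>
    <version>1.2.3</version>
    <authors>example-org</authors>
    <description>constructed sample</description>
    <repository {repo_attrs} />
  </metadata>
</package>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Example.Lib.nuspec", nuspec)
        zf.writestr("lib/net8.0/Example.Lib.dll", b"MZ placeholder, not a real assembly")
        if signed:
            zf.writestr(".signature.p7s", b"placeholder, not a real CMS signature")
    return buf.getvalue()


def inspect_nupkg(data: bytes) -> dict:
    """Pull id, version, repository url/commit and signature-file presence from a package."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        nuspec_name = next(n for n in names if n.endswith(".nuspec") and "/" not in n)
        root = ET.fromstring(zf.read(nuspec_name))
    meta = root.find("{*}metadata")  # {*} matches whichever nuspec schema namespace is in use
    repo = meta.find("{*}repository")
    info = {
        "id": meta.findtext("{*}id"),
        "version": meta.findtext("{*}version"),
        "repository_url": repo.get("url") if repo is not None else None,
        "commit": repo.get("commit") if repo is not None else None,
        "signature_file": ".signature.p7s" in names,
    }
    info["commit_is_full_sha"] = bool(info["commit"] and FULL_SHA1.match(info["commit"]))
    return info


def provenance_ok(info: dict) -> bool:
    """Policy: a releasable package names its source commit (full SHA) and carries a signature file.
    Presence of .signature.p7s is not verification; `dotnet nuget verify --all <pkg>` does that."""
    return bool(info["repository_url"]) and info["commit_is_full_sha"] and info["signature_file"]


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_nupkg(commit="a" * 40)
    result = inspect_nupkg(data)
    print(result)
    sys.exit(0 if provenance_ok(result) else 1)
```

Point it at a real package with python inspect_nupkg.py Example.Lib.1.2.3.nupkg. The signature_file flag only says a signature is present; the cryptographic check is dotnet nuget verify --all, optionally with --certificate-fingerprint to pin the expected signer.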
NativeAOT changes the attack surface
NativeAOT, production-supported in .NET 8, compiles the application and its dependencies ahead of time into a single native executable with no JIT (a trimmed runtime, garbage collector included, is statically linked in). The supply chain implications:
- Smaller runtime attack surface: no JIT, no dynamic assembly loading, and reflection limited to what the trimmer could see at build time.
- Build-time trust concentration: every dependency is compiled in, so the integrity of the build inputs and the build machine matters more, and there is no patch path short of rebuilding.
- Source generator importance: NativeAOT leans on source generators (System.Text.Json, regex, interop marshalling) in place of runtime reflection. Generators and analyzers are ordinary assemblies that run inside the compiler process with the build account's privileges, and they arrive through NuGet packages like any other dependency.
NativeAOT is a net positive for deployed posture but moves risk to the build. If your team is adopting NativeAOT in 2024, know which packages inject analyzers or MSBuild logic into your build, and treat a change in that set the way you would treat a new plugin on the build agent.
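The restore output already records which packages ship build-time code: obj/project.assets.json lists every file in every package, and anything under analyzers/ (source generators included) or a build/ .props or .targets file executes during compilation. The script below is an added example for this post, not code from NuGet or the original article; it extracts those packages with their NuGet SHA-512 and diffs them against an allowlist so a new or changed generator fails the build. The embedded assets file is a constructed, cut-down sample in the shape NuGet writes; the package names and hashes are made up.

```python
"""List packages that inject code into the build, from obj/project.assets.json.

Added example for this post, not code from NuGet or the original article. SAMPLE_ASSETS is a
constructed, cut-down document in the shape NuGet writes; Example.* names and hashes are made up.
"""
import json
import sys

MSBUILD_DIRS = ("build/", "buildTransitive/", "buildMultiTargeting/")

SAMPLE_ASSETS = """{
  "version": 3,
  "targets": {"net8.0": {
    "Example.Generators/1.4.0": {"type": "package"},
    "Example.Plain/2.0.0": {"type": "package", "compile": {"lib/net8.0/Example.Plain.dll": {}}}
  }},
  "libraries": {
    "Example.Generators/1.4.0": {
      "sha512": "c29tZSBtYWRlLXVwIGhhc2g=", "type": "package", "path": "example.generators/1.4.0",
      "files": ["analyzers/dotnet/cs/Example.Generators.dll",
                "analyzers/dotnet/cs/Example.Generators.Support.dll",
                "build/Example.Generators.props",
                "example.generators.1.4.0.nupkg.sha512", "example.generators.nuspec"]
    },
    "Example.Plain/2.0.0": {
      "sha512": "YW5vdGhlciBtYWRlLXVwIGhhc2g=", "type": "package", "path": "example.plain/2.0.0",
      "files": ["lib/net8.0/Example.Plain.dll", "example.plain.2.0.0.nupkg.sha512", "example.plain.nuspec"]
    },
    "MyOtherProject/1.0.0": {"type": "project", "path": "../MyOtherProject/MyOtherProject.csproj"}
  },
  "projectFileDependencyGroups": {"net8.0": ["Example.Generators >= 1.4.0", "Example.Plain >= 2.0.0"]}
}"""


def load_assets(text: str) -> dict:
    return json.loads(text)


def build_time_packages(assets: dict) -> list:
    """Packages whose contents run during the build: analyzers/generators and MSBuild logic."""
    result = []
    for key, lib in assets.get("libraries", {}).items():
        if lib.get("type") != "package":  # project references are not what we are auditing
            continue
        files = lib.get("files", [])
        analyzers = [f for f in files if f.startswith("analyzers/") and f.endswith(".dll")]
        msbuild = [f for f in files if f.startswith(MSBUILD_DIRS) and f.endswith((".props", ".targets"))]
        if analyzers or msbuild:
            pkg_id, version = key.split("/", 1)
            result.append({"id": pkg_id, "version": version, "sha512": lib.get("sha512"),
                           "analyzers": analyzers, "msbuild": msbuild})
    return result


def unexpected(packages: list, allowlist: dict) -> list:
    """Entries not in the allowlist ({'Id/Version': sha512}) or whose hash changed."""
    return [p for p in packages if allowlist.get(f"{p['id']}/{p['version']}") != p["sha512"]]


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ASSETS
    for p in build_time_packages(load_assets(text)):
        print(f"{p['id']} {p['version']} sha512={p['sha512']}")
        for f in p["analyzers"] + p["msbuild"]:
            print(f"    {f}")
```

Commit the printed Id/Version/sha512 triples as the allowlist and run unexpected() in CI; a pull request that adds a generator, bumps one, or (the interesting case) keeps the version but changes the hash then has to explain itself before it reaches a build agent. The sha512 is the hash NuGet recorded when it downloaded the package, so comparing it also catches a mirror serving different bytes under the same version.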
Container improvements for the .NET base images
The official mcr.microsoft.com/dotnet images in the .NET 8 line add Ubuntu chiseled variants (tags ending in -chiseled) that strip the base OS to what the runtime needs: no shell, no package manager, no apt metadata. A chiseled .NET 8 runtime image is roughly half the size of the standard Ubuntu variant, and with far fewer OS packages present there is correspondingly less for a scanner to flag or an attacker to live off. Chiseled images also run as the non-root app user by default; the standard .NET 8 images define that user but leave switching to it (USER app) to you. The trade: there is nothing to exec into for debugging, and apps that need ICU or tzdata should use the -chiseled-extra variant rather than trying to install packages that the image has no tooling to install.
Move runtime images to chiseled if you can (the SDK image has no chiseled variant, so build in the SDK image and copy the publish output across):
FROM mcr.microsoft.com/dotnet/runtime:8.0-jammy-chiseled
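The multi-stage shape that goes with that FROM line, as an added example for this post rather than a Dockerfile from the original article. MyProject.csproj and MyProject.dll are placeholders for your own project.

```dockerfile
# Added example: build in the SDK image, ship on the chiseled runtime image.
# Tags are floating here for readability; pin each FROM by digest (image@sha256:<digest>) in a release pipeline.
FROM mcr.microsoft.com/dotnet/sdk:8.0-jammy AS build
WORKDIR /src
COPY . .
# Separate restore step so NuGetAudit warnings (NU1901-NU1904) appear in one visible layer;
# publish with --no-restore so the audited graph is the one that gets compiled.
RUN dotnet restore MyProject.csproj \
 && dotnet publish MyProject.csproj -c Release -o /app --no-restore

FROM mcr.microsoft.com/dotnet/runtime:8.0-jammy-chiseled
WORKDIR /app
COPY --from=build /app .
# Chiseled: no shell, no package manager, already running as the non-root 'app' user.
ENTRYPOINT ["dotnet", "MyProject.dll"]
```

Because the final stage has no shell, a RUN instruction there fails outright; everything the image needs has to be produced in the build stage and copied in, which is exactly the property that makes the runtime layer hard to tamper with after the fact.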
What a .NET 8 upgrade checklist should include
- Turn on NuGetAudit with NuGetAuditMode=all and a chosen NuGetAuditLevel.
- Decide on signatureValidationMode (require for new projects, accept with a plan to tighten for existing).
- Adopt CPM if you have not.
- Add SBOM generation to CI.
- Configure Source Link.
- Migrate runtime images to chiseled variants.
- Audit source generators in use.
Each of these is a configuration-level change. None requires refactoring. The combined posture improvement is meaningful.
How Safeguard Helps
Safeguard's .NET support detects .NET 8 features in use (NuGet audit, CPM, signing, Source Link) and surfaces gaps against the full-posture checklist above. The platform ingests CycloneDX SBOMs generated from dotnet CycloneDX and reconciles them with the reachability graph, so a .NET 8 project's supply chain is visible alongside the rest of the portfolio. Policy gates can enforce "require NuGetAudit" or "chiseled base images only" as release conditions. For teams moving to .NET 8 in 2024, Safeguard compresses the adoption checklist into a platform output rather than a per-repo hunt.