microsoft / security-devops-action

Microsoft Security DevOps for GitHub Actions.
MIT License
97 stars 44 forks

Modify source for Microsoft.Security.DevOps.Cli package #51

Closed. pedalocam closed this issue 1 year ago.

pedalocam commented 1 year ago

When using the Azure DevOps extension secrets scanner it tries to download the package from nuget.org. This is hard-coded in the extension wrapper as of now.

Is there a way to choose a private artifact feed as source instead of https://api.nuget.org/v3/index.json?

will477 commented 1 year ago

To ensure your build is predictable and secure from known attacks such as Dependency Confusion, knowing what specific feed(s) the packages are coming from is a best practice. For this reason, we have not allowed customization of the feeds used.

It is not a requirement that it be NuGet.Org, but it is a specific and verified feed for each package.
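The maintainer's point above is that every package should resolve from one known, verified feed rather than from whichever source happens to answer first. For a consumer who manages their own NuGet configuration (this does not change the extension's hard-coded feed), the same property can be expressed in a `nuget.config`. The following is an added example, not code from this thread or from the security-devops-action project; the `contoso-internal` feed URL and the `Contoso.*` package prefix are placeholders standing in for a private Azure Artifacts feed and its package namespace.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <!-- Discard any sources inherited from machine- or user-level configs,
         so the feeds listed here are the only ones restore will consult. -->
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <!-- Placeholder URL: substitute your own private feed. -->
    <add key="contoso-internal"
         value="https://pkgs.dev.azure.com/contoso/_packaging/internal/nuget/v3/index.json" />
  </packageSources>

  <!-- Package source mapping (NuGet 6.0+): each package ID pattern resolves
       from exactly one named source. When several patterns match, the most
       specific one wins, so a package named Contoso.Foo is only ever fetched
       from the internal feed even though "*" also matches it. -->
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
      <package pattern="Microsoft.Security.DevOps.*" />
    </packageSource>
    <packageSource key="contoso-internal">
      <package pattern="Contoso.*" />
    </packageSource>
  </packageSourceMapping>
</configuration>
```

With this file in place, `dotnet restore` fails rather than falling back to another source if a package ID does not match any mapped pattern, which is the behaviour you want when guarding against a public package registered under an internal name. Check the effective configuration on a build agent with `dotnet nuget list source` before relying on it, since a stray user-level `nuget.config` without `<clear />` would otherwise widen the set of feeds.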