BlendInteractive.Umbraco.SecurityDashboard 1.0.2

Prefix Reserved
Install options:

  • .NET CLI: dotnet add package BlendInteractive.Umbraco.SecurityDashboard --version 1.0.2
  • Package Manager (run in the Visual Studio Package Manager Console, which uses the NuGet module's Install-Package): NuGet\Install-Package BlendInteractive.Umbraco.SecurityDashboard -Version 1.0.2
  • PackageReference (copy this XML node into the project file): <PackageReference Include="BlendInteractive.Umbraco.SecurityDashboard" Version="1.0.2" />
  • Central Package Management (CPM): add <PackageVersion Include="BlendInteractive.Umbraco.SecurityDashboard" Version="1.0.2" /> to the solution's Directory.Packages.props, and <PackageReference Include="BlendInteractive.Umbraco.SecurityDashboard" /> to the project file
  • Paket: paket add BlendInteractive.Umbraco.SecurityDashboard --version 1.0.2
  • Script & Interactive (F# Interactive, Polyglot Notebooks): #r "nuget: BlendInteractive.Umbraco.SecurityDashboard, 1.0.2"
  • C# file-based apps (.NET 10 preview 4 or later; place it in the .cs file before any lines of code): #:package BlendInteractive.Umbraco.SecurityDashboard@1.0.2
  • Cake Addin: #addin nuget:?package=BlendInteractive.Umbraco.SecurityDashboard&version=1.0.2
  • Cake Tool: #tool nuget:?package=BlendInteractive.Umbraco.SecurityDashboard&version=1.0.2


Umbraco Security Dashboard

Centralized security posture management for Umbraco CMS

What Is It

If you maintain a lot of Umbraco installs, managing your security health can be a big task. When a new advisory is released, you suddenly have a lot of work to do.

The Umbraco Security Dashboard helps by regularly and automatically checking the running code against the GitHub Vulnerability Database for Umbraco packages, and by letting you report the security health status of the instance to a central location via webhook.

The system also provides checks against common vulnerability exposure points to help you understand which advisories your instance is actually susceptible to. For instance, if the advisory reports an exposure in the Content Delivery API, but you have it disabled, then that exposure is mitigated. This helps you triage your efforts to focus on the instances where you're actually exposed.

[Screenshot: Security Dashboard]

Prerequisites

  • Umbraco v17.3.0 or later
  • .NET 10

Installing

To add the package to your project, install it with NuGet:

dotnet add package BlendInteractive.Umbraco.SecurityDashboard

This will add a 'Security Health' tab in the 'Settings' section of your Backoffice.

Central Management

The dashboard view in the admin is helpful, but it's better to have a system to automate and report on the security health of your instance. Whenever a check is run, the result can be published via webhook. There are many ways to use this, but the docs folder contains an example of an n8n flow that publishes all updates to a sample Google Sheet. Tools like n8n or Zapier should provide an easy way to set up an automated workflow that fits with your environment.

Configuration

All settings live under the Umbraco:SecurityDashboard key in appsettings.json.

"Umbraco": {
  "SecurityDashboard": {
    "AdditionalPackageIds": [],
    "Webhook": {
      "SiteUrl": "https://yoursite.com",
      "EndpointUrl": "https://your-webhook-endpoint.com/hook",
      "Secret": "your-secret",
      "TimeoutSeconds": 10
    }
  }
}

AdditionalPackageIds

A list of non-Umbraco NuGet package IDs to include in vulnerability checks. Versions are detected automatically from the runtime dependency graph.

"AdditionalPackageIds": [ "Serilog", "Newtonsoft.Json" ]

Webhook

When configured, the dashboard posts the scan result to an external endpoint after every check, making it easy to aggregate security status across multiple Umbraco instances.

  • SiteUrl: The public URL of this Umbraco instance. Included in the webhook payload to identify the source. It is simply an identifying string, since the web context isn't available in the scheduled check.
  • EndpointUrl: The URL to POST the result to. Leave empty to disable webhook notifications.
  • Secret: Shared secret included in the request header for payload verification.
  • TimeoutSeconds: HTTP timeout for the webhook request. Defaults to 10.
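The receiving side of this exchange, as an added example that is not part of the package or its docs: a minimal ASP.NET Core endpoint that rejects any POST whose shared secret does not match, and keeps the latest result per site so several instances can be aggregated. The page documents that the secret travels in a request header and that SiteUrl is in the payload, but not the header name or the other payload fields; the header name X-Webhook-Secret and the receiver's own configuration key SecurityDashboardReceiver:Secret are assumptions here, so check the package source for the real header name before relying on this.

```csharp
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// The expected secret comes from the receiver's own configuration (assumed key),
// never from anything in the incoming request.
string expectedSecret = app.Configuration["SecurityDashboardReceiver:Secret"]
    ?? throw new InvalidOperationException("SecurityDashboardReceiver:Secret is not configured.");

// Latest scan result per Umbraco instance, keyed by the SiteUrl the dashboard sends.
var latestBySite = new ConcurrentDictionary<string, JsonElement>();

app.MapPost("/hook", async (HttpRequest request, ILogger<Program> logger) =>
{
    // Assumed header name. Anything without a matching secret is dropped before
    // the body is parsed, so unauthenticated callers cannot poison the aggregate.
    string? presented = request.Headers["X-Webhook-Secret"].FirstOrDefault();
    if (presented is null || !SecretsMatch(expectedSecret, presented))
    {
        logger.LogWarning("Rejected webhook from {RemoteIp}: missing or invalid secret",
            request.HttpContext.Connection.RemoteIpAddress);
        return Results.Unauthorized();
    }

    using JsonDocument doc = await JsonDocument.ParseAsync(request.Body, cancellationToken: request.HttpContext.RequestAborted);

    // SiteUrl is the identifier the page documents; the rest of the payload is stored as-is.
    string siteUrl = doc.RootElement.TryGetProperty("SiteUrl", out JsonElement site)
        ? site.GetString() ?? "(unknown)"
        : "(unknown)";

    // Clone, because the JsonDocument is disposed when this handler returns.
    latestBySite[siteUrl] = doc.RootElement.Clone();
    logger.LogInformation("Stored security scan result for {SiteUrl}", siteUrl);
    return Results.Accepted();
});

// Aggregate view: the most recent result reported by each instance.
app.MapGet("/status", () => Results.Json(latestBySite));

app.Run();

// Constant-time comparison so a wrong secret cannot be distinguished by timing.
static bool SecretsMatch(string expected, string presented)
{
    byte[] a = Encoding.UTF8.GetBytes(expected);
    byte[] b = Encoding.UTF8.GetBytes(presented);
    return a.Length == b.Length && CryptographicOperations.FixedTimeEquals(a, b);
}
```

Run it with the secret set in the receiver's appsettings.json or environment (SecurityDashboardReceiver__Secret), point the dashboard's Webhook:EndpointUrl at /hook with the same Secret, and read the aggregate from /status. The in-memory dictionary stands in for whatever store you actually use (the n8n-to-Google-Sheet flow in the docs folder is the equivalent for a no-code setup).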

ScanSchedule

Controls when vulnerability scans run. By default, scans run daily at 4:00 AM (server local time).

  • Frequency: Daily, Weekly, or Disabled. Default: Daily
  • Hour: Hour of day (0–23) for the scan to run. Default: 4
  • Minute: Minute (0–59) for the scan to run. Default: 0
  • DayOfWeek: Day for weekly scans (Monday to Sunday). Default: Monday

Daily at 2:30 AM:

"ScanSchedule": {
  "Frequency": "Daily",
  "Hour": 2,
  "Minute": 30
}

Weekly on Monday at 3:00 AM:

"ScanSchedule": {
  "Frequency": "Weekly",
  "DayOfWeek": "Monday",
  "Hour": 3,
  "Minute": 0
}

Disabled (no automatic scans):

"ScanSchedule": {
  "Frequency": "Disabled"
}

When Disabled, the background job is not registered and the startup check is skipped entirely. The dashboard displays a prominent warning. This is useful for development or staging environments where you do not want background scans running.

Development overrides

The Development subsection contains settings that are only applied when the application is running in the Development environment. They are silently ignored in all other environments.

This is helpful for testing and development of your vulnerability management scripts when there are no active vulnerabilities, or for the development of the Security Dashboard Package itself.

"Umbraco": {
  "SecurityDashboard": {
    "Development": {
      "PackageVersionOverrides": {
        "Umbraco.Cms": "17.1.1"
      },
      "ExposureCheckOverrides": {
        "GHSA-xxxx-yyyy-zzzz": [ "Content Delivery API" ]
      }
    }
  }
}

PackageVersionOverrides — substitute the detected version of any NuGet package with a fixed value. Useful for testing how the dashboard behaves against a specific advisory without actually downgrading the package.

ExposureCheckOverrides — force one or more exposure checks to run for a specific advisory, regardless of whether the corresponding keyword appears in the advisory description. The key is the GHSA ID (e.g. GHSA-xxxx-yyyy-zzzz) and the value is a list of exposure check keywords (e.g. "Content Delivery API", "Non-Admin Backoffice Users"). Useful for manually exercising exposure checks against a chosen advisory during development.

Contributing

Extending ExposureChecks

Exposure checks determine whether your instance is actually susceptible to a given advisory. The package ships with two built-in checks, but you can add your own.

1. Implement IExposureCheck:

using Umbraco.SecurityDashboard.Services.Exposure;

public class PublicRegistrationExposureCheck : IExposureCheck
{
    // Must match a keyword that appears in advisory descriptions.
    // The evaluator only runs this check when the keyword is found.
    public string Keyword => "Member Registration";

    public Task<ExposureVerdict> CheckAsync(CancellationToken cancellationToken = default)
    {
        // Return Vulnerable, Mitigated, or NotAffected
        bool registrationOpen = /* your logic here */ true;
        var verdict = registrationOpen ? ExposureVerdict.Vulnerable : ExposureVerdict.Mitigated;
        return Task.FromResult(verdict);
    }
}

2. Register it in your composer or Program.cs:

builder.AddExposureCheck<PublicRegistrationExposureCheck>();

The check runs only when the Keyword appears in the advisory text, so it doesn't add overhead for unrelated advisories. If the check throws, the evaluator logs the exception and treats the result as Vulnerable.
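A fuller version of the two steps above, as an added example rather than the package's own code: a check with injected dependencies that returns all three verdicts, plus registration from an Umbraco composer. The configuration key MySite:MemberRegistration:Enabled is a hypothetical site-specific setting (not an Umbraco setting), and the composer assumes AddExposureCheck is an extension on IUmbracoBuilder, since the page shows only builder.AddExposureCheck<...>().

```csharp
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.SecurityDashboard.Services.Exposure;

namespace MySite.Security;

public sealed class MemberRegistrationExposureCheck : IExposureCheck
{
    // Hypothetical site-specific setting used for illustration only.
    private const string ConfigKey = "MySite:MemberRegistration:Enabled";

    private readonly IConfiguration _configuration;
    private readonly ILogger<MemberRegistrationExposureCheck> _logger;

    public MemberRegistrationExposureCheck(
        IConfiguration configuration,
        ILogger<MemberRegistrationExposureCheck> logger)
    {
        _configuration = configuration;
        _logger = logger;
    }

    // The evaluator runs this check only for advisories whose text contains this keyword.
    public string Keyword => "Member Registration";

    public Task<ExposureVerdict> CheckAsync(CancellationToken cancellationToken = default)
    {
        IConfigurationSection section = _configuration.GetSection(ConfigKey);

        // Setting absent: this site does not have the exposure point at all.
        if (!section.Exists())
        {
            _logger.LogDebug("{Key} not configured; member registration exposure not applicable", ConfigKey);
            return Task.FromResult(ExposureVerdict.NotAffected);
        }

        // Setting present and on: exposed. Present but off: the exposure point is closed.
        bool registrationOpen = section.Get<bool>();
        ExposureVerdict verdict = registrationOpen ? ExposureVerdict.Vulnerable : ExposureVerdict.Mitigated;
        _logger.LogInformation("Member registration exposure check returned {Verdict}", verdict);
        return Task.FromResult(verdict);
    }
}

// Umbraco discovers IComposer implementations at startup, so no Program.cs change is needed.
public sealed class SecurityChecksComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        builder.AddExposureCheck<MemberRegistrationExposureCheck>();
    }
}
```

Because a throwing check is scored as Vulnerable, the check makes its own failure modes explicit (NotAffected when the setting is absent) instead of letting a missing key surface as an exception. During development you can force this check to run against a chosen advisory with the ExposureCheckOverrides setting described above, using the keyword "Member Registration".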

Built-in checks:

  • Content Delivery API: whether the Umbraco Delivery API is enabled
  • Non-Admin Backoffice Users: whether any non-admin backoffice users exist

Spec-Kit

This project uses Spec-Kit for structured AI-assisted feature development. Feature specifications live in specs/ and drive the implementation workflow.

# Review the current feature plan
cat specs/007-audit-log/plan.md

# Run the implementation agent against the active plan
/speckit-implement

Each spec directory contains a plan.md with the feature design and a tasks.md with the implementation checklist. Completed specs are kept for reference.

Target frameworks: net10.0 is compatible and is the framework included in the package. Computed as compatible: net10.0-android, net10.0-browser, net10.0-ios, net10.0-maccatalyst, net10.0-macos, net10.0-tvos, net10.0-windows.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version history (version, downloads, last updated):

  • 1.0.2: 104 downloads, 6/10/2026
  • 1.0.1: 104 downloads, 6/4/2026
  • 1.0.0: 107 downloads, 6/3/2026