Feature Flag Freedom: Using OpenFeature with AWS & Azure

Posted on April 22, 2025April 22, 2025 by Mark Johnson

Introduction

Feature flags have revolutionised how teams deploy and test features, allowing controlled rollouts, A/B testing, and quick toggling of functionality. But teams adopting feature flagging often face vendor lock-in, making it difficult to switch providers or maintain a consistent implementation across their codebase.

I was recently catching up on some talks from Kubecon 2025 on the CNCF YouTube channel and there were some talks around Feature Flags and OpenFeature. Curious about its potential, I decided to take a deeper dive into OpenFeature to understand its advantages.

OpenFeature is a CNCF project that provides a standardised SDK, allowing you to integrate with custom logic or external vendors. OpenFeature abstracts away the complexities of working with different providers, ensuring flexibility, portability, and consistency in how applications manage flags.

The architecture looks like this (taken from their website)

OpenFeature supports multiple feature flag providers, ensuring flexibility across different ecosystems. Some of the current providers include:

Flagd – An open-source remote flag evaluation service.
LaunchDarkly – A popular enterprise feature flag management platform.
Flipt – A lightweight, self-hosted feature flag solution.
GrowthBook – A powerful open-source A/B testing and feature flagging tool.
These are just a few examples, with many more integrations available.

OpenFeature supports creating custom Providers that allow developers to build their own providers for their feature flag management or even connect to providers not currently supported by OpenFeature.

Since OpenFeature provides a consistent API, teams can easily switch providers without modifying their application logic, making feature flag management truly flexible.

These days I use a mix Azure and AWS and wondered how OpenFeature would work with Azure App Configuration and AWS AppConfig, so in this post, we’ll explore:

How OpenFeature eliminates vendor lock-in for feature flags.
Implementing feature flags with OpenFeature and utilising cloud services Azure App Configuration and AWS AppConfig.
How you can use OpenFeature in .NET and Python applications with a couple of basic examples

This post assumes you already have an instance of Azure App Configuration and/or AWS App Config set up. If not, refer to their respective documentation for provisioning.

Let’s dive in and see what it’s all about! 🚀

Getting Started with OpenFeature

Adding OpenFeature to code is fairly simple, the documentation is well structured with clear examples for multiple languages. While OpenFeature supports multiple languages including Go, Java, and Rust—this post will focus on its implementation in .NET and Python

Here’s a basic implementation using OpenFeature in a console application, demonstrating how to register a provider and retrieve flag values

dotnet add package OpenFeature

Following the documentation the basic code in a console app would look something like this in .NET:

using OpenFeature;
using OpenFeature.Model;

 // Register your feature flag provider
 await Api.Instance.SetProviderAsync(new InMemoryProvider());

// Create a new client
FeatureClient client = Api.Instance.GetClient();

// Retrieve and evaluate the flag
var feature1Enabled = await client.GetBooleanValueAsync("feature1", false);
Console.WriteLine(feature1Enabled ? "Flag is Enabled!" : "Flag is Disabled!");

and in Python:

pip install openfeature-sdk

from openfeature import api
from openfeature.provider.in_memory_provider import InMemoryFlag, InMemoryProvider

feature_flags = {
  "feature1": InMemoryFlag("on", {"on": True, "off": False})
}

# Register your feature flag provider
api.set_provider(InMemoryProvider(feature_flags))

# Create a client
client = api.get_client()

# Retrieve and evaluate the flag
feature1_enabled = client.get_boolean_value("feature1", False)
print("Flag is Enabled!" if feature1_enabled else "Flag is Disabled!")

Exploring OpenFeature with Azure App Configuration

With the setup in place, let’s explore how OpenFeature integrates seamlessly with Azure App Configuration to manage feature flags.

The below image shows some sample feature flags defined in Azure App Configuration ready to use for this demo

Azure App Configuration provides centralised configuration management, versioning, and built-in feature flag support, making it a powerful choice for dynamic application settings. To evaluate feature flags within Azure App Configuration, Microsoft recommends using the Feature Management Library, which provides a robust and flexible way to manage flag states.

Let’s add the packages for Azure App Configuration

dotnet add package Microsoft.Extensions.Configuration
dotnet add package Microsoft.Extensions.Configuration.AzureAppConfiguration

After some looking around at the OpenFeature sdk Contrib in GitHub, I found there was already a provider for the FeatureManagement and found a preview version on Nuget, so let’s add that.

dotnet add package OpenFeature.Contrib.Provider.FeatureManagement --version 0.1.0-preview

It is good practice to use Azure Identity for connecting to Azure App Configuration but for this demo we are just going to use the ConnectionString. You can get the connection string from the Azure Portal.

Let’s add the additional code to use the Feature Manager Provider

using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureAppConfiguration;
using OpenFeature;
using OpenFeature.Contrib.Providers.FeatureManagement;

IConfigurationRefresher refresher = null;
var builder = new ConfigurationBuilder();
builder.AddAzureAppConfiguration(async options =>
{
    var endpoint = "Endpoint=https://flagsdemo-dev.azconfig.io;Id=xxxxxx;Secret=xxxxxxxxxxxxxxxxxxxx";
    options.Connect(endpoint)
        .ConfigureRefresh(refresh =>
        {
            refresh.Register($".appconfig.featureflag/feature1")
                .SetRefreshInterval(TimeSpan.FromSeconds(30));
        });
    refresher = options.GetRefresher();
});
var config = builder.Build();

// Register your feature flag provider
await Api.Instance.SetProviderAsync(new FeatureManagementProvider(config));

// Create a new client
FeatureClient client = Api.Instance.GetClient();

// Get the flag value
var feature1Enabled = await client.GetBooleanValueAsync("feature1", false);
Console.WriteLine(feature1Enabled ? "Flag is Enabled!" : "Flag is Disabled!");

Running the code gives the same value as previously “Flag is Disabled!”, so let’s enable the flag via the Azure Portal

Using the contrib provider, we encountered an issue where basic feature flags were not being evaluated correctly, consistently returning ‘Flag is Disabled!’ regardless of configuration. After submitting a PR to address this issue, we’ll have to use a workaround and create a new provider, which, in a way, is a great opportunity to showcase just how simple it is to implement a custom provider for feature flag management.

Following the instructions from the OpenFeature documentation we created a provider, implementing the bare minimum and adding the FeatureManagement Library

dotnet add package Microsoft.FeatureManagement

using Microsoft.Extensions.Configuration;
using Microsoft.FeatureManagement;
using OpenFeature;
using OpenFeature.Model;

public class FeatureManagementProvider : FeatureProvider
{
    private readonly FeatureManager _featureManager;

    public FeatureManagementProvider(IConfiguration configuration)
    {
        _featureManager = new FeatureManager(new ConfigurationFeatureDefinitionProvider(configuration), new FeatureManagementOptions());

    }
    public override Metadata GetMetadata()
    {
        return new Metadata("Feature Management Provider");
    }

    public override async Task<ResolutionDetails<bool>> ResolveBooleanValueAsync(string flagKey, bool defaultValue, EvaluationContext? context = null, CancellationToken cancellationToken = default)
    {
        var enabled = await _featureManager.IsEnabledAsync(flagKey, context, cancellationToken);
        return new ResolutionDetails<bool>(flagKey, enabled);
    }

    public override Task<ResolutionDetails<string>> ResolveStringValueAsync(string flagKey, string defaultValue, EvaluationContext? context = null, CancellationToken cancellationToken = default)
    {
        throw new NotImplementedException();
    }

    public override Task<ResolutionDetails<int>> ResolveIntegerValueAsync(string flagKey, int defaultValue, EvaluationContext? context = null,
        CancellationToken cancellationToken = new CancellationToken())
    {
        throw new NotImplementedException();
    }

    public override Task<ResolutionDetails<double>> ResolveDoubleValueAsync(string flagKey, double defaultValue, EvaluationContext? context = null, CancellationToken cancellationToken = default)
    {
        throw new NotImplementedException();
    }

    public override Task<ResolutionDetails<Value>> ResolveStructureValueAsync(string flagKey, Value defaultValue, EvaluationContext? context = null, CancellationToken cancellationToken = default)
    {
        throw new NotImplementedException();
    }
}

Using this new provider the code now returns correctly “Flag is Enabled!” as expected, the code is far from production ready but certainly shows how simple adding a new Provider is.

To make feature flag updates more visible in real time, let’s introduce a refresh interval and a polling mechanism. The refresh interval will be set to 30 seconds, while a loop running every 10 seconds will control when the app sends requests to the Azure App Configuration Service.

using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureAppConfiguration;
using OpenFeature;

IConfigurationRefresher refresher = null;
var builder = new ConfigurationBuilder();
builder.AddAzureAppConfiguration(async options =>
{
    var endpoint = "Endpoint=https://flagsdemo-dev.azconfig.io;Id=xxxxxx;Secret=xxxxxxxxxxxxxxxxxxxx";
    options.Connect(endpoint)
        .ConfigureRefresh(refresh =>
        {
            refresh.Register($".appconfig.featureflag/feature1")
                .SetRefreshInterval(TimeSpan.FromSeconds(30));
        });
    refresher = options.GetRefresher();
});
var config = builder.Build();

// Register your feature flag provider
await Api.Instance.SetProviderAsync(new FeatureManagementProvider(config));

// Create a new client
FeatureClient client = Api.Instance.GetClient();

// Get the flag value
while (!Console.KeyAvailable)
{
    if (refresher != null)
    {
        await refresher.TryRefreshAsync();
        Console.WriteLine("Configuration refreshed at: " + DateTime.UtcNow);
    }
    var feature1Enabled = await client.GetBooleanValueAsync("feature1", false);
    Console.WriteLine(feature1Enabled ? "Flag is Enabled!" : "Flag is Disabled!");
    Thread.Sleep(TimeSpan.FromSeconds(10));
}
Console.ReadKey();
Console.WriteLine("Application stopped.");

So, if the flag is enabled and then disabled during the run we should see the change

Let’s see what the Python code looks like for the same setup

We’ll need to install some additional packages for Azure App Configuration and Feature Management

pip install featuremanagement azure-appconfiguration-provider

import asyncio
from openfeature import api
from featureManagementProvider import FeatureManagementProvider
import azure.appconfiguration.provider
from datetime import datetime, timezone
from time import sleep

async def open_feature():
  # Register your feature flag provider
  endpoint = "Endpoint=https://flagsdemo-dev.azconfig.io;Id=xxxxxx;Secret=xxxxxxxxxxxxxxxxxxxx"
  config = azure.appconfiguration.provider.load(connection_string=endpoint,refresh_interval=30, feature_flag_enabled=True, feature_flag_refresh_enabled=True)
  api.set_provider(FeatureManagementProvider(config))
  client = api.get_client()

  # create a client
  client = api.get_client()
  print(f"feature1 is ", await client.get_boolean_value_async("feature1", False))
  while True:
    config.refresh()
    print("Configuration refreshed at: " + datetime.now(timezone.utc).strftime("%m/%d/%Y, %H:%M:%S"))    
    print(f"feature1 is ", await client.get_boolean_value_async("feature1", False))
    sleep(10)

async def main():
    await open_feature()

asyncio.run(main())

As before following the OpenFeature documentation we created a provider with the bare minimum implementation

from typing import Any, List, Optional, Dict, Union

from openfeature.evaluation_context import EvaluationContext
from openfeature.flag_evaluation import FlagResolutionDetails
from openfeature.hook import Hook
from openfeature.provider import AbstractProvider, Metadata
from featuremanagement import FeatureManager

class FeatureManagementProvider(AbstractProvider):

    def __init__(self, configuration: Dict[str, Any]):
       self.feature_manager = FeatureManager(configuration)
    def get_metadata(self) -> Metadata:
        return Metadata(name="FeatureManagement Provider")

    def get_provider_hooks(self) -> List[Hook]:
        return []

    def resolve_boolean_details(
        self,
        flag_key: str,
        default_value: bool,
        evaluation_context: Optional[EvaluationContext] = None,
    ) -> FlagResolutionDetails[bool]:
        enabled = self.feature_manager.is_enabled(flag_key)
        return FlagResolutionDetails(value=enabled)

    def resolve_string_details(
        self,
        flag_key: str,
        default_value: str,
        evaluation_context: Optional[EvaluationContext] = None,
    ) -> FlagResolutionDetails[str]:
        ...

    def resolve_integer_details(
        self,
        flag_key: str,
        default_value: int,
        evaluation_context: Optional[EvaluationContext] = None,
    ) -> FlagResolutionDetails[int]:
        ...

    def resolve_float_details(
        self,
        flag_key: str,
        default_value: float,
        evaluation_context: Optional[EvaluationContext] = None,
    ) -> FlagResolutionDetails[float]:
        ...

    def resolve_object_details(
        self,
        flag_key: str,
        default_value: Union[dict, list],
        evaluation_context: Optional[EvaluationContext] = None,
    ) -> FlagResolutionDetails[Union[dict, list]]:
        ...

Exploring OpenFeature with AWS App Config

One of OpenFeature’s biggest strengths is its flexibility, switching to another provider requires only minor configuration updates. Here’s how to transition from Azure App Configuration to AWS App Config

Below is a screenshot of sample feature flags configured in AWS App Config, ready for use in this demo

in .NET we would need to add a new package

 dotnet add package AWSSDK.AppConfigData

Then remove the ConfigurationBuilder, add the AWS App Config Data Client and set the new provider to use AwsAppConfigProvider

using Amazon.AppConfigData;
using Amazon.Runtime;
using OpenFeature;

var awsClient = new AmazonAppConfigDataClient(new BasicAWSCredentials("xxxxxxxx", "xxxxxxxx"), Amazon.RegionEndpoint.EUWest2);

// Register your feature flag provider
await Api.Instance.SetProviderAsync(new AwsAppConfigProvider(awsClient, "demo-app", "xxxxxx", "demo"));

// Create a new client
FeatureClient client = Api.Instance.GetClient();

// Get the flag value
while (!Console.KeyAvailable)
{
    var feature1Enabled = await client.GetBooleanValueAsync("feature1", false);
    Console.WriteLine(feature1Enabled ? "Flag is Enabled!" : "Flag is Disabled!");
    Thread.Sleep(TimeSpan.FromSeconds(10));
}

Console.ReadKey();
Console.WriteLine("Application stopped.");

and in Python we would need to add a new package

pip install boto3

Before running the Python implementation, set the following environment variables to authenticate with AWS:

export AWS_DEFAULT_REGION=eu-west-2
export AWS_ACCESS_KEY_ID="xxxxxxxxxxxxxx"
export AWS_SECRET_ACCESS_KEY="xxxxxxxxxxxxxx"

and update the provider to use AwsAppConfigProvider

import asyncio
from openfeature import api
from datetime import datetime, timezone
from time import sleep
from awsAppConfigProvider import AwsAppConfigProvider

async def open_feature():
  # Register your feature flag provider
  
  api.set_provider(AwsAppConfigProvider("demo-app", "72ig5p6", "demo"))
  client = api.get_client()

  # create a client
  client = api.get_client()
  print(f"feature1 is ", await client.get_boolean_value_async("feature1", False))
  while True:
    print("Configuration refreshed at: " + datetime.now(timezone.utc).strftime("%m/%d/%Y, %H:%M:%S"))    
    print(f"feature1 is ", await client.get_boolean_value_async("feature1", False))
    sleep(10)

async def main():
    await open_feature()

asyncio.run(main())

As before the code is far from production ready but still demonstrates how easy it is to integrate a new provider with OpenFeature, here’s a minimal AWS App Config provider for both .NET and Python:

in .NET

using Amazon.AppConfigData;
using Amazon.AppConfigData.Model;
using OpenFeature;
using OpenFeature.Model;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;

internal class FeatureFlag
{
    public bool Enabled { get; set; }

    [JsonPropertyName("_variant")]
    public string Variant { get; set; }
}

public sealed class AwsAppConfigProvider : FeatureProvider
{
    private readonly IAmazonAppConfigData _client;
    private readonly StartConfigurationSessionRequest _sessionRequest;

    public AwsAppConfigProvider(IAmazonAppConfigData client, string applicationIdentifier, string configurationProfileIdentifier, string environmentIdentifier)
    {
        ArgumentNullException.ThrowIfNull(client);

        _client = client;
        _sessionRequest = new StartConfigurationSessionRequest
        {
            ApplicationIdentifier = applicationIdentifier,
            ConfigurationProfileIdentifier = configurationProfileIdentifier,
            EnvironmentIdentifier = environmentIdentifier
        };
    }

    public override Metadata? GetMetadata()
    {
        return new Metadata("AWS Config Provider");
    }

    public override async Task<ResolutionDetails<bool>> ResolveBooleanValueAsync(string flagKey, bool defaultValue, EvaluationContext? context = null,
        CancellationToken cancellationToken = new CancellationToken())
    {
        var sessionResponse = await _client.StartConfigurationSessionAsync(_sessionRequest);


        var configRequest = new GetLatestConfigurationRequest
        {
            ConfigurationToken = sessionResponse.InitialConfigurationToken
        };

        var configResponse = await _client.GetLatestConfigurationAsync(configRequest);

        using var memoryStream = configResponse.Configuration;
        var buffer = new byte[memoryStream.Length];
        await memoryStream.ReadExactlyAsync(buffer, 0, buffer.Length, cancellationToken);
        var configData = Encoding.UTF8.GetString(buffer);

        var flags = JsonSerializer.Deserialize<Dictionary<string, FeatureFlag>>(configData, new JsonSerializerOptions { PropertyNamingPolicy = JsonNamingPolicy.CamelCase }) ?? new Dictionary<string, FeatureFlag>();

        var enabled = flags[flagKey].Enabled;
        return new ResolutionDetails<bool>(flagKey, enabled);
    }

    public override Task<ResolutionDetails<string>> ResolveStringValueAsync(string flagKey, string defaultValue, EvaluationContext? context = null,
        CancellationToken cancellationToken = new CancellationToken())
    {
        throw new NotImplementedException();
    }

    public override Task<ResolutionDetails<int>> ResolveIntegerValueAsync(string flagKey, int defaultValue, EvaluationContext? context = null,
        CancellationToken cancellationToken = new CancellationToken())
    {
        throw new NotImplementedException();
    }

    public override Task<ResolutionDetails<double>> ResolveDoubleValueAsync(string flagKey, double defaultValue, EvaluationContext? context = null,
        CancellationToken cancellationToken = new CancellationToken())
    {
        throw new NotImplementedException();
    }

    public override Task<ResolutionDetails<Value>> ResolveStructureValueAsync(string flagKey, Value defaultValue, EvaluationContext? context = null,
        CancellationToken cancellationToken = new CancellationToken())
    {
        throw new NotImplementedException();
    }
}

in Python

from typing import List, Optional, Union

from openfeature.evaluation_context import EvaluationContext
from openfeature.flag_evaluation import FlagResolutionDetails
from openfeature.hook import Hook
from openfeature.provider import AbstractProvider, Metadata
import boto3
import json
from io import BytesIO

class AwsAppConfigProvider(AbstractProvider):

    def __init__(self, application_identifier: str, configuration_profile_identifier: str, environment_identifier: str):       
       self.client = boto3.client('appconfigdata')
       self.app_id = application_identifier
       self.profile_id = configuration_profile_identifier
       self.env_id = environment_identifier
    def get_metadata(self) -> Metadata:
        return Metadata(name="AWS App Config Provider")

    def get_provider_hooks(self) -> List[Hook]:
        return []

    def resolve_boolean_details(
        self,
        flag_key: str,
        default_value: bool,
        evaluation_context: Optional[EvaluationContext] = None,
    ) -> FlagResolutionDetails[bool]:
        
        response = self.client.start_configuration_session(
            ApplicationIdentifier=self.app_id,
            EnvironmentIdentifier=self.env_id,
            ConfigurationProfileIdentifier=self.profile_id
        )
        
        session_token = response['InitialConfigurationToken']
        config_response = self.client.get_latest_configuration(
            ConfigurationToken=session_token
        )

        # Extract the streaming body
        streaming_body = config_response['Configuration']
        config_data = json.load(BytesIO(streaming_body.read()))        
        feature_details = config_data.get(flag_key, {})
        enabled = feature_details.get("enabled", default_value)
        
        return FlagResolutionDetails(value=enabled)

    def resolve_string_details(
        self,
        flag_key: str,
        default_value: str,
        evaluation_context: Optional[EvaluationContext] = None,
    ) -> FlagResolutionDetails[str]:
        ...

    def resolve_integer_details(
        self,
        flag_key: str,
        default_value: int,
        evaluation_context: Optional[EvaluationContext] = None,
    ) -> FlagResolutionDetails[int]:
        ...

    def resolve_float_details(
        self,
        flag_key: str,
        default_value: float,
        evaluation_context: Optional[EvaluationContext] = None,
    ) -> FlagResolutionDetails[float]:
        ...

    def resolve_object_details(
        self,
        flag_key: str,
        default_value: Union[dict, list],
        evaluation_context: Optional[EvaluationContext] = None,
    ) -> FlagResolutionDetails[Union[dict, list]]:
        ...

The code would need to be modified to be production ready but it is enough to get started with an integration.

Conclusion: Feature Flag Freedom Starts Here

In this post, we explored how OpenFeature provides a vendor-neutral approach to feature flags, allowing teams to integrate cloud services like Azure App Configuration and AWS AppConfig without vendor lock-in. By adopting OpenFeature, developers gain flexibility, consistency, and scalability in managing feature flags across different environments and maintain the ability to change providers or create something custom or homegrown.

Beyond simple on/off switches, feature flags can be far more dynamic. Multi-variant flags unlock capabilities like A/B testing, gradual rollouts, and personalised user experiences, and traffic splitting, helping teams deliver smarter, data-driven features. In an future post, we’ll take a deeper look at multi-variant flags with OpenFeature and explore practical use cases. Until then, I encourage you to check out OpenFeature and support its continued development!🚀

DevOps, GitHub Actions, Security

Building Securely with Nuke.Build: Integrating Snyk Scans for .NET Projects

Posted on March 2, 2024April 11, 2024 by Mark Johnson

Introduction

As a .NET developer familiar with crafting CI/CD pipelines in YAML using platforms like Azure Pipelines or GitHub Actions, my recent discovery of Nuke.Build sparked considerable interest. This alternative offers the ability to build pipelines in the familiar C# language, complete with IntelliSense for auto-completion, and the flexibility to run and debug pipelines locally—a notable departure from the constraints of YAML pipelines, which often rely on remote build agents.

While exploring Nuke.Build’s developer-centric features, it became apparent that this tool not only enhances the developer experience but also provides an opportunity to seamlessly integrate security practices into the development workflow. As someone deeply invested in promoting developer-first application security, the prospect of incorporating security scans directly into the development lifecycle resonated strongly with me, aligning perfectly with my desire for rapid feedback on application security.

Given my role as a Snyk Ambassador, it was only natural to explore how I could leverage Snyk’s robust security scanning capabilities within the Nuke.Build pipeline to bolster the security posture of .NET projects.

In this blog post, I’ll demonstrate the creation of a pipeline using Nuke.Build and showcase the addition of Snyk scan capability, along with Software Bill of Materials (SBOM) generation. Through this proactive approach, we’ll highlight the ease of integrating a layer of security within the development lifecycle.

Getting Started

Following the Getting Started Guide on the Nuke.Build website, I swiftly integrated a build project into my solution. For the sake of simplicity, I opted to consolidate the .NET Restore, Build, and Test actions into a single target, along with adding a Clean target.

In Nuke.Build, a “target” refers to individual build steps that can be executed independently or in sequence. By combining multiple actions into a single target, I aimed to streamline the build process and eliminate unnecessary complexity.

The resulting build code looks like this:

using Nuke.Common;
using Nuke.Common.IO;
using Nuke.Common.ProjectModel;
using Nuke.Common.Tools.DotNet;

class Build : NukeBuild
{
    public static int Main() => Execute<Build>(x => x.BuildTestCode);

    [Parameter("Configuration to build - Default is 'Debug' (local) or 'Release' (server)")]
    readonly Configuration Configuration = IsLocalBuild ? Configuration.Debug : Configuration.Release;

    [Solution(GenerateProjects = true)] readonly Solution Solution;

    AbsolutePath SourceDirectory => RootDirectory / "src";
    AbsolutePath TestsDirectory => RootDirectory / "tests";

    Target Clean => _ => _
        .Executes(() =>
        {
            SourceDirectory.GlobDirectories("*/bin", "*/obj").DeleteDirectories();
        });

    Target BuildTestCode => _ => _
        .DependsOn(Clean)
        .Executes(() =>
        {
            DotNetTasks.DotNetRestore(_ => _
                .SetProjectFile(Solution)
            );
            DotNetTasks.DotNetBuild(_ => _
                .EnableNoRestore()
                .SetProjectFile(Solution)
                .SetConfiguration(Configuration)
                .SetProperty("SourceLinkCreate", true)
            );
            DotNetTasks.DotNetTest(_ => _
                .EnableNoRestore()
                .EnableNoBuild()
                .SetConfiguration(Configuration)
                .SetTestAdapterPath(TestsDirectory / "*.Tests")
            );
        });
}

Running nuke from my windows terminal built the solution and ran the tests.

Adding Security Scans

With the basic pipeline set up to build the code and run the tests, the next step is to integrate the Snyk scan into the pipeline. While Nuke supports a variety of CLI tools, unfortunately, Snyk is not among them.

To begin, you’ll need to create a free account on the Snyk platform if you haven’t already done so. Once registered, you can then install Snyk CLI using npm. If you have Node.js installed locally, you can install it by running:

npm install snyk@latest -g

Given that the Snyk CLI isn’t directly supported by Nuke, I turned to the Nuke documentation to explore possible solutions for running the CLI. Two options caught my attention: PowerShellTasks and DockerTasks.

To execute the necessary tasks for the Snyk scan, a few steps are required. These include authorizing a connection to Snyk, performing an open-source scan, potentially conducting a code scan, and generating a Software Bill of Materials (SBOM).

Let’s delve into each of these tasks using PowerShellTasks in Nuke. Firstly, let’s tackle authorization. The CLI command for authorization is:

snyk auth

Running this command typically opens a web browser to the Snyk platform, allowing you to authorize access. However, this method isn’t suitable for automated builds on a remote agent. Instead, we need to provide credentials. If you’re using a free account, your user will have an API Token available, which you can find on your account settings page under “API Token.” For enterprise accounts, you can create a service account specifically for this purpose.

To incorporate the Snyk Token into our application, let’s add a parameter to the code:

[Parameter("Snyk Token to interact with the API")] readonly string SnykToken;

Next, we’ll create a new target to execute the authorization command using PowerShellTasks and pass in the Snyk Token:

Target SnykAuth => _ => _
    .DependsOn(BuildTestCode)
    .Executes(() =>
    {          
        PowerShellTasks.PowerShell(_ => _
            .SetCommand("npm install snyk@latest -g")
        );
        PowerShellTasks.PowerShell(_ => _
            .SetCommand($"snyk auth {SnykToken}")
        );
    });

NOTE: This assumes that the build agent does not have the Snyk CLI installed

With authorization complete, our next task is to add a target for the Snyk Open Source scan, ensuring it depends on the Snyk Auth target:

 Target SnykTest => _ => _
    .DependsOn(SnykAuth)
    .Executes(() =>
    {
        // Snyk Test
        PowerShellTasks.PowerShell(_ => _
          .SetCommand("snyk test --all-projects --exclude=build")
        );
    });

Including the --all-projects flag ensures that all projects are scanned, which is good practice for .NET projects. Additionally, I’ve added an exclusion for the build project to focus the scan on application issues. I typically rely on Snyk Monitor attached to my GitHub Repo to detect issues in the entire repository, leaving this scan to concentrate solely on the application being deployed.

Finally, we need to update the Execute method to include the Snyk Test:

public static int Main() => Execute<Build>(x => x.BuildTestCode, x => x.SnykTest);

Running nuke again from the Windows terminal now prompts for Snyk authentication

Once authenticated

In order to prevent this we need to pass the API token value to nuke. It’s a good idea to set an environment variable for your API token e.g. with PowerShell

$env:snykApiToken = "<your api token>"
# or using the Snyk CLI
$env:snykApiToken = snyk config get api
# Run nuke passing in the parameter
nuke --snykToken $snykApiToken

Upon executing the scan, it promptly identified several issues:

Subsequently, the Snyk Test failed, flagging vulnerabilities in the code and failing SnykTest:

To control whether the build fails based on the severity of vulnerabilities found, we can add another parameter:

 [Parameter("Snyk Severity Threshold (critical, high, medium or low)")] readonly string SnykSeverityThreshold = "high";

Ensure that the value has been set before using it. Note that the threshold must be in lowercase.

Target SnykTest => _ => _
    .DependsOn(SnykAuth)
    .Requires(() => SnykSeverityThreshold)
    .Executes(() =>
    {
        // Snyk Test
        PowerShellTasks.PowerShell(_ => _
          .SetCommand($"snyk test --all-projects --exclude=build --severity-threshold={SnykSeverityThreshold.ToLowerInvariant()}")
        );
    });

Now, let’s address running Snyk Code for a SAST scan, which will also need a parameter to control the severity threshold:

[Parameter("Snyk Code Severity Threshold (high, medium or low)")] readonly string SnykCodeSeverityThreshold = "high";

We’ll create another target for the Code test:

Target SnykCodeTest => _ => _
    .DependsOn(SnykAuth)
    .Requires(() => SnykCodeSeverityThreshold)
    .Executes(() =>
    {
        PowerShellTasks.PowerShell(_ => _
            .SetCommand($"snyk code test --all-projects --exclude=build --severity-threshold={SnykCodeSeverityThreshold.ToLowerInvariant()}")
        );
    });

Update the Execute method to include the code test:

public static int Main() => Execute<Build>(x => x.BuildTestCode, x => x.SnykTest, x => x.SnykCodeTest);

With the severity set for both scans, SnykTest continues to find high vulnerabilities, while SnykCodeTest passes:

To generate an SBOM (Software Bill of Materials) using Snyk and publish it as a build artifact, let’s add an output path:

AbsolutePath OutputDirectory => RootDirectory / "outputs";

And include a Produces entry to ensure the artifact is generated and stored in the specified directory:

Target GenerateSbom => _ => _
   .DependsOn(SnykAuth)
   .Produces(OutputDirectory / "*.json")
   .Executes(() =>
   {
       OutputDirectory.CreateOrCleanDirectory();
       PowerShellTasks.PowerShell(_ => _
           .SetCommand($"snyk sbom --all-projects --format spdx2.3+json --json-file-output={OutputDirectory / "sbom.json"}")
       );
   });

Lastly, update the Execute method to include the generation of the SBOM:

public static int Main() => Execute<Build>(x => x.BuildTestCode, x => x.SnykTest, x => x.SnykCodeTest, x => x.GenerateSbom);

Now, when executing Nuke, the SBOM will be generated and stored in the specified directory, ready to be published as a build artifact.

Earlier, I mentioned that PowerShellTasks and DockerTasks were both viable options for integrating the Snyk CLI into the Nuke build. Here’s how you can achieve the same tasks using DockerTasks:

using Nuke.Common.Tools.Docker;
...
  Target SnykTest => _ => _
     .DependsOn(BuildTestCode)
     .Requires(() => SnykToken, () => SnykSeverityThreshold)
     .Executes(() =>
     {
         // Snyk Test
         DockerTasks.DockerRun(_ => _
             .EnableRm()
             .SetVolume($"{RootDirectory}:/app")
             .SetEnv($"SNYK_TOKEN={SnykToken}")
             .SetImage("snyk/snyk:dotnet")
             .SetCommand($"snyk test --all-projects --exclude=build --severity-threshold={SnykSeverityThreshold.ToLowerInvariant()}")
         );
     });
 Target SnykCodeTest => _ => _
     .DependsOn(BuildTestCode)
     .Requires(() => SnykToken, () => SnykCodeSeverityThreshold)
     .Executes(() =>
     {
         DockerTasks.DockerRun(_ => _
             .EnableRm()
             .SetVolume($"{RootDirectory}:/app")
             .SetEnv($"SNYK_TOKEN={SnykToken}")
             .SetImage("snyk/snyk:dotnet")
             .SetCommand($"snyk code test --all-projects --exclude=build --severity-threshold={SnykCodeSeverityThreshold.ToLowerInvariant()}")
         );
     });
 Target GenerateSbom => _ => _
     .DependsOn(BuildTestCode)
     .Produces(OutputDirectory / "*.json")
     .Requires(() => SnykToken)
     .Executes(() =>
     {
         OutputDirectory.CreateOrCleanDirectory();
         DockerTasks.DockerRun(_ => _
             .EnableRm()
             .SetVolume($"{RootDirectory}:/app")
             .SetEnv($"SNYK_TOKEN={SnykToken}")
             .SetImage("snyk/snyk:dotnet")
             .SetCommand($"snyk sbom --all-projects --format spdx2.3+json --json-file-output={OutputDirectory.Name}/sbom.json")
         );
     });

NOTE: Snyk Auth is not required as a separate task as that is done inside the snyk container

Automating Nuke.Build with GitHub Actions: Generating YAML

Nuke comes with another useful feature: the ability to see a plan, which shows which targets are being executed and when. Simply running nuke --plan provides an HTML output of the plan:

With everything configured for local execution, it’s time to think about running this in a pipeline. Nuke supports various CI platforms, but for this demonstration, I’ll be using GitHub Actions. Nuke provides attributes to automatically generate the file to run the code:

using Nuke.Common.CI.GitHubActions;

[GitHubActions(
    "continuous",
    GitHubActionsImage.UbuntuLatest,
    On = new[] { GitHubActionsTrigger.Push },
    ImportSecrets = new[] { nameof(SnykOrgId), nameof(SnykToken), nameof(SnykSeverityThreshold), nameof(SnykCodeSeverityThreshold) },
    InvokedTargets = new[] { nameof(BuildTestCode), nameof(SnykTest), nameof(SnykCodeTest), nameof(GenerateSbom) })]
class Build : NukeBuild
...

To pass in the parameters for GitHub Actions, we’ll need to designate the token as a Secret:

[Parameter("Snyk Token to interact with the API")][Secret] readonly string SnykToken;

Next, let’s remove the default values for the threshold parameters:

[Parameter("Snyk Severity Threshold (critical, high, medium or low)")] readonly string SnykSeverityThreshold;
[Parameter("Snyk Code Severity Threshold (high, medium or low)")] readonly string SnykCodeSeverityThreshold;

We’ll then add the values from the .nuke/parameters.json file:

{
  "$schema": "./build.schema.json",
  "Solution": "Useful.Extensions.sln",
  "SnykSeverityThreshold": "high",
  "SnykCodeSeverityThreshold": "high"
}

Running Nuke again produces the following auto-generated output for GitHub Actions YAML in the folder .github/workflows/continuous.yml:

# ------------------------------------------------------------------------------
# <auto-generated>
#
#     This code was generated.
#
#     - To turn off auto-generation set:
#
#         [GitHubActions (AutoGenerate = false)]
#
#     - To trigger manual generation invoke:
#
#         nuke --generate-configuration GitHubActions_continuous --host GitHubActions
#
# </auto-generated>
# ------------------------------------------------------------------------------

name: continuous

on: [push]

jobs:
  ubuntu-latest:
    name: ubuntu-latest
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: 'Cache: .nuke/temp, ~/.nuget/packages'
        uses: actions/cache@v3
        with:
          path: |
            .nuke/temp
            ~/.nuget/packages
          key: ${{ runner.os }}-${{ hashFiles('**/global.json', '**/*.csproj', '**/Directory.Packages.props') }}
      - name: 'Run: BuildTestCode, SnykTest, SnykCodeTest, GenerateSbom'
        run: ./build.cmd BuildTestCode SnykTest SnykCodeTest GenerateSbom
        env:
          SnykToken: ${{ secrets.SNYK_TOKEN }}
          SnykSeverityThreshold: ${{ secrets.SNYK_SEVERITY_THRESHOLD }}
          SnykCodeSeverityThreshold: ${{ secrets.SNYK_CODE_SEVERITY_THRESHOLD }}
      - name: 'Publish: outputs'
        uses: actions/upload-artifact@v3
        with:
          name: outputs
          path: outputs

This YAML file is automatically generated by Nuke and is ready to be used in your GitHub Actions workflow. It sets up the necessary steps to run your build, including caching dependencies, executing targets, and publishing artifacts.

NOTE: When I first committed the nuke build files, GitHub Actions gave me a permission denied error when running build.cmd. Running these commands and committing them got over that problem

git update-index --chmod=+x .\build.cmd
git update-index --chmod=+x .\build.sh

Here is the output of the GitHub Actions run for this pipeline

After fixing the vulnerabilities in my code, the workflow successfully passed:

Here’s the full C# source code for both PowerShell and Docker versions:

using Nuke.Common;
using Nuke.Common.CI.GitHubActions;
using Nuke.Common.IO;
using Nuke.Common.ProjectModel;
using Nuke.Common.Tools.DotNet;
using Nuke.Common.Tools.PowerShell;

[GitHubActions(
    "continuous",
    GitHubActionsImage.UbuntuLatest,
    On = new[] { GitHubActionsTrigger.Push },
    ImportSecrets = new[] { nameof(SnykToken), nameof(SnykSeverityThreshold), nameof(SnykCodeSeverityThreshold) },
    InvokedTargets = new[] { nameof(BuildTestCode), nameof(SnykTest), nameof(SnykCodeTest), nameof(GenerateSbom) })]
class Build : NukeBuild
{
    public static int Main() => Execute<Build>(x => x.BuildTestCode, x => x.SnykTest, x => x.SnykCodeTest, x => x.GenerateSbom);

    [Parameter("Configuration to build - Default is 'Debug' (local) or 'Release' (server)")]
    readonly Configuration Configuration = IsLocalBuild ? Configuration.Debug : Configuration.Release;

    [Parameter("Snyk Token to interact with the API")][Secret] readonly string SnykToken;
    [Parameter("Snyk Severity Threshold (critical, high, medium or low)")] readonly string SnykSeverityThreshold;
    [Parameter("Snyk Code Severity Threshold (high, medium or low)")] readonly string SnykCodeSeverityThreshold;

    [Solution(GenerateProjects = true)] readonly Solution Solution;

    AbsolutePath SourceDirectory => RootDirectory / "src";
    AbsolutePath TestsDirectory => RootDirectory / "tests";
    AbsolutePath OutputDirectory => RootDirectory / "outputs";

    Target Clean => _ => _
        .Executes(() =>
        {
            SourceDirectory.GlobDirectories("*/bin", "*/obj").DeleteDirectories();
        });

    Target BuildTestCode => _ => _
        .DependsOn(Clean)
        .Executes(() =>
        {
            DotNetTasks.DotNetRestore(_ => _
                .SetProjectFile(Solution)
            );
            DotNetTasks.DotNetBuild(_ => _
                .EnableNoRestore()
                .SetProjectFile(Solution)
                .SetConfiguration(Configuration)
                .SetProperty("SourceLinkCreate", true)
            );
            DotNetTasks.DotNetTest(_ => _
                .EnableNoRestore()
                .EnableNoBuild()
                .SetConfiguration(Configuration)
                .SetTestAdapterPath(TestsDirectory / "*.Tests")
            );
        });
    Target SnykAuth => _ => _
     .DependsOn(BuildTestCode)
     .Executes(() =>
     {
         PowerShellTasks.PowerShell(_ => _
             .SetCommand("npm install snyk@latest -g")
         );
         PowerShellTasks.PowerShell(_ => _
             .SetCommand($"snyk auth {SnykToken}")
         );
     });
    Target SnykTest => _ => _
        .DependsOn(SnykAuth)
        .Requires(() => SnykSeverityThreshold)
        .Executes(() =>
        {
            PowerShellTasks.PowerShell(_ => _
                .SetCommand($"snyk test --all-projects --exclude=build --severity-threshold={SnykSeverityThreshold.ToLowerInvariant()}")
            );
        });
    Target SnykCodeTest => _ => _
        .DependsOn(SnykAuth)
        .Requires(() => SnykCodeSeverityThreshold)
        .Executes(() =>
        {
            PowerShellTasks.PowerShell(_ => _
                .SetCommand($"snyk code test --all-projects --exclude=build --severity-threshold={SnykCodeSeverityThreshold.ToLowerInvariant()}")
            );
        });
    Target GenerateSbom => _ => _
        .DependsOn(SnykAuth)
        .Produces(OutputDirectory / "*.json")
        .Executes(() =>
        {
            OutputDirectory.CreateOrCleanDirectory();
            PowerShellTasks.PowerShell(_ => _
                .SetCommand($"snyk sbom --all-projects --format spdx2.3+json --json-file-output={OutputDirectory / "sbom.json"}")
            );
        });
}

using Nuke.Common;
using Nuke.Common.CI.GitHubActions;
using Nuke.Common.IO;
using Nuke.Common.ProjectModel;
using Nuke.Common.Tools.Docker;
using Nuke.Common.Tools.DotNet;

[GitHubActions(
    "continuous",
    GitHubActionsImage.UbuntuLatest,
    On = new[] { GitHubActionsTrigger.Push },
    ImportSecrets = new[] { nameof(SnykToken), nameof(SnykSeverityThreshold), nameof(SnykCodeSeverityThreshold) },
    InvokedTargets = new[] { nameof(BuildTestCode), nameof(SnykTest), nameof(SnykCodeTest), nameof(GenerateSbom) })]
class Build : NukeBuild
{
    public static int Main() => Execute<Build>(x => x.BuildTestCode, x => x.SnykTest, x => x.SnykCodeTest, x => x.GenerateSbom);

    [Parameter("Configuration to build - Default is 'Debug' (local) or 'Release' (server)")]
    readonly Configuration Configuration = IsLocalBuild ? Configuration.Debug : Configuration.Release;

    [Parameter("Snyk Token to interact with the API")][Secret] readonly string SnykToken;
    [Parameter("Snyk Severity Threshold (critical, high, medium or low)")] readonly string SnykSeverityThreshold;
    [Parameter("Snyk Code Severity Threshold (high, medium or low)")] readonly string SnykCodeSeverityThreshold;

    [Solution(GenerateProjects = true)] readonly Solution Solution;

    AbsolutePath SourceDirectory => RootDirectory / "src";
    AbsolutePath TestsDirectory => RootDirectory / "tests";
    AbsolutePath OutputDirectory => RootDirectory / "outputs";

    Target Clean => _ => _
        .Executes(() =>
        {
            SourceDirectory.GlobDirectories("*/bin", "*/obj").DeleteDirectories();
        });

    Target BuildTestCode => _ => _
        .DependsOn(Clean)
        .Executes(() =>
        {
            DotNetTasks.DotNetRestore(_ => _
                .SetProjectFile(Solution)
            );
            DotNetTasks.DotNetBuild(_ => _
                .EnableNoRestore()
                .SetProjectFile(Solution)
                .SetConfiguration(Configuration)
                .SetProperty("SourceLinkCreate", true)
            );
            DotNetTasks.DotNetTest(_ => _
                .EnableNoRestore()
                .EnableNoBuild()
                .SetConfiguration(Configuration)
                .SetTestAdapterPath(TestsDirectory / "*.Tests")
            );
        });
    Target SnykTest => _ => _
        .DependsOn(BuildTestCode)
        .Requires(() => SnykToken, () => SnykSeverityThreshold)
        .Executes(() =>
        {
            // Snyk Test
            DockerTasks.DockerRun(_ => _
                .EnableRm()
                .SetVolume($"{RootDirectory}:/app")
                .SetEnv($"SNYK_TOKEN={SnykToken}")
                .SetImage("snyk/snyk:dotnet")
                .SetCommand($"snyk test --all-projects --exclude=build --severity-threshold={SnykSeverityThreshold.ToLowerInvariant()}")
            );
        });
    Target SnykCodeTest => _ => _
        .DependsOn(BuildTestCode)
        .Requires(() => SnykToken, () => SnykCodeSeverityThreshold)
        .Executes(() =>
        {
            DockerTasks.DockerRun(_ => _
                .EnableRm()
                .SetVolume($"{RootDirectory}:/app")
                .SetEnv($"SNYK_TOKEN={SnykToken}")
                .SetImage("snyk/snyk:dotnet")
                .SetCommand($"snyk code test --all-projects --exclude=build --severity-threshold={SnykCodeSeverityThreshold.ToLowerInvariant()}")
            );
        });
    Target GenerateSbom => _ => _
        .DependsOn(BuildTestCode)
        .Produces(OutputDirectory / "*.json")
        .Requires(() => SnykToken)
        .Executes(() =>
        {
            OutputDirectory.CreateOrCleanDirectory();
            DockerTasks.DockerRun(_ => _
                .EnableRm()
                .SetVolume($"{RootDirectory}:/app")
                .SetEnv($"SNYK_TOKEN={SnykToken}")
                .SetImage("snyk/snyk:dotnet")
                .SetCommand($"snyk sbom --all-projects --format spdx2.3+json --json-file-output={OutputDirectory.Name}/sbom.json")
            );
        });
}

Final Thoughts

Nuke.Build is a great concept for performing build pipelines and it really helps to be able to run the pipeline locally and test it out, making sure paths and everything are correct. Couple that with the capability to generate GitHub Actions and other support CI pipelines to run the code is a big benefit.

Adding Security Scans to catch things early is another plus and I am glad that it’s possible to run those scans in multiple ways in Nuke, hopefully the Snyk CLI can be supported in Nuke directly in the future.

If you haven’t checked out Nuke yet, I would definitely give it a try and see the benefits for yourself.

Coding With Taz

Coding With Taz

Thoughts and things I learn

Building Securely with Nuke.Build: Integrating Snyk Scans for .NET Projects

Introduction

Getting Started

Adding Security Scans

Automating Nuke.Build with GitHub Actions: Generating YAML

Final Thoughts