Closed imranzunzani closed 2 months ago
Hi @imranzunzani,
In Frogbot we currently lack the option of excluding devDependencies from the scan.
However, this option is available in the JFrog CLI: if you want to change the dependency scanning type, you can use the following flag when triggering your scan: --dep-type
Meaning, you can trigger an audit scan locally on your machine by running the following command from your project directory: jf audit --dep-type prodOnly
When this flag is set to "prodOnly", the devDependencies will not be scanned.
In addition, you can open a feature request in the Frogbot project and our team will review it.
You can find more information regarding the different CLI audit command flags here: https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-security/scan-your-source-code
And you can find more information regarding the existing Frogbot configurations here: https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration and https://github.com/jfrog/documentation/blob/main/jfrog-applications/frogbot/templates/.frogbot/frogbot-config.yml
Hi @orz25, I figured out a way to do this with Frogbot. Setting an env value, as below, works:

```yaml
env:
  NODE_ENV: 'production'
```

Hope this helps others searching for a way/workaround.
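The two workarounds in this thread (jf audit --dep-type prodOnly, and NODE_ENV=production for Frogbot) both come down to the same question: which entries of the npm dependency tree are reachable only through devDependencies? npm records that in lockfileVersion 2/3 package-lock.json files as a "dev": true flag on each "packages" entry, and with NODE_ENV=production it installs as if --omit=dev were given, so those entries never reach node_modules and never reach the scanner. The following is an added example, not code from Frogbot, the JFrog CLI, or anyone in this thread: it reads a constructed lockfile and lists the packages a prodOnly scan would still cover. The one caveat worth checking in your own lockfile is that a package reachable from both a production and a dev dependency (here "shared") is not flagged dev, so excluding devDependencies does not drop it, and "devOptional" entries are also kept because they are reachable through an optional edge of a production dependency.

```javascript
// Added example (not Frogbot or JFrog CLI code): compute the "prodOnly" package
// set of an npm lockfile from the dev/devOptional flags npm writes into
// lockfileVersion 2/3 "packages" entries. This is the set that remains after
// `npm install --omit=dev` (the behaviour NODE_ENV=production triggers).

// Constructed sample lockfile, not taken from any real project. Package names
// and versions are illustrative. "shared" is needed by both express (prod) and
// jest (dev), so npm leaves it unflagged; "fsevents" is devOptional.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { express: "^4.18.2" },
      devDependencies: { jest: "^29.0.0" },
    },
    "node_modules/express": { version: "4.18.2", dependencies: { shared: "1.0.0" } },
    "node_modules/shared": { version: "1.0.0" },
    "node_modules/jest": {
      version: "29.7.0",
      dev: true,
      dependencies: { shared: "1.0.0", "jest-util": "29.7.0" },
    },
    "node_modules/jest-util": { version: "29.7.0", dev: true },
    "node_modules/fsevents": { version: "2.3.3", devOptional: true },
  },
};

// Package name from a lockfile path such as "node_modules/a/node_modules/@s/b":
// take whatever follows the last "node_modules/" (keeps scoped names intact).
function packageName(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns a sorted array of "name@version" strings for the lockfile.
// With prodOnly=true, entries npm flagged "dev": true are dropped. Entries
// flagged devOptional are kept: npm only sets that when the package is also
// an optional dependency of a non-dev package, so --omit=dev keeps it.
function lockPackages(lock, { prodOnly = false } = {}) {
  if (!lock.packages || typeof lock.packages !== "object") {
    throw new Error("expected lockfileVersion 2 or 3 (needs a 'packages' map)");
  }
  const result = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // root project entry, not a dependency
    if (prodOnly && entry.dev === true) continue;
    result.push(`${packageName(lockPath)}@${entry.version}`);
  }
  return result.sort();
}

// Packages that a prodOnly scan would no longer report on.
function excludedByProdOnly(lock) {
  const prod = new Set(lockPackages(lock, { prodOnly: true }));
  return lockPackages(lock).filter((p) => !prod.has(p));
}

console.log("all packages:     ", lockPackages(SAMPLE_LOCK));
console.log("prodOnly packages:", lockPackages(SAMPLE_LOCK, { prodOnly: true }));
console.log("excluded:         ", excludedByProdOnly(SAMPLE_LOCK));
```

Run it with node against the embedded sample, or replace SAMPLE_LOCK with JSON.parse of a real package-lock.json to see exactly which packages a prodOnly or NODE_ENV=production scan will skip before you rely on the reduced finding count.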
How to exclude scanning the devDependencies for npm / js projects? Currently, the scans seem to be scanning for devDependencies by default, which generates many violations. This happens in both the Repo and PR Scans. Something similar to: https://github.com/jeremylong/DependencyCheck/issues/3462