#
YarnAudit
Finds CVEs in Node modules included as dependencies in a project that is packaged by Yarn.
This scanner allows you to select which types of dependencies to exclude. By default, all dependencies are included.
See https://yarnpkg.com/lang/en/docs/dependency-types/ for more info on dependency types.
#
Configuration
scanner_configs:
YarnAudit:
exclude_groups:
# Including all 3 effectively disables yarn as yarn audit is a CVE scanner on dependencies
- dependencies # project dependencies
- devDependencies # dev only dependencies
- optionalDependencies # specifically labelled as optional
exceptions:
- advisory_id: 788
changed_by: Appsec team
notes: Temporary exception generated automatically
expiration: "2021-04-27"
If you only want to scan production-related dependencies, then you want the following:
scanner_configs:
YarnAudit:
exclude_groups:
- devDependencies # dev only dependencies
See NodeAudit doc for more configuration options.