Open
Conversation
…config in new flow
attiasas
added
the
safe to test
github-actions
Bot
removed
the
safe to test
attiasas
added
the
safe to test
github-actions
Bot
removed
the
safe to test
attiasas
added
the
safe to test
attiasas
added
the
safe to test
github-actions
Bot
removed
the
safe to test
attiasas
added
the
safe to test
github-actions
Bot
removed
the
safe to test
eranturgeman
reviewed
May 7, 2026
| return []string{target.Target} | ||
| } | ||
|
|
||
| func GetWorkingDirsFromTarget(target results.ScanTarget) []string { |
eranturgeman
reviewed
May 7, 2026
|
|
||
| func (a *JasScanner) Run(scannerCmd ScannerCmd, module jfrogappsconfig.Module) (vulnerabilitiesSarifRuns []*sarif.Run, violationsSarifRuns []*sarif.Run, err error) { | ||
| func (a *JasScanner) DeprecatedRun(scannerCmd ScannerCmd, module jfrogappsconfig.Module, centralConfigExclusions []string) (vulnerabilitiesSarifRuns []*sarif.Run, violationsSarifRuns []*sarif.Run, err error) { | ||
| func() { |
Contributor
There was a problem hiding this comment.
we can remove the func() {...}() wrapper - it adds no value it wraps it and calls the func inside DeprecatedRun.
eranturgeman
reviewed
May 7, 2026
| if len(st.Include) > 0 { | ||
| relativePaths := []string{} | ||
| for _, path := range st.Include { | ||
| relativePaths = append(relativePaths, utils.GetRelativePath(path, st.Target)) |
Contributor
There was a problem hiding this comment.
aren't they already relative paths here?
eranturgeman
reviewed
May 7, 2026
| return false | ||
| } | ||
|
|
||
| func (st ScanTarget) String() (str string) { |
Contributor
There was a problem hiding this comment.
- in line 267 do str += st.Name or you'll erase the previous step of the Target/Target + Include dirs
- The log can contain Target + Include dirs + Name + techs and it will look like that:
{} [].
maybe we should make it a bit more readable, like:
: {} [technologies: ]
eranturgeman
reviewed
May 7, 2026
| relative := utils.GetRelativePath(potential.Target, sourceBasePath) | ||
| log.Debug(fmt.Sprintf("Comparing target %s, relative: '%s'", potential.String(), relative)) | ||
| if technology != techutils.NoTech && potential.Technology != technology { | ||
| if len(technologies) > 0 && !utils.ElementsEqual[techutils.Technology](potential.Technologies, technologies) { |
Contributor
There was a problem hiding this comment.
maybe not something we want to address but maybe worth noting- if a new tech is added in a PR (new module or something) we will find no match. this is a edge case but maybe worth a comment
eranturgeman
reviewed
May 7, 2026
| return filepath.Join(curationFolder, "nuget"), nil | ||
| } | ||
|
|
||
| func GetFullPathsWorkingDirs(workingDirs []string) ([]string, error) { |
Contributor
There was a problem hiding this comment.
can maybe be replaced with coreutils.GetFullPathsWorkingDirs
eranturgeman
reviewed
May 7, 2026
| }) | ||
| } | ||
| // Load deprecated apps config information for all targets | ||
| if params.DeprecatedAppsConfig() == nil && !isNewFlow(params.bomGenerator) { |
Contributor
There was a problem hiding this comment.
shouldn't it be params.DeprecatedAppsConfig != nil ?
eranturgeman
reviewed
May 7, 2026
| return | ||
| } | ||
|
|
||
| func runApplicabilityScan(applicabilityScanManager *ApplicabilityScanManager, params ContextualAnalysisScanParams) (vulnerabilitiesSarifRuns []*sarif.Run, err error) { |
Contributor
There was a problem hiding this comment.
why manager is passed as a param and it is not a method?
eranturgeman
reviewed
May 7, 2026
| return | ||
| } | ||
|
|
||
| func runIacScan(iacScanManager *IacScanManager, params IacScanParams) (vulnerabilitiesResults []*sarif.Run, violationsResults []*sarif.Run, err error) { |
Contributor
There was a problem hiding this comment.
why manager is passed as a param and it is not a method?
eranturgeman
reviewed
May 7, 2026
| return | ||
| } | ||
|
|
||
| func runSastScan(sastScanManager *SastScanManager, params SastScanParams) (vulnerabilitiesResults []*sarif.Run, violationsResults []*sarif.Run, err error) { |
Contributor
There was a problem hiding this comment.
why manager is passed as a param and it is not a method?
eranturgeman
reviewed
May 7, 2026
| return | ||
| } | ||
|
|
||
| func runSecretsScan(secretScanManager *SecretScanManager, params SecretsScanParams) (vulnerabilitiesResults []*sarif.Run, violationsResults []*sarif.Run, err error) { |
Contributor
There was a problem hiding this comment.
why manager is passed as a param and it is not a method?
eranturgeman
reviewed
May 7, 2026
| log.Debug(fmt.Sprintf("Skipping %s scan as requested by '%s' config profile...", jasType, configProfile.ProfileName)) | ||
| return true | ||
| } | ||
| // validate target is excluded by config profile exclude patterns |
Contributor
There was a problem hiding this comment.
// validate IF target is excluded by config profile exclude patterns
eranturgeman
reviewed
May 7, 2026
| require.Equal(t, "dir/file2", sarifutils.GetLocationFileName(result.Locations[0])) | ||
| } | ||
|
|
||
| func TestShouldSkipScannerByConfigProfile(t *testing.T) { |
Contributor
There was a problem hiding this comment.
what about test for ShouldSkipScannerByModule
eranturgeman
reviewed
May 7, 2026
|
|
||
| func GenerateSbomForTarget(generator SbomGenerator, params SbomGeneratorParams) { | ||
| startLog := "Generating SBOM" | ||
| if params.TotalTargets > 1 { |
Contributor
There was a problem hiding this comment.
just making sure - it TotalTarget > 1, do we have them all in params.Target.Target?.
Also change the log to " for targets: %s"
eranturgeman
reviewed
May 7, 2026
| } | ||
| outLog := "SBOM generated" | ||
| if totalTargets > 1 { | ||
| outLog += fmt.Sprintf(" for target '%s'", target) |
Contributor
There was a problem hiding this comment.
also here, it totalTargets > 1 we need to change the log to " for targets ..."
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Support multiple working dirs with single-target scan flow & deprecate jfrog-apps-config in new flow
Summary
Refactors the audit scan pipeline to support multiple working directories via a single scan target (
--static-sca/ Xray lib flow), and deprecates thejfrog-apps-config.ymlmodule system for JAS scans in the new flow. Scan configuration (include/exclude patterns, central config modules) is now carried directly onScanTargetinstead of being resolved throughjfrog-apps-configmodules.Depends on:
Analyzer-Manager minimum version:
1.33.0Changes
ScanTargetextended – addedInclude,Exclude,DeprecatedAppsConfigModule, andCentralConfigModulesfields; added methodsIsScanRequestedByCentralConfig,GetCentralConfigExclusions,GetDeprecatedAppsConfigModuleExclusions.createSingleScanTarget) – when the new flow (Xray lib BOM generator) is active, a singleScanTargetis created with the working directories as include paths, instead of detecting one target per technology directory.Run(target ScanTarget)(new flow, target-based) andDeprecatedRun(module, centralConfigExclusions)(old flow, module-based). Config file generation, exclude-pattern resolution, and SARIF result reading follow the same split.jfrog-apps-configdeprecated in new flow –AppsConfigModulereplaced byDeprecatedAppsConfigModule; config loading only happens in the old (graph-based) flow. A deprecation warning is emitted when the file is detected.ScanTarget.Excludeis set during target detection and passed through to BOM generation (Xray libIgnorePatterns+IncludeDirs) and all JAS scanner config files.matchCentralConfigModulesassigns profile modules to targets;ShouldSkipScannerByConfigProfilechecks enablement per scan type on the target.fillMissingRequiredInvocationInformationnow aggregates execution success and creates a single canonical invocation withincludeproperty bag for multi-root targets.bomgenerator– logging of component counts and duration is now in the sharedGenerateSbomForTargetinstead of duplicated inXrayLibBomGenerator.GetFullPathsWorkingDirs,IsPathExcluded,ElementsEqual,CreateNewInvocation.commands/audit/audit_test.go,jas/common_test.go,jas/secrets/secretsscanner_test.go,jas/iac/iacscanner_test.go,jas/applicability/applicabilitymanager_test.go,utils/results/results_test.go,utils/paths_test.go,utils/utils_test.go.Testing
Notes
jfrog-apps-config.ymlis deprecated – flags, env vars, or central JFrog Platform config should be used instead.jfrog-apps-configas before.