Scanning JavaScript and TypeScript code

By default, any NPM dependencies (the node_modules directory) that exist in your project are included in the project package for translation only. This improves the analysis results by making type resolution information from the dependency JavaScript and TypeScript code available. However, OpenText SAST excludes the files in node_modules from the analysis itself, so no vulnerabilities are reported for these NPM dependencies in the scan results.

To prevent Fortify ScanCentral SAST from automatically restoring dependencies, include the -skipBuild option in the scan request command. Note that -skipBuild only stops the dependency restore: an existing node_modules directory is still included in the project package that is sent to the Controller unless you explicitly exclude it.

To exclude the node_modules directory from your project package, use the -exclude option in the start or package command. For example:

scancentral -sscurl <ssc_url> -ssctoken <token> start -exclude node_modules

To include the NPM dependencies in the scan results, see the OpenText™ Static Application Security Testing User Guide for information about translating JavaScript and TypeScript code.