How to exclude scanning the devDependencies for npm / js projects?

[imranzunzani]

How to exclude scanning the devDependencies for npm / js projects? Currently, the scans seem to be scanning for devDependencies by default, which generates many violations. This happens in both the Repo and PR Scans.

Something similar to:
jeremylong/DependencyCheck#3462

[orz25]

Hi @imranzunzani ,
In Frogbot we currently lack the option of excluding devDependencies from the scan.
However, this option is available on Jfrog Cli: in the Cli, If you want to change the dependency scanning type, you can use the following flag when trigger your scan: --dep-type
Meaning, you can trigger an audit scan locally on your machine by running the following command from your project directory: jf audit --dep-type prodOnly
When this flag is set to "prodOnly" the devDependencies will not be scanned.
In addition, you can add a feature request to the Frogbot project and our team will review it.

You can find more information regarding the different Cli Audit command flags here: https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-security/scan-your-source-code

And can find more information regarding the existing Frogbot configurations here:
https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration
https://github.com/jfrog/documentation/blob/main/jfrog-applications/frogbot/templates/.frogbot/frogbot-config.yml

[imranzunzani]

Hi @orz25,
Figured out a way to do this with Frogbot. Setting an env value, as below, works:

        env:
          NODE_ENV: 'production'

Hope this helps others searching for a way/workaround.