Configuration File Parameter
Description and Expected Behavior
Command Line Parameter Available?
A string parameter that defines the list of directory patterns which will be ignored when searching for the package.json dependency file during the npm resolution. The list of directories is a comma/semi-colon delimited list.
Whether to resolve npm dependencies.
NOTE: 'package.json' dependency files defined within directories defined by the npm.ignoreDirectoryPatterns are not scanned, and therefore dependencies declared in these files are ignored. For example, the default set of directories to ignore will not include the following dependency files:
Resolves npm dependenciesNPM/yarn dependencies.
Will not resolve npm dependenciesresolve NPM/yarn dependencies.
When using the npm resolver, ignore or include the js files outside the node_modules folder.
NOTE: Only relevant when fileSystemScan is true.
Ignores the js files outside the node_modules folder.
Includes the js files outside the node_modules folder.
Whether to include dev dependencies.
Adds devDependencies to the scan
Only the prod dependencies will be scanned.
Whether to run “npm
Runs "npm install" on found package.json file.If npm.runPreStep is set to true, and the Unified Agent identifies
Installs the NPM/yarn project.
Will not Install the NPM/yarn project.
Whether to ignore errors of the 'npm list' command.
The scan will end with SUCCESS status + hierarchy tree.
The scan will end with SUCCESS status + flat list.
Whether to ignore the scripts in your project's package.json file.
The Unified Agent executes npm executes
The npm install command will run and the scripts in your project's package.json file will be run.
Whether this is a yarn project (or not).
Resolves yarn projects
Will not resolve yarn projects
The access token value provided by the relevant environment (Microsoft Visual Studio or Artifactory) to fetch required data from the NPM registry.
Defines whether to fetch package data from npm registry (either private or public).
The Unified Agent will use only the name and the version of the package.
Fetches package data from npm registry (either private or public).
Enables running the pre-step with the ‘
Runs the pre-step with the ‘
Will not run the pre-step with the ‘
In npm projects, more than one package.json file can exist. Therefore, you can decide to resolve only the main package.json file (the one in the root directory) or all package.json files.
The Unified Agent checks if there is a package.json file in the folder passed as the -d parameter. If no such file exists, the scan will fail; otherwise, the Unified Agent will scan only this package.json.
The Unified Agent resolves all package.json files
Whether to remove duplicate dependencies during npm dependency resolution.
Removes duplicate dependencies during npm dependency resolution.
Includes duplicate dependencies during npm dependency resolution.
Whether to resolve global dependencies and require modules.
NOTE: Require is the equivalent to import in other languages.
Resolves global dependencies and require modules.
Resolves only the dependencies that are declared in the package.json.
Whether the Unified Agent will rely on the manifest (package.json) and lock file (package-lock.json) for the resolution and not rely on NPM commands. If the lock file is missing, the detection will be based on the node_modules folder.
The Unified Agent uses the package.json and package-lock.json to get the hierarchy tree. If the package-lock.json is missing, the detection is based on the node_modules folder.
The Unified Agent runs npm commands to get the hierarchy tree.
Whether the project name will be taken from the dependency file. This is a standalone parameter for the NPM resolver only, taking effect only when the npm resolver is the only active resolver.
If the Unified Agent identifies any additional resolvers besides npm that are set to True, an error is generated.
NOTE: If a productVersion was specified, it will override the project version and be part of the project's name.
The project name will be taken from the package.json file.
The project name will be taken from the CLI/configuration file.
Whether to fail and exit the scan in case of '
In case an error occurs while running '
In case of an error in '
NULL (meaning False - the scan will not fail on npm ls errors)
When scanning Docker images, and npm is not available, in order to extract global dependencies, this parameter eliminates the need to rely on NPM being installed and available; , as the Unified Agent identifies all the global npm packages installed on the Docker image. When true - the Unified Agent will scan every package.json file inside 'node_modules' directory. This parameter is mostly relevant when scanning Docker images.
Resolves all package.json files under the node_modules folder.
Will not scan package.json files under the node_modules folder.