feat: add option to disable the node_modules scan for node.js images #630
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Before v6.12.0, the docker cli plugin was able to scan
npmprojects only when strictpackage.jsonandpackage-lock.jsonpairs of files were identified within container images. The pair of files had to be outside of anode_modulesfolder’s context in order to avoid creating projects out of the dependencies. Scanning container images that had the manifests/lockfiles removed was not possible and customer needs were created to remove that constraint.The scanning of
npmglobal and local scoped node_modules directories has been enabled as a default behavior when a node.js image is scanned.Adding an option to opt-out from the node_modules scan allows the user to scan
npmprojects only when [strictpackage.jsonandpackage-lock.jsonpairs are identified in the container image, thus re-enabling the original npm scan behavior.Where should the reviewer start?
How should this be manually tested?
Any background context you want to provide?
What are the relevant tickets?
Screenshots
Additional questions