azure-devops github-advanced-security

GitHub Advanced Security not finding NPM packages (Azure DevOps)


I have configured GitHub Advanced Security for three projects in Azure DevOps: one in C#, one in Python, and one in Vue/Vite. The scanning process works as expected for the C# and Python projects, successfully identifying and scanning all packages. However, for the Vue/Vite project, it only outputs one component, even though there are more components in the project.

I attempted to test the functionality by adding an old package with a known vulnerability to the package.json file. Despite this, the scan still only reports one NPM component and states, "Dependency Scanning has detected no package vulnerabilities."

Has anyone successfully implemented GitHub Advanced Security with a JavaScript/NPM/Vite project in Azure DevOps?



Solution

  • Add npm install before the "AdvancedSecurity-Dependency-Scanning" task. For example:

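    # Install the project's npm packages before the scan runs
    - task: CmdLine@2
      inputs:
        script: |
          cd my-vue-app
          npm install
    # Dependency scanning task, placed after the install step
    - task: AdvancedSecurity-Dependency-Scanning@1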

    Then you will see the details like this: (screenshot)
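
A pre-scan guard for the situation above, as an added example that is not part of the original answer or of any Microsoft or GitHub tooling: it fails the step when packages declared in package.json are not installed under node_modules, so a scan that reports "no package vulnerabilities" is not simply a scan that ran before npm install. The script name `prescan-check.js`, both function names and the sample package versions are assumptions made for illustration.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Names declared in package.json (dependencies + devDependencies) that have
// no installed copy under node_modules.
function missingDependencies(projectDir) {
  const manifest = JSON.parse(
    fs.readFileSync(path.join(projectDir, "package.json"), "utf8"));
  const declared = Object.keys({ ...manifest.dependencies, ...manifest.devDependencies });
  return declared.filter((name) =>
    // A scoped name such as "@vitejs/plugin-vue" is a nested directory.
    !fs.existsSync(
      path.join(projectDir, "node_modules", ...name.split("/"), "package.json")));
}

// Constructed sample: a throwaway project declaring three packages (versions
// are made up), with only the names in `installed` present under node_modules.
function makeSampleProject(installed) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "prescan-"));
  fs.writeFileSync(path.join(dir, "package.json"), JSON.stringify({
    name: "my-vue-app",
    dependencies: { vue: "^1.0.0", lodash: "^1.0.0" },
    devDependencies: { "@vitejs/plugin-vue": "^1.0.0" },
  }));
  for (const name of installed) {
    const pkgDir = path.join(dir, "node_modules", ...name.split("/"));
    fs.mkdirSync(pkgDir, { recursive: true });
    fs.writeFileSync(path.join(pkgDir, "package.json"), JSON.stringify({ name }));
  }
  return dir;
}

// Pipeline use (hypothetical file name): node prescan-check.js my-vue-app
if (process.argv[2]) {
  const missing = missingDependencies(process.argv[2]);
  if (missing.length > 0) {
    console.error(`Not installed, run npm install before scanning: ${missing.join(", ")}`);
    process.exit(1);
  }
  console.log("All declared dependencies are installed.");
} else {
  // No argument: run on the constructed sample, before and after "install".
  console.log(missingDependencies(makeSampleProject([])));
  console.log(missingDependencies(
    makeSampleProject(["vue", "lodash", "@vitejs/plugin-vue"])));
}
```

Run it in the same script step as npm install, or in a step between the install and the scanning task, so a skipped or failed install stops the pipeline before the scan reports a clean result.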