Is it possible to do security/quality scan all the files from node_modules folder?

  • ALM : Bitbucket Cloud
  • CI: Bitbucket Pipeline
  • Scanner command used when applicable (private details masked)
  • Languages of the repository: Typescript, Javascript

I am new to SonarCloud. I was able to integrate it successfully with Bitbucket and have started leveraging the reports for the projects.

I wanted to understand if there is a possibility to scan the node package files that I use in the projects too. If there is, and someone has already achieved it, then I need some direction for the same.

Thanks in advance.

-Rehan R. Sheikh

Hey there.

We normally advise against scanning third-party libraries as part of your own projects, since the metrics and issues from them can pollute your own metrics and issues, making it difficult to see what’s going on in your own developed code. Developers aren’t typically empowered to change code in third-party libraries they’re using in their projects.

This is why folders like node_modules are excluded from analysis by default.

If you are looking for an understanding of what vulnerable code might exist in those libraries, we’d suggest finding a good SCA (software component analysis) tool that fits your needs.