
If you’re using tools like Checkmarx or JFrog Xray to scan for security vulnerabilities in the third-party dependencies of your NPM builds, you may have noticed that they highlight a lot of vulnerabilities that come from development-only dependencies.
If you’re producing a shared NPM library or service there is no need for your development dependencies to be included in the final package; to achieve this you have to pass the --only=production flag.
This will save a lot of time as security scans will only consider production dependencies.
Example – Using JFrog Xray on Azure Pipelines
Here is the complete code snippet to install only production dependencies, pack and publish the artifact, collect the build-info (for Xray) and then perform an Xray scan of the build.
parameters:
  - name: artifactoryServiceConnection
    type: string
    default: 'sample-pipeline-service'
  - name: buildSourceRepo
    type: string
    default: 'npm-remote'
  - name: artifactoryBuildname
    type: string
    default: 'focused-xray-test'
  - name: buildVersion
    type: string
    default: '24'

steps:
  # npm ci with production-only install; dev dependencies never reach the build-info
  - task: ArtifactoryNpm@2
    inputs:
      command: 'ci'
      artifactoryService: ${{ parameters.artifactoryServiceConnection }}
      sourceRepo: ${{ parameters.buildSourceRepo }}
      collectBuildInfo: true
      threads: 1
      buildName: ${{ parameters.artifactoryBuildname }}
      buildNumber: ${{ parameters.buildVersion }}
      includeEnvVars: true
      arguments: '--only=production'
  - task: ArtifactoryNpm@2
    inputs:
      command: 'pack and publish'
      artifactoryService: ${{ parameters.artifactoryServiceConnection }}
      targetRepo: 'samplenpmlib-npm-library-build-local'
      collectBuildInfo: true
      buildName: ${{ parameters.artifactoryBuildname }}
      buildNumber: ${{ parameters.buildVersion }}
      includeEnvVars: true
  - task: ArtifactoryPublishBuildInfo@1
    displayName: 'Publishing buildInfo to Artifactory'
    inputs:
      artifactoryService: ${{ parameters.artifactoryServiceConnection }}
      buildName: ${{ parameters.artifactoryBuildname }}
      buildNumber: ${{ parameters.buildVersion }}
  # Xray scans the published build-info, which now lists production dependencies only
  - task: ArtifactoryXrayScan@1
    displayName: 'Scanning build with Jfrog XRay'
    inputs:
      allowFailBuild: true
      artifactoryService: ${{ parameters.artifactoryServiceConnection }}
      buildName: ${{ parameters.artifactoryBuildname }}
      buildNumber: ${{ parameters.buildVersion }}
