We scanned a Node.js git repository which has both package.json and package-lock.json, and we observed that packages under devDependencies are not listed in the SBOM.
Please help us in resolving the issue.
Regards,
Anvitha
In the Syft configuration, you will see an option to include dev dependencies for JavaScript, which is disabled by default (you can see the configuration options using syft config):
javascript:
  ...
  # include development-scoped dependencies (env: SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES)
  include-dev-dependencies:
You can set this in a config file or from the command line using the environment variable noted in the config SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES=true. For example, you could run like:
SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES=true syft <image>
I think this should be what you’re looking for; let me know if you have any issues.
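To confirm the setting took effect, the lockfile's dev-scoped packages can be compared against the SBOM. The following is an added example, not part of the original posts or of Syft itself; it assumes an npm lockfile v2/v3 (entries flagged `"dev": true`) and Syft's JSON output with an `artifacts` array, and the sample data is constructed.

```python
import json
import sys

def dev_packages(lock):
    """Return {(name, version)} for lockfile v2/v3 entries flagged "dev": true."""
    found = set()
    for path, meta in lock.get("packages", {}).items():
        if not path or not meta.get("dev"):
            continue  # "" is the root project; unflagged entries are production deps
        # Nested installs look like node_modules/a/node_modules/b: keep the last name.
        name = meta.get("name") or path.split("node_modules/")[-1]
        found.add((name, meta.get("version")))
    return found

def sbom_packages(sbom):
    """Return {(name, version)} for every package recorded in the SBOM."""
    return {(a["name"], a["version"]) for a in sbom.get("artifacts", [])}

def missing_dev_packages(lock, sbom):
    """Dev-scoped lockfile packages that the SBOM does not list."""
    return sorted(dev_packages(lock) - sbom_packages(sbom))

# Constructed sample data (not taken from a real project or scan).
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/eslint": {"version": "8.57.0", "dev": True},
    "node_modules/@types/node": {"version": "20.11.5", "dev": True},
    "node_modules/eslint/node_modules/ms": {"version": "2.1.2", "dev": True},
}}
# SBOM as produced with the default setting: production packages only.
SBOM_DEFAULT = {"artifacts": [{"name": "express", "version": "4.18.2"}]}
# SBOM as produced with SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES=true.
SBOM_WITH_DEV = {"artifacts": SBOM_DEFAULT["artifacts"] + [
    {"name": "eslint", "version": "8.57.0"},
    {"name": "@types/node", "version": "20.11.5"},
    {"name": "ms", "version": "2.1.2"},
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py package-lock.json sbom.json
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            lock, sbom = json.load(f1), json.load(f2)
    else:
        lock, sbom = SAMPLE_LOCK, SBOM_DEFAULT
    for name, version in missing_dev_packages(lock, sbom):
        print(f"dev dependency missing from SBOM: {name}@{version}")
```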
Thank you so much, it is working. May I know where I can find all the environment variables?