
NPM Audit on private package in artifactory


Is there a way to run npm audit on the private packages in Artifactory? Currently, Artifactory is running npm audit on the packages downloaded from a remote repository (the NPM public registry). But we want to scan the packages developed internally as well.

Thanks!!!


Solution

  • As you mention, Artifactory can audit NPM packages on npm virtual repositories that aggregate at least one remote repository that supports npm audit. An example of such a repository would be registry.npmjs.org.

    The data from the audit commands is provided by the site; npmjs would not give us that information for our local packages. JFrog does offer Xray, a product that integrates with Artifactory and which recursively checks private/public artifacts and dependencies for vulnerabilities or license violations. The docs mention this:

    JFrog Xray users with an Artifactory Pro X / Enterprise / Enterprise+ license will get an enhanced audit report that includes security vulnerabilities from Xray's database. When Xray is configured to work with Artifactory, an audit report can be generated from scratch even without connecting to any remote repository.

    At that point the audit feature will work for your own artifacts and public ones that don't have audit information.
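The practical consequence of the answer above is that a plain `npm audit --json` run through an Artifactory virtual repository only reports on packages the public advisory feed knows about, so internally scoped packages silently fall outside the report. The script below is an added example (not code from the answerer, JFrog, or npm) that reads a `package-lock.json` and an `npm audit --json` report and separates public findings from internal packages that have no audit coverage at all, so a CI step can tell "no findings" apart from "not checked". It assumes npm 7+ report layout (`auditReportVersion` 2), lockfile version 2/3, and `@acme` as the internal scope; both inputs are constructed samples.

```python
"""Summarise an `npm audit --json` report and flag dependencies that the public
advisory feed cannot cover (internally scoped packages served from a private
Artifactory repository).  All sample inputs below are constructed."""
import json
from collections import Counter

# Constructed: a trimmed package-lock.json (lockfileVersion 3 layout, "packages"
# keyed by install path).  "@acme" is the assumed internal npm scope.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/minimist": {"version": "1.2.5"},
        "node_modules/@acme/auth-client": {"version": "2.3.1"},
        "node_modules/@acme/logging": {"version": "0.9.0"},
    },
})

# Constructed: an `npm audit --json` report (auditReportVersion 2 layout) as a
# registry with only public advisory data would return it.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {"name": "lodash", "severity": "high", "isDirect": True,
                   "range": "<4.17.21", "fixAvailable": True},
        "minimist": {"name": "minimist", "severity": "moderate", "isDirect": False,
                     "range": "<1.2.6", "fixAvailable": True},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 1, "critical": 0, "total": 2}},
})

INTERNAL_SCOPES = ("@acme",)  # assumed internal scope(s); adjust to your organisation


def installed_packages(lock_json):
    """Return {package_name: version} from a lockfileVersion 2/3 package-lock."""
    lock = json.loads(lock_json)
    result = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # The name is everything after the last "node_modules/" segment, which
        # also handles nested installs such as node_modules/a/node_modules/b.
        name = path.rsplit("node_modules/", 1)[-1]
        result[name] = meta.get("version", "unknown")
    return result


def is_internal(name, scopes=INTERNAL_SCOPES):
    """True when the package belongs to one of the internal npm scopes."""
    return any(name == s or name.startswith(s + "/") for s in scopes)


def audit_coverage(lock_json, audit_json, scopes=INTERNAL_SCOPES):
    """Split dependencies into public findings (by package and by severity) and
    internal packages that the advisory feed says nothing about."""
    report = json.loads(audit_json)
    packages = installed_packages(lock_json)
    findings = {name: v["severity"] for name, v in report.get("vulnerabilities", {}).items()}
    # Internal packages are listed as unaudited regardless of the report: an
    # absent finding is not evidence that anyone checked them.
    unaudited = sorted(n for n in packages if is_internal(n, scopes))
    # A finding against an internal package would show that the registry does
    # serve private audit data (the Xray setup described in the answer).
    internal_findings = sorted(n for n in findings if is_internal(n, scopes))
    return {
        "findings": findings,
        "severity_counts": dict(Counter(findings.values())),
        "unaudited_internal": unaudited,
        "internal_findings": internal_findings,
    }


def gate(lock_json, audit_json, scopes=INTERNAL_SCOPES, fail_on=("high", "critical")):
    """CI-style verdict: fail on serious public findings or on any internal
    package that no advisory source has covered."""
    cov = audit_coverage(lock_json, audit_json, scopes)
    serious = any(sev in fail_on for sev in cov["findings"].values())
    uncovered = bool(cov["unaudited_internal"]) and not cov["internal_findings"]
    return {"pass": not (serious or uncovered), "serious": serious, "uncovered": uncovered}


if __name__ == "__main__":
    cov = audit_coverage(SAMPLE_LOCK, SAMPLE_AUDIT)
    print("public findings:", cov["findings"])
    print("by severity:", cov["severity_counts"])
    print("internal packages without audit coverage:", cov["unaudited_internal"])
    print("gate:", gate(SAMPLE_LOCK, SAMPLE_AUDIT))
```

In a real pipeline, feed it the project's own `package-lock.json` and the output of `npm audit --json` run against the Artifactory virtual repository; once Xray is wired in as the answer describes, findings against `@acme/*` packages start appearing and the "uncovered" condition clears on its own.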