jfrog · attiasas · Feb 12, 2026 · Feb 12, 2026 · Feb 12, 2026 · Feb 12, 2026
diff --git a/commands/audit/audit.go b/commands/audit/audit.go
diff --git a/commands/audit/audit_test.go b/commands/audit/audit_test.go
@@ -190,10 +190,221 @@ func TestDetectScansToPerform(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "Non-recursive scan on directory with descriptor at top level",
+			wd:   dir,
+			params: func() *AuditParams {
+				param := NewAuditParams().SetWorkingDirs([]string{filepath.Join(dir, "dir", "npm")})
+				param.SetIsRecursiveScan(false)
+				return param
+			},
+			expected: []*results.TargetResults{
+				{
+					ScanTarget: results.ScanTarget{
+						Technology: techutils.Npm,
+						Target:     filepath.Join(dir, "dir", "npm"),
+					},
+					JasResults: &results.JasScansResults{JasVulnerabilities: results.JasScanResults{}, JasViolations: results.JasScanResults{}},
+					ScaResults: &results.ScaScanResults{
+						Descriptors: []string{filepath.Join(dir, "dir", "npm", "package.json")},
+					},
+				},
+			},
+		},
+		{
+			name: "Single technology (npm only)",
+			wd:   dir,
+			params: func() *AuditParams {
+				param := NewAuditParams().SetWorkingDirs([]string{dir})
+				param.SetTechnologies([]string{"npm"}).SetIsRecursiveScan(true)
+				return param
+			},
+			expected: []*results.TargetResults{
+				{
+					ScanTarget: results.ScanTarget{
+						Technology: techutils.Npm,
+						Target:     filepath.Join(dir, "dir", "npm"),
+					},
+					JasResults: &results.JasScansResults{JasVulnerabilities: results.JasScanResults{}, JasViolations: results.JasScanResults{}},
+					ScaResults: &results.ScaScanResults{
+						Descriptors: []string{filepath.Join(dir, "dir", "npm", "package.json")},
+					},
+				},
+				{
+					// Requested tech npm had no other descriptors at root; add JAS-only target for requested directory
+					ScanTarget: results.ScanTarget{
+						Target: dir,
+					},
+					JasResults: &results.JasScansResults{JasVulnerabilities: results.JasScanResults{}, JasViolations: results.JasScanResults{}},
+				},
+			},
+		},
+		{
+			name: "Multiple working dirs (subset - dir and yarn only, no Nuget)",
+			wd:   dir,
+			params: func() *AuditParams {
+				param := NewAuditParams().SetWorkingDirs([]string{filepath.Join(dir, "dir"), filepath.Join(dir, "yarn")})
+				param.SetIsRecursiveScan(true)
+				return param
+			},
+			expected: []*results.TargetResults{
+				{
+					ScanTarget: results.ScanTarget{
+						Technology: techutils.Go,
+						Target:     filepath.Join(dir, "dir", "go"),
+					},
+					JasResults: &results.JasScansResults{JasVulnerabilities: results.JasScanResults{}, JasViolations: results.JasScanResults{}},
+					ScaResults: &results.ScaScanResults{
+						Descriptors: []string{filepath.Join(dir, "dir", "go", "go.mod")},
+					},
+				},
+				{
+					ScanTarget: results.ScanTarget{
+						Technology: techutils.Maven,
+						Target:     filepath.Join(dir, "dir", "maven"),
+					},
+					JasResults: &results.JasScansResults{JasVulnerabilities: results.JasScanResults{}, JasViolations: results.JasScanResults{}},
+					ScaResults: &results.ScaScanResults{
+						Descriptors: []string{
+							filepath.Join(dir, "dir", "maven", "maven-sub", "pom.xml"),
+							filepath.Join(dir, "dir", "maven", "maven-sub2", "pom.xml"),
+							filepath.Join(dir, "dir", "maven", "pom.xml"),
+						},
+					},
+				},
+				{
+					ScanTarget: results.ScanTarget{
+						Technology: techutils.Npm,
+						Target:     filepath.Join(dir, "dir", "npm"),
+					},
+					JasResults: &results.JasScansResults{JasVulnerabilities: results.JasScanResults{}, JasViolations: results.JasScanResults{}},
+					ScaResults: &results.ScaScanResults{
+						Descriptors: []string{filepath.Join(dir, "dir", "npm", "package.json")},
+					},
+				},
+				{
+					ScanTarget: results.ScanTarget{
+						Technology: techutils.Pip,
+						Target:     filepath.Join(dir, "yarn", "Pip"),
+					},
+					JasResults: &results.JasScansResults{JasVulnerabilities: results.JasScanResults{}, JasViolations: results.JasScanResults{}},
+					ScaResults: &results.ScaScanResults{
+						Descriptors: []string{filepath.Join(dir, "yarn", "Pip", "requirements.txt")},
+					},
+				},
+				{
+					ScanTarget: results.ScanTarget{
+						Technology: techutils.Pipenv,
+						Target:     filepath.Join(dir, "yarn", "Pipenv"),
+					},
+					JasResults: &results.JasScansResults{JasVulnerabilities: results.JasScanResults{}, JasViolations: results.JasScanResults{}},
+					ScaResults: &results.ScaScanResults{
+						Descriptors: []string{filepath.Join(dir, "yarn", "Pipenv", "Pipfile")},
+					},
+				},
+				{
+					ScanTarget: results.ScanTarget{
+						Technology: techutils.Yarn,
+						Target:     filepath.Join(dir, "yarn"),
+					},
+					JasResults: &results.JasScansResults{JasVulnerabilities: results.JasScanResults{}, JasViolations: results.JasScanResults{}},
+					ScaResults: &results.ScaScanResults{
+						Descriptors: []string{filepath.Join(dir, "yarn", "package.json")},
+					},
+				},
+			},
+		},
+		{
+			name: "Single technology (maven only)",
+			wd:   dir,
+			params: func() *AuditParams {
+				param := NewAuditParams().SetWorkingDirs([]string{filepath.Join(dir, "dir", "maven")})
+				param.SetIsRecursiveScan(true)
+				return param
+			},
+			expected: []*results.TargetResults{
+				{
+					ScanTarget: results.ScanTarget{
+						Technology: techutils.Maven,
+						Target:     filepath.Join(dir, "dir", "maven"),
+					},
+					JasResults: &results.JasScansResults{JasVulnerabilities: results.JasScanResults{}, JasViolations: results.JasScanResults{}},
+					ScaResults: &results.ScaScanResults{
+						Descriptors: []string{
+							filepath.Join(dir, "dir", "maven", "maven-sub", "pom.xml"),
+							filepath.Join(dir, "dir", "maven", "maven-sub2", "pom.xml"),
+							filepath.Join(dir, "dir", "maven", "pom.xml"),
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "Non-recursive on go directory",
+			wd:   dir,
+			params: func() *AuditParams {
+				param := NewAuditParams().SetWorkingDirs([]string{filepath.Join(dir, "dir", "go")})
+				param.SetIsRecursiveScan(false)
+				return param
+			},
+			expected: []*results.TargetResults{
+				{
+					ScanTarget: results.ScanTarget{
+						Technology: techutils.Go,
+						Target:     filepath.Join(dir, "dir", "go"),
+					},
+					JasResults: &results.JasScansResults{JasVulnerabilities: results.JasScanResults{}, JasViolations: results.JasScanResults{}},
+					ScaResults: &results.ScaScanResults{
+						Descriptors: []string{filepath.Join(dir, "dir", "go", "go.mod")},
+					},
+				},
+			},
+		},
+		{
+			name: "Single target with one working dir (npm)",
+			wd:   dir,
+			params: func() *AuditParams {
+				param := NewAuditParams().SetWorkingDirs([]string{filepath.Join(dir, "dir", "npm")})
+				param.SetIsSingleTarget(true).SetIsRecursiveScan(false)
+				return param
+			},
+			expected: []*results.TargetResults{
+				{
+					ScanTarget: results.ScanTarget{
+						Target:     dir,
+						Include:    []string{filepath.Join(dir, "dir", "npm")},
+						Technology: techutils.Npm,
+					},
+					JasResults: &results.JasScansResults{JasVulnerabilities: results.JasScanResults{}, JasViolations: results.JasScanResults{}},
+				},
+			},
+		},
+		{
+			name: "Single target with one working dir (maven)",
+			wd:   dir,
+			params: func() *AuditParams {
+				param := NewAuditParams().SetWorkingDirs([]string{filepath.Join(dir, "dir", "maven")})
+				param.SetIsSingleTarget(true).SetIsRecursiveScan(false)
+				return param
+			},
+			expected: []*results.TargetResults{
+				{
+					ScanTarget: results.ScanTarget{
+						Target:     dir,
+						Include:    []string{filepath.Join(dir, "dir", "maven")},
+						Technology: techutils.Maven,
+					},
+					JasResults: &results.JasScansResults{JasVulnerabilities: results.JasScanResults{}, JasViolations: results.JasScanResults{}},
+				},
+			},
+		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
+			if test.wd != "" {
+				defer securityTestUtils.ChangeWDWithCallback(t, test.wd)()
+			}
 			results := results.NewCommandResults(utils.SourceCode).SetEntitledForJas(true).SetSecretValidation(true)
 			detectScanTargets(results, test.params())
 			if assert.Len(t, results.Targets, len(test.expected)) {
@@ -210,6 +421,13 @@ func TestDetectScansToPerform(t *testing.T) {
 					if test.expected[i].ScaResults != nil {
 						sort.Strings(test.expected[i].ScaResults.Descriptors)
 					}
+					// Normalize for comparison: DeprecatedAppsConfigModule varies by working dir and is not under test
+					results.Targets[i].DeprecatedAppsConfigModule = nil
+					// Normalize single-target expected to actual cwd (path can differ e.g. /var vs /private/var on macOS)
+					if len(results.Targets) == 1 && len(results.Targets[i].Include) > 0 {
+						test.expected[i].Target = results.Targets[i].Target
+						test.expected[i].Include = results.Targets[i].Include
+					}
 				}
 			}
 			assert.ElementsMatch(t, test.expected, results.Targets)

diff --git a/commands/audit/auditparams.go b/commands/audit/auditparams.go
@@ -3,6 +3,7 @@ package audit
 import (
 	"time"
 
+	jfrogappsconfig "github.com/jfrog/jfrog-apps-config/go"
 	"github.com/jfrog/jfrog-client-go/xray/services"
 	xscServices "github.com/jfrog/jfrog-client-go/xsc/services"
 
@@ -18,10 +19,13 @@ import (
 )
 
 type AuditParams struct {
+	// Where to scan
+	appsConfig     *jfrogappsconfig.JFrogAppsConfig
+	workingDirs    []string
+	isSingleTarget bool
 	// Common params to all scan routines
 	resultsContext    results.ResultContext
 	gitContext        *xscServices.XscGitInfoContext
-	workingDirs       []string
 	installFunc       func(tech string) error
 	fixableOnly       bool
 	minSeverityFilter severityutils.Severity
@@ -192,6 +196,15 @@ func (params *AuditParams) SetScansResultsOutputDir(outputDir string) *AuditPara
 	return params
 }
 
+func (params *AuditParams) SetIsSingleTarget(isSingleTarget bool) *AuditParams {
+	params.isSingleTarget = isSingleTarget
+	return params
+}
+
+func (params *AuditParams) IsSingleTarget() bool {
+	return params.isSingleTarget
+}
+
 func (params *AuditParams) createXrayGraphScanParams() *services.XrayGraphScanParams {
 	return &services.XrayGraphScanParams{
 		RepoPath:               params.resultsContext.RepoPath,
@@ -212,7 +225,7 @@ func (params *AuditParams) ToBuildInfoBomGenParams() (bomParams technologies.Bui
 	bomParams = technologies.BuildInfoBomGeneratorParams{
 		XrayVersion:         params.GetXrayVersion(),
 		Progress:            params.Progress(),
-		ExclusionPattern:    technologies.GetExcludePattern(params.GetConfigProfile(), params.IsRecursiveScan(), params.Exclusions()...),
+		ExclusionPattern:    technologies.GetScaExcludePattern(params.GetConfigProfile(), params.IsRecursiveScan(), params.Exclusions()...),
 		AllowPartialResults: params.AllowPartialResults(),
 		// Artifactory repository info
 		ServerDetails:          serverDetails,
@@ -263,6 +276,15 @@ func (params *AuditParams) SetFilesToScan(filesToScan []string) *AuditParams {
 	return params
 }
 
+func (params *AuditParams) SetDeprecatedAppsConfig(appsConfig *jfrogappsconfig.JFrogAppsConfig) *AuditParams {
+	params.appsConfig = appsConfig
+	return params
+}
+
+func (params *AuditParams) DeprecatedAppsConfig() *jfrogappsconfig.JFrogAppsConfig {
+	return params.appsConfig
+}
+
 func (params *AuditParams) FilesToScan() []string {
 	return params.filesToScan
 }

diff --git a/commands/curation/curationaudit.go b/commands/curation/curationaudit.go
@@ -430,7 +430,7 @@ func (ca *CurationAuditCommand) getBuildInfoParamsByTech() (technologies.BuildIn
 	serverDetails, err := ca.ServerDetails()
 	return technologies.BuildInfoBomGeneratorParams{
 		XrayVersion:      ca.GetXrayVersion(),
-		ExclusionPattern: technologies.GetExcludePattern(ca.GetConfigProfile(), ca.IsRecursiveScan(), ca.Exclusions()...),
+		ExclusionPattern: technologies.GetScaExcludePattern(ca.GetConfigProfile(), ca.IsRecursiveScan(), ca.Exclusions()...),
 		Progress:         ca.Progress(),
 		// Artifactory Repository params
 		ServerDetails:          serverDetails,

diff --git a/commands/scan/scan.go b/commands/scan/scan.go
@@ -565,10 +565,11 @@ func (scanCmd *ScanCommand) getXrayScanGraphParams(msi string) *scangraph.ScanGr
 
 func (scanCmd *ScanCommand) RunBinaryJasScans(cmdType utils.CommandType, msi string, secretValidation bool, targetResults *results.TargetResults, targetCompId string, graphScanResults *services.ScanResponse, jasFileProducerConsumer *utils.SecurityParallelRunner, scanThreadId int) (err error) {
 	scanLogPrefix := clientutils.GetLogMsgPrefix(scanThreadId, false)
-	module, err := getJasModule(targetResults)
+	deprecatedAppsConfigModule, err := getJasDeprecatedAppsConfigModule(targetResults.Target)
 	if err != nil {
 		return targetResults.AddTargetError(fmt.Errorf(scanLogPrefix+"jas scanning failed with error: %s", err.Error()), false)
 	}
+	targetResults.DeprecatedAppsConfigModule = &deprecatedAppsConfigModule
 	// Prepare Jas scans
 	scannerOptions := []jas.JasScannerOption{
 		jas.WithEnvVars(
@@ -604,7 +605,6 @@ func (scanCmd *ScanCommand) RunBinaryJasScans(cmdType utils.CommandType, msi str
 		Runner:          jasFileProducerConsumer,
 		ServerDetails:   scanCmd.serverDetails,
 		Scanner:         scanner,
-		Module:          module,
 		TargetOutputDir: scanCmd.outputDir,
 		ScansToPerform:  scanCmd.scansToPerform,
 		CvesProvider: func() (directCves []string, indirectCves []string) {
@@ -646,8 +646,8 @@ func isDockerBinary(cmdType utils.CommandType, targetResults *results.TargetResu
 	return cmdType == utils.DockerImage || targetResults.Technology == techutils.Docker || targetResults.Technology == techutils.Oci
 }
 
-func getJasModule(targetResults *results.TargetResults) (jfrogappsconfig.Module, error) {
-	jfrogAppsConfig, err := jas.CreateJFrogAppsConfig([]string{targetResults.Target})
+func getJasDeprecatedAppsConfigModule(target string) (jfrogappsconfig.Module, error) {
+	jfrogAppsConfig, err := jas.CreateJFrogAppsConfig([]string{target})
 	if err != nil {
 		return jfrogappsconfig.Module{}, err
 	}