27 changes: 25 additions & 2 deletions security/audit.rst
Expand Up @@ -3,8 +3,7 @@
Scanning dependencies with conan audit
======================================

A new command, `conan audit`, was added in **Conan 2.14**. It provides a built-in way to
**scan your dependencies for known CVEs**.
The ``conan audit`` commands provide a built-in way to **scan your dependencies for known CVEs**.

For a step-by-step guide on authentication, usage examples, output formats, and setting up
private providers, see :ref:`Checking package vulnerabilities <devops_audit>`. In short:
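Review bot: the rewritten intro line drops the only statement of which release introduced the command ("was added in **Conan 2.14**"); readers on older Conan versions lose the hint that ``conan audit`` may not exist for them. Suggest keeping the version somewhere in this section, e.g. a ``.. note::`` or a short clause such as "The ``conan audit`` commands (available since Conan 2.14) provide a built-in way to ...", unless the version is recorded elsewhere in the docs.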
Expand Down Expand Up @@ -33,6 +32,30 @@ This command also supports using your own JFrog Platform as a private provider f
vulnerability scanning. See the :ref:`Adding private providers
<devops_audit_private_providers>` section for more details.

Filtering queried packages
--------------------------

By default, the ``conan audit scan`` command will query all packages in the dependency graph.
You can filter the packages to be queried based on their context using the ``--context`` option,
which accepts ``"host"``, or ``"build"`` as values, and when omitted, defaults to quering both contexts.

This allows you to skip checking for CVEs in build requirements, which are not part of the final product
and therefore less relevant (but still important!) for vulnerability scanning.

It's also possible to perform this filter using the ``conan audit list`` command,
by leveraging the packages list filtering from the ``conan list`` command. For example:

.. code-block:: bash

# Generate the dependency graph in JSON format
$ conan graph info . --format=json > graph.json
# Create a packages list for the resolved dependency graph, filtering to only contain the `host` context packages
$ conan list --graph=graph.json --graph-context=host --format=json > pkglist.json
# Scan the filtered packages list for vulnerabilities
$ conan audit list --list=pkglist.json



.. seealso::

- `JFrog Academy Conan 2 Essentials: Scanning C++ packages for Vulnerabilities using Conan Audit <https://academy.jfrog.com/conan-2-essentials/2164300?utm_source=Conan+Docs>`__
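Review bot: typo in the ``--context`` paragraph: "defaults to quering both contexts" should read "querying"; in the same sentence the comma in ``accepts ``"host"``, or ``"build"`` as values`` is stray for a two-item list, so "accepts ``"host"`` or ``"build"`` as values" reads better. Two smaller points: the three consecutive blank lines before ``.. seealso::`` can be reduced to one, and the bash comment "filtering to only contain the `host` context packages" uses single backticks, which in reST inside a code-block is harmless but inconsistent with the double-backtick literals used in the prose above; single backticks inside the shell comment are fine if intended as plain text.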