> For the complete documentation index, see [llms.txt](https://help.aikido.dev/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://help.aikido.dev/code-scanning/scanning-practices/scanning-dev-dependencies-for-cves.md).

# Scanning Dev Dependencies for CVEs

{% hint style="warning" %}
Aikido **always** scans dev dependencies for malware. The following article relates to CVE scanning and how to enable.
{% endhint %}

**By default**, Aikido will **not** report vulnerabilities for dependencies that are only installed on the developer machine (devdeps). The assumption here is that they will not ship to production and won't impact the security of your live product.

However, there are some cases in which scanning for dev dependencies might be a valuable addition to the other scans:

* Compliance reasons, including the software that is only available on the developer machines
* SvelteKit: packages are often marked as dev dependency although they make it into production.

We support **JavaScript, Java and Python.**

### Enabling Dev Dependencies Per Repository <a href="#enabling-dev-dependencies-per-repository" id="enabling-dev-dependencies-per-repository"></a>

It is possible to enable dev dependency scanning on per repo basis.

**Step 1.** Contact Aikido to enable the functionality. Quickest way to do this is contact us via chat.

**Step 2.** Go to the detail page of a specific repository and click '**Configure**'.

![Security scan dashboard showing critical PHP issues with statuses and recommended fix times.](/files/eOTKzsmJadVexY6GjSG8)

**Step 3.** Scroll down in the modal to enable dev dependency scanning

![Option to enable or disable scanning of developer dependencies with warning about false positives.](/files/rIoho1vWMEz9F8GuM5Ct)

**Step 4.** Trigger a manual rescan to see results immediately, or wait for the next scheduled scan.

{% hint style="info" %}
Dev dependency findings will also surface on the next push to the default branch via PR gating.
{% endhint %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://help.aikido.dev/code-scanning/scanning-practices/scanning-dev-dependencies-for-cves.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
