This might be a newbie question, but we want to integrate SAST scanning into our TypeScript / NodeJS project. From what I read in the tool’s documentation, it is built to scan the project’s source code.
My question is should I or should I not scan the transpiled JavaScript in my dist / build directory?
Context:
We accidentally were using the tool in a stage of our CI/CD where, due to build artifacts, the transpiled JavaScript was present. We then started receiving a bunch of vulnerability alerts from the JavaScript files inside that directory. To me, it makes little sense to scan that directory since the tool is supposed to scan the source code (the TypeScript files in our case). The thing is, and maybe this is too obvious and that is why I can’t find anything on this, but I can’t find any source to back this up on GitHub - nodesecurity/eslint-plugin-security: ESLint rules for Node Security or Docs home | Semgrep.