jfrog · attiasas · Feb 12, 2026 · Feb 12, 2026 · Feb 12, 2026 · Feb 12, 2026
diff --git a/artifactory_test.go b/artifactory_test.go
@@ -238,7 +238,7 @@ func TestDownloadAnalyzerManagerIfNeeded(t *testing.T) {
 	defer setEnvCallBack()
 
 	// Download
-	err := jas.DownloadAnalyzerManagerIfNeeded(0)
+	err := jas.DownloadAnalyzerManagerIfNeeded("", nil, 0)
 	assert.NoError(t, err)
 
 	// Validate Analyzer manager app & checksum.sh2 file exist
@@ -259,7 +259,7 @@ func TestDownloadAnalyzerManagerIfNeeded(t *testing.T) {
 	// Validate no second download occurred
 	firstFileStat, err := os.Stat(amPath)
 	assert.NoError(t, err)
-	err = jas.DownloadAnalyzerManagerIfNeeded(0)
+	err = jas.DownloadAnalyzerManagerIfNeeded("", nil, 0)
 	assert.NoError(t, err)
 	secondFileStat, err := os.Stat(amPath)
 	assert.NoError(t, err)

diff --git a/audit_test.go b/audit_test.go
@@ -964,10 +964,14 @@ func testXrayAuditGem(t *testing.T, format string) string {
 
 // New Sca
 
-func testAuditCommandNewSca(t *testing.T, project string, params auditCommandTestParams) (string, error) {
+func testAuditCommandNewSca(t *testing.T, params auditCommandTestParams, projects ...string) (string, error) {
 	// Must have one target, in new SCA mode the flow should not 'dirty' the local environment
 	// No need to copy or change directories just point to the project directory
-	params.WorkingDirsToScan = []string{filepath.Join(filepath.FromSlash(securityTests.GetTestResourcesPath()), "projects", project)}
+	if len(params.WorkingDirsToScan) == 0 {
+		for _, project := range projects {
+			params.WorkingDirsToScan = append(params.WorkingDirsToScan, filepath.Join(filepath.FromSlash(securityTests.GetTestResourcesPath()), "projects", project))
+		}
+	}
 	params.WithStaticSca = true
 	// No **/tests/** exclusion, we are scanning projects in the test resources path
 	params.CustomExclusion = []string{"*.git*", "*node_modules*", "*target*", "*venv*", "dist"}
@@ -983,10 +987,12 @@ func testAuditCommandNewSca(t *testing.T, project string, params auditCommandTes
 func TestAuditNewScaCycloneDxNpm(t *testing.T) {
 	securityIntegrationTestUtils.InitAuditNewScaTests(t, utils.StaticScanMinVersion)
 
-	output, err := testAuditCommandNewSca(t, filepath.Join("jas", "jas-npm"), auditCommandTestParams{
+	output, err := testAuditCommandNewSca(t, auditCommandTestParams{
 		WithSbom: true,
 		Format:   format.CycloneDx,
-	})
+	},
+		filepath.Join("jas", "jas-npm"),
+	)
 	assert.NoError(t, err)
 	validations.VerifyCycloneDxResults(t, output, validations.ValidationParams{
 		ExactResultsMatch: true,
@@ -999,6 +1005,25 @@ func TestAuditNewScaCycloneDxNpm(t *testing.T) {
 	})
 }
 
+func TestAuditNewScaSimpleJsonMultipleWorkingDirs(t *testing.T) {
+	securityIntegrationTestUtils.InitAuditNewScaTests(t, utils.StaticScanMinVersion)
+	output, err := testAuditCommandNewSca(t, auditCommandTestParams{
+		WithSbom: true,
+		Format:   format.SimpleJson,
+	},
+		filepath.Join("jas", "jas-npm"),
+		filepath.Join("package-managers", "go", "simple-project"),
+	)
+	assert.NoError(t, err)
+	validations.VerifySimpleJsonResults(t, output, validations.ValidationParams{
+		ExactResultsMatch: true,
+		Total:             &validations.TotalCount{Vulnerabilities: 10},
+		Vulnerabilities: &validations.VulnerabilityCount{
+			ValidateScan: &validations.ScanCount{Sca: 7, Sast: 2, Secrets: 1},
+		},
+	})
+}
+
 func TestAuditNewScaSimpleJsonViolations(t *testing.T) {
 	securityIntegrationTestUtils.InitAuditNewScaTests(t, utils.StaticScanMinVersion)
 
@@ -1007,13 +1032,15 @@ func TestAuditNewScaSimpleJsonViolations(t *testing.T) {
 	watchName, deleteWatch := securityTestUtils.CreateWatchOnArtifactoryRepos(t, policyName, "static-sca-watch", xrayUtils.Security)
 	defer deleteWatch()
 
-	output, err := testAuditCommandNewSca(t, filepath.Join("jas", "jas-npm"), auditCommandTestParams{
+	output, err := testAuditCommandNewSca(t, auditCommandTestParams{
 		WithSbom:    true,
 		WithVuln:    true,
 		WithLicense: true,
 		Format:      format.SimpleJson,
 		Watches:     []string{watchName},
-	})
+	},
+		filepath.Join("jas", "jas-npm"),
+	)
 	// Make Sure to check violations with fail build error
 	assert.Equal(t, err, policy.NewFailBuildError())
 	// Validate results
@@ -1033,10 +1060,12 @@ func TestAuditNewScaSimpleJsonViolations(t *testing.T) {
 
 func TestAuditNewScaCycloneDxPnpm(t *testing.T) {
 	securityIntegrationTestUtils.InitAuditNewScaTests(t, utils.StaticScanMinVersion)
-	output, err := testAuditCommandNewSca(t, filepath.Join("package-managers", "npm", "pnpm-lock"), auditCommandTestParams{
+	output, err := testAuditCommandNewSca(t, auditCommandTestParams{
 		WithSbom: true,
 		Format:   format.CycloneDx,
-	})
+	},
+		filepath.Join("package-managers", "npm", "pnpm-lock"),
+	)
 	assert.NoError(t, err)
 	validations.VerifyCycloneDxResults(t, output, validations.ValidationParams{
 		ExactResultsMatch: true,
@@ -1051,11 +1080,13 @@ func TestAuditNewScaCycloneDxPnpm(t *testing.T) {
 
 func TestAuditNewScaCycloneDxMaven(t *testing.T) {
 	securityIntegrationTestUtils.InitAuditNewScaTests(t, utils.StaticScanMinVersion)
-	output, err := testAuditCommandNewSca(t, filepath.Join("package-managers", "maven", "maven-example"), auditCommandTestParams{
+	output, err := testAuditCommandNewSca(t, auditCommandTestParams{
 		WithSbom: true,
 		Threads:  5,
 		Format:   format.CycloneDx,
-	})
+	},
+		filepath.Join("package-managers", "maven", "maven-example"),
+	)
 	assert.NoError(t, err)
 	validations.VerifyCycloneDxResults(t, output, validations.ValidationParams{
 		ExactResultsMatch: true,
@@ -1070,15 +1101,17 @@ func TestAuditNewScaCycloneDxMaven(t *testing.T) {
 
 func TestAuditNewScaCycloneDxGradle(t *testing.T) {
 	securityIntegrationTestUtils.InitAuditNewScaTests(t, utils.StaticScanMinVersion)
-	output, err := testAuditCommandNewSca(t, filepath.Join("package-managers", "gradle", "gradle-lock"), auditCommandTestParams{
+	output, err := testAuditCommandNewSca(t, auditCommandTestParams{
 		WithSbom: true,
 		Format:   format.CycloneDx,
-	})
+	},
+		filepath.Join("package-managers", "gradle", "gradle-lock"),
+	)
 	assert.NoError(t, err)
 	validations.VerifyCycloneDxResults(t, output, validations.ValidationParams{
 		ExactResultsMatch: true,
-		Total:             &validations.TotalCount{Vulnerabilities: 11, BomComponents: 7 + 1, Licenses: 5},
-		SbomComponents:    &validations.SbomCount{Direct: 7, Root: 1},
+		Total:             &validations.TotalCount{Vulnerabilities: 11, BomComponents: 6 + 1, Licenses: 5},
+		SbomComponents:    &validations.SbomCount{Direct: 6, Root: 1},
 		Vulnerabilities: &validations.VulnerabilityCount{
 			ValidateScan:                &validations.ScanCount{Sca: 11},
 			ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotCovered: 5, NotApplicable: 1, MissingContext: 5},
@@ -1088,10 +1121,12 @@ func TestAuditNewScaCycloneDxGradle(t *testing.T) {
 
 func TestAuditNewScaCycloneDxGo(t *testing.T) {
 	securityIntegrationTestUtils.InitAuditNewScaTests(t, utils.StaticScanMinVersion)
-	output, err := testAuditCommandNewSca(t, filepath.Join("package-managers", "go", "simple-project"), auditCommandTestParams{
+	output, err := testAuditCommandNewSca(t, auditCommandTestParams{
 		WithSbom: true,
 		Format:   format.CycloneDx,
-	})
+	},
+		filepath.Join("package-managers", "go", "simple-project"),
+	)
 	assert.NoError(t, err)
 	validations.VerifyCycloneDxResults(t, output, validations.ValidationParams{
 		ExactResultsMatch: true,
@@ -1106,10 +1141,12 @@ func TestAuditNewScaCycloneDxGo(t *testing.T) {
 
 func TestAuditNewScaCycloneDxYarn(t *testing.T) {
 	securityIntegrationTestUtils.InitAuditNewScaTests(t, utils.StaticScanMinVersion)
-	output, err := testAuditCommandNewSca(t, filepath.Join("package-managers", "yarn", "yarn-v3"), auditCommandTestParams{
+	output, err := testAuditCommandNewSca(t, auditCommandTestParams{
 		WithSbom: true,
 		Format:   format.CycloneDx,
-	})
+	},
+		filepath.Join("package-managers", "yarn", "yarn-v3"),
+	)
 	assert.NoError(t, err)
 	validations.VerifyCycloneDxResults(t, output, validations.ValidationParams{
 		ExactResultsMatch: true,
@@ -1124,10 +1161,12 @@ func TestAuditNewScaCycloneDxYarn(t *testing.T) {
 
 func TestAuditNewScaCycloneDxPip(t *testing.T) {
 	securityIntegrationTestUtils.InitAuditNewScaTests(t, utils.StaticScanMinVersion)
-	output, err := testAuditCommandNewSca(t, filepath.Join("jas", "jas"), auditCommandTestParams{
+	output, err := testAuditCommandNewSca(t, auditCommandTestParams{
 		WithSbom: true,
 		Format:   format.CycloneDx,
-	})
+	},
+		filepath.Join("jas", "jas"),
+	)
 	assert.NoError(t, err)
 	validations.VerifyCycloneDxResults(t, output, validations.ValidationParams{
 		ExactResultsMatch: true,
@@ -1141,10 +1180,12 @@ func TestAuditNewScaCycloneDxPip(t *testing.T) {
 
 func TestAuditNewScaCycloneDxPoetry(t *testing.T) {
 	securityIntegrationTestUtils.InitAuditNewScaTests(t, utils.StaticScanMinVersion)
-	output, err := testAuditCommandNewSca(t, filepath.Join("package-managers", "python", "poetry", "poetry-project"), auditCommandTestParams{
+	output, err := testAuditCommandNewSca(t, auditCommandTestParams{
 		WithSbom: true,
 		Format:   format.CycloneDx,
-	})
+	},
+		filepath.Join("package-managers", "python", "poetry", "poetry-project"),
+	)
 	assert.NoError(t, err)
 	validations.VerifyCycloneDxResults(t, output, validations.ValidationParams{
 		ExactResultsMatch: true,
@@ -1159,10 +1200,12 @@ func TestAuditNewScaCycloneDxPoetry(t *testing.T) {
 
 func TestAuditNewScaCycloneDxPipenv(t *testing.T) {
 	securityIntegrationTestUtils.InitAuditNewScaTests(t, utils.StaticScanMinVersion)
-	output, err := testAuditCommandNewSca(t, filepath.Join("package-managers", "python", "pipenv", "pipenv-lock"), auditCommandTestParams{
+	output, err := testAuditCommandNewSca(t, auditCommandTestParams{
 		WithSbom: true,
 		Format:   format.CycloneDx,
-	})
+	},
+		filepath.Join("package-managers", "python", "pipenv", "pipenv-lock"),
+	)
 	assert.NoError(t, err)
 	validations.VerifyCycloneDxResults(t, output, validations.ValidationParams{
 		ExactResultsMatch: true,
@@ -1177,10 +1220,12 @@ func TestAuditNewScaCycloneDxPipenv(t *testing.T) {
 
 func TestAuditNewScaCycloneDxUV(t *testing.T) {
 	securityIntegrationTestUtils.InitAuditNewScaTests(t, utils.StaticScanMinVersion)
-	output, err := testAuditCommandNewSca(t, filepath.Join("package-managers", "python", "uv", "uv"), auditCommandTestParams{
+	output, err := testAuditCommandNewSca(t, auditCommandTestParams{
 		WithSbom: true,
 		Format:   format.CycloneDx,
-	})
+	},
+		filepath.Join("package-managers", "python", "uv", "uv"),
+	)
 	assert.NoError(t, err)
 	validations.VerifyCycloneDxResults(t, output, validations.ValidationParams{
 		ExactResultsMatch: true,
@@ -1195,10 +1240,12 @@ func TestAuditNewScaCycloneDxUV(t *testing.T) {
 
 func TestAuditNewScaCycloneDxNuget(t *testing.T) {
 	securityIntegrationTestUtils.InitAuditNewScaTests(t, utils.StaticScanMinVersion)
-	output, err := testAuditCommandNewSca(t, filepath.Join("package-managers", "nuget", "single4.0"), auditCommandTestParams{
+	output, err := testAuditCommandNewSca(t, auditCommandTestParams{
 		WithSbom: true,
 		Format:   format.CycloneDx,
-	})
+	},
+		filepath.Join("package-managers", "nuget", "single4.0"),
+	)
 	assert.NoError(t, err)
 	validations.VerifyCycloneDxResults(t, output, validations.ValidationParams{
 		ExactResultsMatch: true,
@@ -1224,14 +1271,14 @@ func TestAuditNewScaSnippetDetection(t *testing.T) {
 		Watches:     []string{watchName},
 	}
 	// No snippet detection. nothing should be found
-	output, err := testAuditCommandNewSca(t, filepath.Join("package-managers", "c", "snippet_detection"), params)
+	output, err := testAuditCommandNewSca(t, params, filepath.Join("package-managers", "c", "snippet_detection"))
 	assert.NoError(t, err)
 	validations.VerifySimpleJsonResults(t, output,
 		validations.ValidationParams{ExactResultsMatch: true},
 	)
 	// With snippet detection. should find 4 licenses violations
 	params.WithSnippetDetection = true
-	output, err = testAuditCommandNewSca(t, filepath.Join("package-managers", "c", "snippet_detection"), params)
+	output, err = testAuditCommandNewSca(t, params, filepath.Join("package-managers", "c", "snippet_detection"))
 	assert.NoError(t, err)
 	validations.VerifySimpleJsonResults(t, output,
 		validations.ValidationParams{

diff --git a/cli/docs/flags.go b/cli/docs/flags.go
@@ -177,6 +177,8 @@ const (
 	DetailedSummary = "detailed-summary"
 	CacheValidity   = "cache-validity"
 	GitThreads      = gitPrefix + Threads
+
+	UseConfigProfile = "use-config-profile"
 )
 
 // Mapping between security commands (key) and their flags (key).
@@ -217,8 +219,8 @@ var commandFlags = map[string][]string{
 		// Violations params
 		scanProjectKey, Watches, Snippet, ScanVuln, Fail,
 		// Scan params
-		Threads, ExclusionsAudit,
-		auditSca, auditIac, auditSast, auditSecrets, auditWithoutCA, SecretValidation, Sbom,
+		Threads, ExclusionsAudit, WorkingDirs,
+		auditSca, auditIac, auditSast, auditSecrets, auditWithoutCA, SecretValidation, Sbom, UseConfigProfile,
 		// Output params
 		Licenses, OutputFormat, ExtendedTable, OutputDir, UploadRtRepoPath,
 		// Scan Logic params
@@ -363,6 +365,8 @@ var flagsMap = map[string]components.Flag{
 	AddSastRules: components.NewStringFlag(AddSastRules, "Incorporate any additional SAST rules (in JSON format, with absolute path) into this local scan."),
 	Port:         components.NewStringFlag(Port, "Specifies the port to run the SAST server on.", components.SetMandatory()),
 
+	UseConfigProfile: components.NewBoolFlag(UseConfigProfile, "Set to false to override config profile for the audit.", components.WithBoolDefaultValue(true), components.SetHiddenBoolFlag()),
+
 	// Docker flags
 	DockerImageName: components.NewStringFlag(DockerImageName, "Specifies the Docker image name to audit. Uses the same format as the Docker CLI, including Artifactory-hosted images."),
 

diff --git a/cli/gitcommands.go b/cli/gitcommands.go
@@ -55,6 +55,8 @@ func GitAuditCmd(c *components.Context) error {
 		return err
 	}
 	gitAuditCmd.SetServerDetails(serverDetails).SetXrayVersion(xrayVersion).SetXscVersion(xscVersion)
+	// Set config profile params
+	gitAuditCmd.SetUseConfigProfile(c.GetBoolFlagValue(flags.UseConfigProfile))
 	// Set violations params
 	format, err := outputFormat.ParseOutputFormat(c.GetStringFlagValue(flags.OutputFormat), outputFormat.All)
 	if err != nil {

diff --git a/cli/scancommands.go b/cli/scancommands.go
@@ -556,14 +556,12 @@ func CreateAuditCmd(c *components.Context) (string, string, *coreConfig.ServerDe
 		return "", "", nil, nil, err
 	}
 	auditCmd.SetBomGenerator(sbomGenerator).SetCustomBomGenBinaryPath(c.GetStringFlagValue(flags.XrayLibPluginBinaryCustomPath))
-	auditCmd.SetScaScanStrategy(scaScanStrategy)
-	auditCmd.SetViolationGenerator(violationGenerator)
+	auditCmd.SetScaScanStrategy(scaScanStrategy).SetViolationGenerator(violationGenerator).SetIncludeSbom(shouldIncludeSbom(c, format))
 	auditCmd.SetUploadCdxResults(uploadResults).SetRtResultRepository(c.GetStringFlagValue(flags.UploadRtRepoPath))
 	auditCmd.SetTargetRepoPath(addTrailingSlashToRepoPathIfNeeded(c)).
 		SetProject(getProject(c)).
 		SetIncludeVulnerabilities(c.GetBoolFlagValue(flags.Vuln)).
 		SetIncludeLicenses(c.GetBoolFlagValue(flags.Licenses)).
-		SetIncludeSbom(shouldIncludeSbom(c, format)).
 		SetIncludeSnippetDetection(includeSnippetDetection).
 		SetFail(c.GetBoolFlagValue(flags.Fail)).
 		SetPrintExtendedTable(c.GetBoolFlagValue(flags.ExtendedTable)).