Skip to main content

Scan package preparation

To get the best results from a scan, consider these best practices before you upload packages.

Artifact types

  • For Java, upload either a WAR or JAR package.

  • For JavaScript, upload either a JS or ZIP package.

You can include multiple JAR files in a ZIP package. The maximum upload size limit for a ZIP file is 1 GB.

Access to class files and dependencies

If you package your files differently than suggested here, Scan has to make assumptions about your code. The results might not be as precise as they could be. They could include false negatives and positives.

When Scan has access to all the appropriate class files and dependencies, the results do not include phantom classes. A phantom class is a referenced class but either scan is unable to find bytecode for it or the scan was unable to decompile the code into intermediate representation (IR).

  • Scan needs access to these files:

    • Application class files

    • Application dependency jar or class files

  • Organize application and dependencies in WAR files as described in the Oracle Java™ Servlet Specification.

  • Organize applications and dependencies in JAR files similar to the way SpringBoot JAR files are organized.

    SpringBoot JAR files place applications and dependencies in well-known areas.

  • Including standard JDK files and common servlet container-provided dependencies are not required. Scan provides these dependencies for you.


To be able to deliver accurate results, Scan needs to understand the web framework that your application uses.

  • Source code scans: This scan type supports all frameworks for the supported languages.

  • Java binary scans: This scan type supports these frameworks:

    • Angular 8 or later

    • J2EE

    • Jakarta EE 2.0-3.0

    • jQuery

    • React 16 or later

    • SpringBoot

    • Spring MVC

    • Vue.JS 2 or later

Avoid use of thin JAR files

Thin JAR files contain only application byte code. These files require special execution loaders to dynamically access dependencies for loading. If you upload a thin JAR file, Scan does not execute any of your application code. It cannot access the application dependencies for accurate scanning.