Support all attributes in Central Configs

[attiasas]

feat(audit): config-profile scan targets, include/exclude, and xray-lib working dirs

Depends on:

• XRAY-135682 (bug: secrets/CA when multiple roots are passed)

• XRAY-138915 (improvement: iac does not support multiple roots)

• XSC - Update params in config profile jfrog-client-go#1344

Analyzer-Manager minimum version: 1.33.0

• Update AnalyzerManager version to 1.33.0 #748

Summary

Aligns audit, git audit, SCA (Xray-Lib), and JAS scanners with JFrog Platform config profiles: per-target include/exclude patterns, scanner enablement, secret validation, partial results, and custom analyzer download paths. Passes resolved include directories and exclusions into Xray-Lib instead of global ignore patterns, and refactors scan execution around an enriched ScanTarget model.

Changes

• Audit / scan orchestration (commands/audit/, commands/scan/, commands/git/audit/): target discovery via GetTargetsInfo; populate ScanTarget with include/exclude and central-config modules; honor config-profile scanner toggles and allow_partial_results; wire custom releases repo for Xray-Lib plugin download.
• Xray-Lib BOM (sca/bom/xrayplugin/): pass IncludeDirs and per-target SCA exclusions to the plugin; remove WithTotalTargets / WithIgnorePatterns; support WithCentralRemoteReleasesDetails for profile-driven dependency downloads.
• JAS scanners (jas/, jas/runner/): run against results.ScanTarget (include roots, profile exclusions); consolidate config-profile skip logic; fix SARIF invocation working directory to reflect scan target, not analyzer-manager temp dir; per-target secret validation via IsSecretValidationActive.
• Results model (utils/results/): ScanTarget gains Include, Exclude, Technologies[], CentralConfigModules; skippable GeneralErrors / TargetErrors for partial results; helpers for central-config scan requests and exclusions; expanded unit tests.
• Path / exclusion utilities (utils/paths.go, utils/techutils.go): pattern handling for include/exclude during recursive scans.
• Git audit (commands/git/audit/): fetch config profile by clone URL; hidden --use-config-profile flag (default true); validate single-module profile constraints.
• CLI (cli/docs/flags.go, cli/gitcommands.go): expose WorkingDirs on audit; add hidden use-config-profile.
• Output / parsers (utils/results/conversion/, utils/results/output/): adapt to multi-technology targets and updated error shapes.
• Dependencies (go.mod, go.sum): bump jfrog-client-go and jfrog-cli-artifactory.

Notes

• Behavioral / API shifts: single Technology on ScanTarget replaced by Technologies[]; GeneralError replaced by GeneralErrors (SkippableError); JAS ScannerCmd adds target-based Run with DeprecatedRun for legacy jfrog-apps-config modules.
• Git audit config profile is limited to one module with path_from_root: "." (enforced in verifyConfigProfile).
• In the new flow, jfrog-apps-config.yml is deprecated – flags, env vars, or central JFrog Platform config should be used instead.
• The old graph-based flow is untouched and still loads jfrog-apps-config as before.

[eranturgeman]

I see this check existed before, but I dont think it is really a possible usecase. we can leave it for safety though

[eranturgeman]

maybe add another testcase with multi-rows and different technologies?

[eranturgeman]

LGTM! see my comments