
Amazon CodeCatalyst Integration

Overview

This topic describes how Amazon CodeCatalyst integrates with the Unified Agent.

Amazon CodeCatalyst is a fully managed, cloud-native delivery pipeline that manages the entire software lifecycle from coding to deployment, and enables full CI/CD implementation.

A CodeCatalyst integration with Mend allows you to automate the scanning of any project as part of the CodeCatalyst pipeline process, on every code commit.

Using the integration, you can view the scan results inside CodeCatalyst, and also automatically fail builds in case of an organizational compliance or security policy violation.

NOTE: To use Mend SCA with CodeCatalyst, you must have a Mend account.

Integrating Amazon CodeCatalyst with Mend SCA

NOTE: Only Mend Administrators have access to the Integrate tab.

To integrate Amazon CodeCatalyst with Mend SCA, do as follows:

  1. Log in to your Mend account.

  2. In the top menu bar of the Web Console, click the Integrate tab.

  3. On the Integrate screen, find the CI/CD Integration section and click to expand it.

  4. Click Generate Activation Key to generate the activation key that you will use to activate Mend SCA in CodeCatalyst. Copy the activation key and save it for the next step.

Activating and Running the Mend SCA Action

NOTE: Mend SCA is a CodeCatalyst “Action” and can be found in the Action catalog.

To activate and run the Mend SCA action, do as follows:

  1. Go to the CI/CD section of your project in CodeCatalyst and create a new secret named `MendLicenseKey`.

  2. Paste your copied activation key into this secret.

  3. Create a workflow or edit an existing one. NOTE: Confirm that the branch name in the workflow is the branch you wish to scan.

  4. Add the Mend SCA action to the workflow by choosing it from the Actions list. When adding the Mend SCA action, you will need to edit it and replace `MendLicenseKey: SECRET_NAME` with `MendLicenseKey: ${Secrets.MendLicenseKey}`.

  5. (Optional) Define the thresholds for the SCA report generated by the action. If these thresholds are exceeded, the workflow and the SCA report will be marked as “failing”.

  6. (Optional) Configure the Product & Project definitions by setting the `MendProduct` and `MendProject` parameters. These will have the following default values:

    1. `MendProduct`: CodeCatalyst Project Name

    2. `MendProject`: CodeCatalyst Workflow Name

  7. Commit the changes to the CodeCatalyst workflow.

  8. When the workflow runs, the Mend SCA action will execute and analyze your project for open source vulnerabilities.

  9. After the workflow completes, your SCA results can be reviewed either by clicking the Action and selecting the "Reports" tab of the Action Run Summary, or via the "Reports" menu in the project navigation.

Your SCA results will also be available in your Mend application portal.

YAML Example

```yaml
Name: Workflow_0ce8
SchemaVersion: "1.0"

# Optional - Set automatic triggers.
Triggers:
  - Type: Push
    Branches:
      - develop

# Required - Define action configurations.
Actions:
  MendSCA_54:
    # Identifies the action. Do not modify this value.
    Identifier: mend/mendsca@v1

    # Specifies the source and/or artifacts to pass to the action as input.
    Inputs:
      # Required
      Sources:
        - WorkflowSource # This specifies that the action requires this Workflow as a source

    Outputs:
      # Manual reports configuration
      Reports:
        # Optional
        MendSCA:
          Format: SARIFSCA
          IncludePaths:
            - report.sarif
      Artifacts:
        - Name: MendLogs
          Files:
            - "whitesource/**/*"

    # Defines the action's properties.
    Configuration:
      # Required; type: string; description: Find this in your Mend account in the CI/CD Integration section
      MendLicenseKey: ${Secrets.MendLicenseKey}
```
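
A pre-commit check for step 4 of the activation procedure, added here as an example and not taken from Mend or AWS code: it flags a workflow in which `MendLicenseKey` is still the `SECRET_NAME` placeholder or holds a literal value instead of a `${Secrets.<name>}` reference. The function name `check_license_key`, the line-based matching, the allowed characters in secret names, and the sample workflow text are assumptions constructed for illustration.

```python
import re

# Line-based match for the MendLicenseKey setting (trailing comment allowed).
KEY_LINE = re.compile(r"^\s*MendLicenseKey\s*:\s*(?P<value>.*?)\s*(?:#.*)?$")
# Assumed shape of a secret reference, e.g. ${Secrets.MendLicenseKey}.
SECRET_REF = re.compile(r"^\$\{Secrets\.[A-Za-z0-9_-]+\}$")

# Constructed sample workflow fragment, modelled on the page's YAML example.
GOOD = """\
Actions:
  MendSCA_54:
    Identifier: mend/mendsca@v1
    Configuration:
      # Find this in your Mend account in the CI/CD Integration section
      MendLicenseKey: ${Secrets.MendLicenseKey}
"""
# Constructed bad variants: unedited placeholder and a made-up literal key.
PLACEHOLDER = GOOD.replace("${Secrets.MendLicenseKey}", "SECRET_NAME")
LITERAL = GOOD.replace("${Secrets.MendLicenseKey}", "'constructed-key-0000'  # temp")


def check_license_key(workflow_text):
    """Return (line_number, problem) pairs for MendLicenseKey settings."""
    findings, seen = [], False
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = None if line.lstrip().startswith("#") else KEY_LINE.match(line)
        if not match:
            continue
        seen = True
        value = match.group("value").strip("'\"")
        if SECRET_REF.match(value):
            continue  # value comes from a CodeCatalyst secret
        if value == "SECRET_NAME":
            findings.append((number, "placeholder SECRET_NAME was not replaced"))
        elif not value:
            findings.append((number, "MendLicenseKey is empty"))
        else:
            findings.append((number, "literal value instead of a secret reference"))
    if not seen:
        findings.append((0, "no MendLicenseKey setting found"))
    return findings


if __name__ == "__main__":
    for name, text in [("good", GOOD), ("placeholder", PLACEHOLDER), ("literal", LITERAL)]:
        print(name, check_license_key(text))
```

A non-empty result means the workflow file should not be committed until the value is replaced with a secret reference.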