
Configure Mend Developer Platform for SCA

Overview

Mend Developer Platform provides various parameters to customize Open-Source Security (SCA) and Renovate scans, checks, and issue configurations. In this guide, we'll walk you through the process of configuring the developer platform settings, highlighting key differences between workspace/project and repository configurations along the way.

Getting it done

To edit settings for the workspace or repository, ensure you possess appropriate administrative access at the desired level, whether it's the workspace/organization or the repository itself. It's crucial to understand that the Mend Developer Platform does not feature distinct user management; instead, user roles are determined by the permissions granted within the SCM system.

Configure your workspace or repository settings

  1. Open the workspace/project you want to configure on the Mend Developer Platform homepage.

  2. Click SETTINGS.


The Mend Developer Platform is configured through the screens described in the following sections.

The configuration screens in the Mend Developer Platform are the same for both the workspace/project and repository levels. This documentation provides instructions for configuring the general settings.

General

The General screen provides a high-level perspective, and you can track and configure the following options:

  • View the Mend Organization that your Bitbucket Cloud workspace/Azure DevOps project is linked to.

  • Disable repo-level override, which toggles whether users with admin access to a repository can override the configuration set at the workspace/project level. Workspace/Project admins will still be able to override on the repository level.

  • Base branches - Mend treats the values set here as the base branches of the repo when scanning. Spaces and duplicates are not allowed.
    For each specified branch, a Mend project is created in the Mend Platform application. The project name carries the suffix "_branchName"; for example, a base branch named dev on the MyApp repository produces the project MyApp_dev.

  • Custom work item type (AZDO only) - This parameter specifies the type of work item to be created for all Mend work items. Set this parameter to a string equal to the name of a work item type in your project.

  • Custom work item fields (AZDO only) - This parameter specifies custom fields to be added to all Mend work items. If a field with a matching name exists in the work item template and the value is of a compatible data type, it is added to the work item. To override a value at the repo level, create a custom field with the same name.

Notes:

  • Custom work item types and Custom work item fields are applicable for Azure DevOps only.

  • In order to configure custom work items, you have to use a custom process (in Azure DevOps: Organization Settings → Process → create an inherited process).

  • Release Branches - The parameter's value is an array of strings, each of which is either a literal branch name or a Java-compatible regex pattern.

    • Example: "release", "release\\/.*"

Branches matching these names or patterns are scanned: checks are created and a Mend project is generated, but issues and remediation PRs are not created. If a branch matches both the Release Branches and Base branches parameters, it is scanned as a base branch.
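As an added example (not part of the Mend documentation), the following Python sketch shows how the Base branches and Release Branches parameters combine: validation of the base-branch values, Java-style regex matching for release patterns, the base-over-release precedence stated above, and the actions that follow for each branch kind. Whole-name regex matching and the "_branchName" project suffix for release branches are assumptions.

```python
import re

# Constructed values mirroring the General screen (not from a real workspace).
BASE_BRANCHES = ["main", "dev"]
RELEASE_BRANCHES = ["release", r"release\/.*"]   # the page's own example patterns


def validate_base_branches(values):
    """Reject spaces and duplicates, as the Base branches field does."""
    seen = set()
    for name in values:
        if " " in name:
            raise ValueError(f"base branch must not contain spaces: {name!r}")
        if name in seen:
            raise ValueError(f"duplicate base branch: {name!r}")
        seen.add(name)
    return list(values)


def classify_branch(name, base=BASE_BRANCHES, release=RELEASE_BRANCHES):
    """Return 'base', 'release' or 'other' for a branch name.

    Base branches win over release patterns when both match. Release entries
    are treated as Java-style regexes that must match the whole name (an
    assumption; Python's re stands in for the Java engine here).
    """
    if name in base:
        return "base"
    for pattern in release:
        if re.fullmatch(pattern, name):
            return "release"
    return "other"


def scan_behaviour(name, repo="MyApp", base=BASE_BRANCHES, release=RELEASE_BRANCHES):
    """Actions Mend takes per branch kind: scan, checks and a Mend project for base
    and release branches; issues and remediation PRs only for base branches.
    'other' branches depend on the feature-branch setting on the Dependencies
    screen, so nothing is assumed for them here."""
    kind = classify_branch(name, base, release)
    actions = {"base": {"scan", "checks", "project", "issues", "remediation_prs"},
               "release": {"scan", "checks", "project"},
               "other": set()}[kind]
    # "_branchName" suffix is stated for base branches; assumed the same for release.
    project = f"{repo}_{name}" if kind != "other" else None
    return kind, actions, project
```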


Credentials

  • Credentials - You can save credentials and other types of sensitive information to be used later in the host rules configuration.
    A secret can also be used as an environment variable while the project is being scanned.

  • Host rules - To scan dependencies from private registries, Mend must be given details such as the host URL and credentials. Create a host rule containing all the information required to fetch the dependencies; for the credentials, create secrets in the section above.


Dependencies (SCA)

In this screen menu, you can control whether the Mend SCA engine is enabled and whether repositories will be scanned for Dependencies (SCA).

  • Checks - If enabled, Mend will create a build status for open-source security scans and report results in commit comments.

    • Conclusion status - If set to “Success”, the Security Check will always be “Success”, even if the check fails.

    • Only print results - When enabled for a workspace or repository, no commit comments are posted to indicate that a scan is in progress or that the scan result was neutral.

      • The build status for both scenarios (scan in progress and neutral check) will still be created for the scanned commits.

      • This can be used to reduce Bitbucket/Azure DevOps API usage, stay within rate limits, or reduce noise in the repository.

    • Vulnerability range - Specify the severity range [0-10] of findings for which Mend will fail a Security Check.

  • Issues - Defines whether Mend will create issues for the engine's findings.

    • Vulnerability range - Specify the severity range [0-10] of findings for which Mend will open Issues.

    • Grouping rule - Define how issues should be grouped: one for each vulnerability or direct dependency.

Bitbucket Cloud: For the Issues to be created, the repository should have an Issue Tracker enabled. This is done in the repository settings in Bitbucket Cloud.

Azure DevOps: For the Issues to be created, the repository should have Boards enabled. This is done in the project settings in Azure DevOps Repos.

  • Scan all feature branches - Enabling this will trigger a scan of all feature branches that contain a valid commit.

Note: Once enabled, a pop-up window will appear to confirm this setting, alerting you that this may trigger a large number of scans.

  • Dependency updates - You can control whether the Mend Remediate and Renovate engines are enabled. Mend will suggest updates for outdated dependencies.

    • Silent Mode - Repositories are scanned and results are shown in the dashboard, but no issues or pull requests are created automatically. This sets dryRun=lookup in the Renovate configuration.

    • Renovate

      • Automated PRs - Mend will automatically create pull requests to update outdated dependencies.

      • Require config file - Mend will create automated PRs only if a Renovate configuration file is present in the repository.

      • Create onboarding PRs - Mend will create an Onboarding PR that contains the Renovate configuration file in all repositories that don’t already contain it. This sets onboarding=true and requireConfig=required in the Renovate configuration.

    • Remediate - Mend will create a pull request to remediate security findings.

      • Automated PRs - Mend will automatically create pull requests to remediate security vulnerabilities.

      • Remediation range - Specify the severity range [0-10] of findings for which Mend will create remediation pull requests.

Note: If "Require config file" or "Create onboarding PRs" is enabled for Renovate, Remediate will work only if the configuration file is present or the onboarding PR has been merged.

  • Scanner

    • Reachability - SCA scans in the Developer Platform are enriched with Reachability information, which helps you focus on fixing vulnerabilities that are reachable in your application, resulting in significant noise reduction and increased effectiveness of your risk mitigation efforts.

      • Scan Delay - Defines the time interval (in hours) during which code commits, including changes to the existing supported source files, will trigger an SCA + reachability check run.

Note: To learn more about configuring Reachability for the Mend Developer Platform, please visit the documentation here.


Dependency Licensing (SCA)

Note: License policies can only be configured via the legacy SCA Application. Visit this page to learn how to do it. If you’re logged into the Mend AppSec Platform, follow the steps in this article to switch over to the legacy SCA Application.

  • Issues - Defines whether Mend will create issues for licensing findings.

  • Checks - Mend will create a build status for all licensing findings and report results in commit comments.

    • Conclusion status - If set to “Success” the License Check will always be “Success”, even if the check fails.


Scan Insights

Note:

  • This feature is not applicable to SAST.

  • Scan Insights are available for Dependencies (security checks) and Dependency Licensing (license checks), but are configured separately for each.

Scan Insights (known as “strictMode” in the classic repo integrations) is a feature that enables you to fail the security or license check when scan results are partial. It includes the capability to print the Pre-Scan Build (PSB) report directly to the security/license checks. When Scan Insights are enabled, reports display messages according to the selected display level: Info / Warning / Error.

Enable Scan Insights

To enable scan insights, navigate to the Developer Platform’s Dependencies or Dependency Licensing settings screen.


Toggle Scan Insights on and configure the Fail level and Display level.

When scan insights are enabled, the PSB report is printed to the security/license checks based on the selected display level (if there are items to report):

  • Info - show info messages and higher.

  • Warning - show warning messages and higher.

  • Error - show error messages only.

In case of partial scan results, a “scan error” tag is created in the Mend Platform according to the configured “Fail level”: if the level of the partial scan result is lower than the configured “Fail level”, no “scan error” tag is created.
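As an added example (not Mend's code), the following Python model ties together the Checks settings from the Dependencies (SCA) screen (Vulnerability range and Conclusion status) and the Scan Insights settings above (Display level and Fail level) to decide the outcome of one Security Check. It assumes findings carry a 0-10 score with inclusive range bounds, and that each Pre-Scan Build (PSB) message represents a partial-result condition at its level; the input data is constructed.

```python
from dataclasses import dataclass

# Display/fail levels from the Scan Insights screen, lowest to highest.
LEVELS = {"Info": 0, "Warning": 1, "Error": 2}


@dataclass
class CheckConfig:
    # Dependencies (SCA) > Checks. Bounds are assumed inclusive on a 0-10 score.
    vulnerability_range: tuple = (7.0, 10.0)
    conclusion_status: str = "Default"   # "Success" forces a green build status
    # Scan Insights
    scan_insights: bool = False
    display_level: str = "Warning"
    fail_level: str = "Error"


def evaluate_security_check(findings, psb_messages, cfg):
    """Decide the Security Check outcome for one scanned commit.

    findings: dicts with 'id' and a 0-10 'score' (assumed CVSS-style).
    psb_messages: PSB report entries with 'level' and 'text'; each is assumed
    to describe a partial-result condition at that level.
    Returns the build-status conclusion, the failing finding ids, the PSB lines
    printed to the check, and whether a "scan error" tag would be created.
    """
    lo, hi = cfg.vulnerability_range
    failing = [f["id"] for f in findings if lo <= f["score"] <= hi]
    conclusion = "Failure" if failing else "Success"
    report, scan_error = [], False
    if cfg.scan_insights:
        # Print PSB messages at or above the display level (if there are any).
        floor = LEVELS[cfg.display_level]
        report = [f"[{m['level']}] {m['text']}" for m in psb_messages
                  if LEVELS[m["level"]] >= floor]
        # Partial results at or above the fail level fail the check and create
        # the "scan error" tag; lower ones do not.
        scan_error = any(LEVELS[m["level"]] >= LEVELS[cfg.fail_level]
                         for m in psb_messages)
        if scan_error:
            conclusion = "Failure"
    if cfg.conclusion_status == "Success":
        conclusion = "Success"   # reported as Success even though the check failed
    return {"conclusion": conclusion, "failing": failing,
            "report": report, "scan_error": scan_error}


# Constructed sample input (not real scan output).
SAMPLE_FINDINGS = [{"id": "F-1", "score": 9.8}, {"id": "F-2", "score": 5.3}]
SAMPLE_PSB = [
    {"level": "Warning", "text": "lockfile missing for package.json"},
    {"level": "Error", "text": "dependency resolution failed for pom.xml"},
]
```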

Supported Dependency Files

The following dependency files are supported by the Mend Developer Platform for SCA scans:

  • build.gradle

  • build.gradle.kts

  • gradle.lockfile

  • gradle.properties

  • libs.gradle

  • settings.gradle

  • cargo.toml

  • dependencies.scala

  • pom.xml

  • setup.py

  • requirements.txt

  • Gemfile.lock

  • package.json

  • package-lock.json

  • yarn.lock

  • pnpm-lock.yaml

  • bower.json

  • go.mod

  • Gopkg.lock

  • Godeps.lock

  • vendor.conf

  • gogradle.lock

  • glide.lock

  • composer.json

  • build.sbt

  • packages.config

  • packrat.lock

  • paket.dependencies

  • Pipfile

  • pipfile.lock

  • Podfile

  • pyproject.toml

  • libs.versions.toml

  • poetry.lock

  • pubspec.yaml

  • setup.cfg

  • environment.yml

  • Any metafile with one of the following extensions: 

    • asp

    • aspx

    • config

    • csproj

    • do

    • htm

    • html

    • jsp

    • shtml

    • tf

    • xhtml

  • Cargo.lock
