
Configure Mend for Azure Repos for IaC

Overview

Mend for Azure Repos offers several parameters to configure your IaC scans, checks, and issues.

Getting it Done

Note: IaC scans can only be performed on base branches.

Configuration at the local repository level is done via the .whitesource file. To set up your configuration file for IaC scans, see the Parameters section provided in this documentation. Below is an example of fine-tuning an IaC scan within a repository’s .whitesource file:

CODE
{
  "scanSettings": {
    "enableIaC": true,
    "baseBranches": ["integration"]
  },
  "checkRunSettings": {
    "useMendCheckNames": true
  }
}

Note: For global configuration, parameters are set via the repo-config.json file. See our Set up a global configuration for Mend for Azure Repos documentation for more information.

Reference

Parameters

Scan Settings (scanSettings)

Parameter: enableIaC

Type: boolean

Description: Optional. Default value: false. When set to true, a new Mend IaC Check is generated for each valid push.

Notes:

  • When enabled, after every valid push a branch (ws-iac-scan-results/{mend_scan_token}) is created temporarily and deleted once the scan has completed.

  • Once an IaC work item is closed, it will not be detected in future scans.

  • IaC issues are intended for the default branch only; if they are opened for additional baseBranches, the branch name is not shown.

Parameter: baseBranches

Type: Array

Description: Optional. Default value: your Azure DevOps Repos "default" branch. Specifies one or more base branches to be scanned by Mend for Azure Repos.

Example usage:

CODE
"baseBranches": ["master", "integration"]

This sets both the master and integration branches as base branches.

Notes:

  • Work items are created only for the specified branch names.

  • A Mend project is created for each specified branch. The project name carries the suffix "_branchname" (for example, MyApp_dev). The suffix is not applied to the default branch.

Check Run Settings (checkRunSettings)

Note: Mend for Azure Repos utilizes the Azure DevOps Checks API that provides checks in commits and pull requests on any repository branch.

Parameter: useMendCheckNames

Type: Boolean

Description: Optional. Default value: false. The available values are:

  • true - Checks are named after Mend. For example: Mend IaC Check.

  • false - Checks are named after WhiteSource. For example: WhiteSource IaC Check.

Note: When a .whitesource file is created, the value of useMendCheckNames is true.

Issue Settings (issueSettings)

Note:

  • IaC issues are intended for the default branch only; if they are opened for additional baseBranches (scanSettings), the branch name is not shown.

  • Once an IaC issue is closed, it will not be detected in future scans.

Parameter: iacIssues

Type: Boolean

Description: Optional. Default value: true. Controls whether work items are generated for IaC findings. The available values are:

  • true - If the IaC scan is enabled and IaC misconfigurations are detected, work items are created for these findings.

  • false - If the IaC scan is enabled and IaC misconfigurations are detected, no work items are created for these findings.

Note: This parameter is relevant only if the IaC scan is enabled by setting scanSettings.enableIaC to true.

Default Behavior Explained:

  • When iacIssues is not included at all in the configuration (.whitesource or repo-config.json file), the default of iacIssues is true.

  • From v22.8.1, if you onboard a repository with new, auto-generated .whitesource/repo-config.json files, iacIssues is explicitly included and set to false by default.

Parameter: customLabels

Type: Array

Description: Optional. Default value: N/A. Defines labels that are added to the Azure DevOps Repos issues created after the scan.

Usage example:

CODE
{
  "issueSettings": {
    "customLabels": ["label1","label2"]
  }
}

The following labels are reserved for Mend and cannot be used:

  • Mend: dependency security vulnerability

  • Mend: license policy violation

  • Mend: IaC violation

  • Mend: configuration error

  • Mend: code security findings
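As an added example (not Mend's own code), the following Python linter checks a .whitesource file against the parameter reference above: it verifies the documented types of the IaC-related parameters, flags reserved labels in customLabels, and reports the effective settings after the documented defaults are applied. The placeholder "<repo default branch>" is an assumption standing in for the repository's real default branch, which a local script cannot know.

```python
import json

# Documented IaC-related parameters and their expected JSON types, per section.
SCHEMA = {
    "scanSettings": {"enableIaC": bool, "baseBranches": list},
    "checkRunSettings": {"useMendCheckNames": bool},
    "issueSettings": {"iacIssues": bool, "customLabels": list},
}

# Labels the documentation lists as reserved for Mend's own use.
RESERVED_LABELS = {
    "Mend: dependency security vulnerability",
    "Mend: license policy violation",
    "Mend: IaC violation",
    "Mend: configuration error",
    "Mend: code security findings",
}


def lint_whitesource(text):
    """Parse a .whitesource JSON document and return (problems, effective): problems is a
    list of findings, effective is the resolved IaC configuration with defaults applied."""
    cfg = json.loads(text)
    problems, sections = [], {}
    for section, params in SCHEMA.items():
        block = cfg.get(section, {})
        if not isinstance(block, dict):
            problems.append(f"{section} must be a JSON object")
            block = {}
        for name, expected in params.items():
            if name in block and not isinstance(block[name], expected):
                problems.append(f"{section}.{name} must be {expected.__name__}")
        sections[section] = block
    scan, checks, issues = (sections[s] for s in SCHEMA)
    branches = scan.get("baseBranches")
    if isinstance(branches, list) and not all(isinstance(b, str) for b in branches):
        problems.append("scanSettings.baseBranches must contain only strings")
    labels = issues.get("customLabels")
    if isinstance(labels, list):
        problems += [f"customLabels: '{lab}' is reserved" for lab in labels if lab in RESERVED_LABELS]
    enable_iac = scan.get("enableIaC") is True
    effective = {
        "enableIaC": enable_iac,
        # Documented default is the repository's default branch; placeholder used here (assumption).
        "baseBranches": branches if isinstance(branches, list) else ["<repo default branch>"],
        "useMendCheckNames": checks.get("useMendCheckNames") is True,
        # iacIssues defaults to true when absent and is only relevant when IaC scanning is enabled.
        "iacIssues": enable_iac and issues.get("iacIssues", True) is True,
    }
    return problems, effective
```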

Supported Environments

The following IaC environments and their configuration files are supported:

  • Terraform

  • Bicep

  • CloudFormation

  • Kubernetes

  • ARM Templates

  • Serverless

  • Helm
