Configure Mend for GitHub Enterprise for IaC
Overview
Mend for GitHub Enterprise offers several parameters to configure your IaC scans, checks, and issues.
Getting it Done
Note: IaC scans can only be performed on base branches.
Configuration at the local repository level is done via the .whitesource file. To set up your configuration file for IaC scans, see the Parameters section provided in this documentation. Below is an example of fine-tuning an IaC scan within a repository’s .whitesource file:
{
"scanSettings": {
"enableIaC": true,
"baseBranches": ["integration"]
},
"checkRunSettings": {
"useMendCheckNames": true,
"iacCheckRunConclusionLevel": "failure"
}
}
Note: For global configuration, parameters are set via the repo-config.json file. See our Set up a global configuration for Mend for GitHub Enterprise documentation for more information.
Reference
Parameters
Scan Settings (scanSettings
)
Parameter | Type | Description |
---|---|---|
enableIaC | boolean | Optional. Default Value: |
baseBranches | Array | Optional. Default Value: Example usage:
CODE
This will set both |
Check Run Settings (checkRunSettings
)
Note: Mend for GitHub Enterprise utilizes the GitHub Checks API that provides checks in commits and pull requests on any repository branch.
Parameter | Type | Description |
---|---|---|
useMendCheckNames | Boolean | Optional. Default Value:
Note: When a .whitesource file is created, the value of useMendCheckNames is |
iacCheckRunConclusionLevel | String | Optional. Default Value:
|
Release Branch Settings (releaseBranchSettings
)
Notes:
From version 23.10.2 (November 6th, 2023), Release Branch Settings now allows separate scan settings for release branches. It can control independent configuration of failure rules, strict mode, and more, just for scans of release branches.
Release Branches must be enabled and defined in order to apply these settings
Parameter | Type | Description |
---|---|---|
checkRunSettings.failOnIacFindings | Boolean | Optional. Default Value:
|
An example of how to configure Release Branch Settings within the .whitesource file:
"releaseBranchSettings" : {
"checkRunSettings": {
"failOnIaCViolation" : false
}
}
Issue Settings (issueSettings
)
Note:
IaC GitHub Issues are meant to be opened for the default branch only and if they are opened for additional baseBranches (
scanSettings
), then the branch name will not be shown.When an IaC issue is closed it will not be detected in the future scans.
Parameter | Type | Description |
---|---|---|
iacIssues | Boolean | Optional. Default Value:
Note:
Default Behavior Explained:
|
customLabels | Array | Optional. Default Value: N/A. Define labels that will be added to the GitHub Issues created after the scan. Usage example:
CODE
Following labels are not available for the use:
|
assignees | Array | Optional. Default Value: N/A. Define users that will be assigned to the GitHub Issues created after the scan. Usage example:
CODE
Note: Only users that are Collaborators with access to the repository and push permission can be added. |
Environments
The following IaC environments and their configuration files are supported:
Terraform
Bicep
CloudFormation
Kubernetes
ARM Templates
Serverless
Helm