
Configure Mend for GitHub Enterprise for IaC

Overview

Mend for GitHub Enterprise offers several parameters to configure your IaC scans, checks, and issues.

Getting it Done

Note: IaC scans can only be performed on base branches.

Configuration at the local repository level is done via the .whitesource file. To set up your configuration file for IaC scans, see the Parameters section provided in this documentation. Below is an example of fine-tuning an IaC scan within a repository’s .whitesource file:

CODE
{
  "scanSettings": {
    "enableIaC": true,
    "baseBranches": ["integration"]
  },
  "checkRunSettings": {
    "useMendCheckNames": true,
    "iacCheckRunConclusionLevel": "failure"
  }
}

Note: For global configuration, parameters are set via the repo-config.json file. See our Set up a global configuration for Mend for GitHub Enterprise documentation for more information.

Reference

Parameters

Scan Settings (scanSettings)

enableIaC (boolean)
Optional. Default Value: false. When set to true, a new Mend IaC Check will be generated for each valid push.

baseBranches (Array)
Optional. Default Value: your GitHub.com "default" branch. Specifies one or more base branches to be scanned by Mend for GitHub Enterprise.

Example usage: 

CODE
"baseBranches": ["master", "integration"]

This will set both master and integration branches as base branches.

Check Run Settings (checkRunSettings)

Note: Mend for GitHub Enterprise utilizes the GitHub Checks API that provides checks in commits and pull requests on any repository branch.

useMendCheckNames (Boolean)
Optional. Default Value: false. The available parameter values are:

  • true - The check is named after Mend. For example: Mend IaC Check.

  • false - The check is named after WhiteSource. For example: WhiteSource IaC Check.

Note: When a .whitesource file is created, the value of useMendCheckNames is true.

iacCheckRunConclusionLevel (String)
Optional. Default Value: failure. Defines the conclusion status reported when a Mend IaC Check completes. The available parameter values are:

  • failure - If the Mend scan detects IaC misconfigurations in the repository, the commit status shows a "failure" indicating that misconfigurations were detected. If no misconfigurations were detected, the commit status shows a "success" indicator.

  • success - The commit status shows a "success" indicator at the end of the scan, regardless of whether the scan detected misconfigurations in the repository.

Release Branch Settings (releaseBranchSettings)

Notes:

  • From version 23.10.2 (November 6th, 2023), Release Branch Settings allows separate scan settings for release branches: failure rules, strict mode, and more can be configured independently for scans of release branches only.

  • Release Branches must be enabled and defined in order to apply these settings.

checkRunSettings.failOnIacFindings (Boolean)
Optional. Default Value: false. Determines whether a Mend Check Run on a release branch is marked as failed when an IaC violation is detected. The available parameter values are:

  • false - The presence of IaC violations does not block the overall progress of the scan, and the check run passes in any case.

  • true - When a release branch is scanned, the check run fails if an IaC violation has been found.

An example of how to configure Release Branch Settings within the .whitesource file:

CODE
"releaseBranchSettings" : {
  "checkRunSettings": {
    "failOnIaCViolation" : false
  }
}

Issue Settings (issueSettings)

Note:

  • IaC GitHub Issues are meant to be opened for the default branch only. If they are opened for additional baseBranches (scanSettings), the branch name will not be shown.

  • When an IaC issue is closed, it will not be detected in future scans.

iacIssues (Boolean)
Optional. Default Value: true. Whether to generate issues for IaC findings. The available values are:

  • true - If the IaC scan is enabled and IaC misconfigurations are detected, issues are created for these findings.

  • false - If the IaC scan is enabled and IaC misconfigurations are detected, no issues are created for these findings.

Note:

  • This parameter is relevant only if the IaC scan is enabled by setting scanSettings.enableIaC to true.

Default Behavior Explained:

  • When iacIssues is not included at all in the configuration (.whitesource/repo-config.json files), the default of iacIssues is true.

  • From v22.8.1, if you onboard a repository with new, auto-generated .whitesource/repo-config.json files, iacIssues will be explicitly included and set to false by default.

customLabels (Array)
Optional. Default Value: N/A. Defines labels that will be added to the GitHub Issues created after the scan.

Usage example:

CODE
{
  "issueSettings": {
    "customLabels": ["label1","label2"]
  }
}

The following labels are reserved by Mend and cannot be used as custom labels:

  • Mend: dependency security vulnerability

  • Mend: license policy violation

  • Mend: IaC violation

  • Mend: configuration error

  • Mend: code security findings

assignees (Array)
Optional. Default Value: N/A. Defines users that will be assigned to the GitHub Issues created after the scan.

Usage example:

CODE
{
  "issueSettings": {
    "assignees": ["user1", "user2"]
  }
}

Note: Only users that are Collaborators with access to the repository and push permission can be added.
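The parameters above interact: enableIaC defaults to false, iacCheckRunConclusionLevel "success" never fails a check, auto-generated files set iacIssues to false explicitly, some labels are reserved, and the release-branch flag defaults to false. The following lint, written for this page as an added example (it is not a Mend tool and does not use any Mend API), parses a .whitesource or repo-config.json document and reports the settings that would let IaC misconfigurations pass silently. It assumes the parsed file is a plain JSON object; the sample WEAK_CONFIG is constructed for the demonstration, and STRICT_CONFIG is the page's own first example. Because the page names the release-branch flag failOnIacFindings in its table but failOnIaCViolation in its example, the lint accepts either spelling rather than guess which one the product reads.

```python
import json

# Values documented for the IaC-related .whitesource parameters on this page.
ALLOWED_CONCLUSION_LEVELS = {"failure", "success"}
RESERVED_LABELS = {
    "Mend: dependency security vulnerability",
    "Mend: license policy violation",
    "Mend: IaC violation",
    "Mend: configuration error",
    "Mend: code security findings",
}


def lint_iac_config(config):
    """Return a list of findings for the IaC-related settings of a parsed
    .whitesource / repo-config.json document. An empty list means the file
    enforces IaC findings as strictly as the documented parameters allow."""
    findings = []
    scan = config.get("scanSettings", {})
    checks = config.get("checkRunSettings", {})
    issues = config.get("issueSettings", {})
    release = config.get("releaseBranchSettings", {})

    # scanSettings.enableIaC defaults to false: a file that omits it runs no IaC scan at all.
    enable_iac = scan.get("enableIaC", False)
    if not isinstance(enable_iac, bool):
        findings.append("scanSettings.enableIaC must be a boolean")
    elif not enable_iac:
        findings.append("scanSettings.enableIaC is false: no Mend IaC Check will be generated")

    base = scan.get("baseBranches")
    if base is not None and not (isinstance(base, list) and all(isinstance(b, str) for b in base)):
        findings.append("scanSettings.baseBranches must be an array of branch names")

    # 'success' reports a passing commit status even when misconfigurations are found.
    level = checks.get("iacCheckRunConclusionLevel", "failure")
    if level not in ALLOWED_CONCLUSION_LEVELS:
        findings.append("checkRunSettings.iacCheckRunConclusionLevel %r is not 'failure' or 'success'" % (level,))
    elif level == "success":
        findings.append("checkRunSettings.iacCheckRunConclusionLevel is 'success': misconfigurations never fail the check")

    # Auto-generated files set iacIssues to false explicitly; the parameter only matters when the scan is on.
    if enable_iac is True and issues.get("iacIssues", True) is False:
        findings.append("issueSettings.iacIssues is false: IaC findings will not open GitHub Issues")

    for label in issues.get("customLabels", []):
        if label in RESERVED_LABELS:
            findings.append("issueSettings.customLabels uses reserved label %r" % (label,))

    # The page spells this flag failOnIacFindings (table) and failOnIaCViolation (example);
    # accept either spelling rather than guess which one the product expects.
    if release:
        rel_checks = release.get("checkRunSettings", {})
        flag = rel_checks.get("failOnIacFindings", rel_checks.get("failOnIaCViolation", False))
        if flag is not True:
            findings.append("releaseBranchSettings: release branch check run passes even when IaC violations are found")
    return findings


def lint_json(text):
    """Parse the contents of a JSON configuration file and lint it."""
    return lint_iac_config(json.loads(text))


# The page's own first example: IaC enabled, 'integration' as base branch, failing conclusion level.
STRICT_CONFIG = """{
  "scanSettings": {"enableIaC": true, "baseBranches": ["integration"]},
  "checkRunSettings": {"useMendCheckNames": true, "iacCheckRunConclusionLevel": "failure"}
}"""

# Constructed sample (not from the page): a permissive file a reviewer would want flagged.
WEAK_CONFIG = """{
  "scanSettings": {"enableIaC": true, "baseBranches": ["main", "integration"]},
  "checkRunSettings": {"useMendCheckNames": true, "iacCheckRunConclusionLevel": "success"},
  "issueSettings": {"iacIssues": false, "customLabels": ["infra", "Mend: IaC violation"]},
  "releaseBranchSettings": {"checkRunSettings": {"failOnIacFindings": false}}
}"""


def lint_weak_example():
    """Lint the constructed WEAK_CONFIG; expected to yield four findings."""
    return lint_json(WEAK_CONFIG)


if __name__ == "__main__":
    print("strict:", lint_json(STRICT_CONFIG))
    for finding in lint_weak_example():
        print("-", finding)
```

Run it against a repository's .whitesource before merging a change to that file; a non-empty result is a prompt to review why a scan, a failing check, or an issue is being turned off, not a hard error, since "success" and iacIssues false are legitimate settings for repositories that are only monitoring.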

Environments

The following IaC environments and their configuration files are supported:

  • Terraform

  • Bicep

  • CloudFormation

  • Kubernetes

  • ARM Templates

  • Serverless

  • Helm
