Configure SCA Reachability for GitHub.com
Overview
The Mend Reachability tool helps you assess the effectiveness of security vulnerabilities associated with open-source components, to prioritize fixing those vulnerabilities.
We want to reduce developers' security burden by utilizing Mend.io’s innovative differentiation - reachability analysis - easily, as part of the GitHub Repository Integration. This will enable developers to focus on fixing the reachable vulnerabilities in their repository.
In the real world, a medium but reachable vulnerability might be prioritized higher by developers than a critical but unreachable vulnerability.
This article will explain about Mend.io’s Reachability technology in the GitHub.com integration and how to use it.
If you’re an SCA user tasked with fixing vulnerabilities detected in your GitHub.com repositories or creating tasks for others to fix them, this article is for you.
Getting it done
Prerequisites before getting started with Reachability
Java repository that uses Maven/Gradle OR JavaScript repository that uses npm/Yarn
Scanning in the GitHub.com repository integration
Use case for Reachability
The initial use case for reachability is that a repo scan includes a “reachability scan” step. This means that the scan may take longer. In the end, the repo scan results will be enriched with reachability information - the scan report will include a visual indication on whether the listed vulnerability is reachable or not.
Once enabled, the reachability indication will be visible as part of the post-scan reports.
Configure Reachability
To enable reachability analysis as part of the Mend repository integration, the .whitesource file needs to be updated.
Enable Reachability
Set the
enableReachability
parameter (located under thescanSettings
within the .whitesource file) to true
Viewing results in the repo integration
The Reachability results will be visible in 3 locations within the repository:
Checkrun results (Security Check)
GitHub Issues
Pull Requests
Viewing the results in the Mend Core Application UI
Kindly follow this article for the full details.
Reachability parameters
reachabilityScanDelayHours
parameter (located under the scanSettings
within the .whitesource file) defines the time interval for which code commits including changes to the existing supported source files will trigger an SCA + reachability check run.
The default value is 48 hours
The minimum value that can be set is 24 hours
Reference
Regular Mend SCA check runs are triggered on code commits that include one of the following:
Changes to packages (manifest) files
Addition or deletion of supported source files
When reachability is enabled, each Mend SCA check run will include reachability analysis and will be triggered on code commits with the following logic:
Changes to packages (manifest) files (same as regular SCA check runs)
Addition or deletion of supported source files (same as regular SCA check runs)
Changes to existing supported source files - after an elapsed time interval has passed (new for reachability)
Parameters
Repository level parameters (scanSettings
)
Parameter | Type | Description |
---|---|---|
enableReachability | Boolean | Required to enable Mend Reachability scan |
reachabilityScanDelayHours | Float | Optional. Default Value:
|
Check Run Settings (checkRunSettings
)
Parameter | Type | Description |
---|---|---|
strictMode | String | Optional. Default Value:
Note: For strictMode to work, the vulnerableCheckRunConclusionLevel and licenseCheckRunConclusionLevel parameters must be set to |
strictModeInfo | Boolean | Optional. Default Value:
|
Mend Reachability - supported languages
The following languages and their package managers are supported for scanning dependencies with Mend Reachability for GitHub.com .
Language | Package Manager | Details |
---|---|---|
Java | Gradle | Configuration file(s): build.gradle, settings.gradle |
Java | Maven | Configuration file(s): settings.xml |
JavaScript | npm | Configuration file(s): package.json |
JavaScript | Yarn | Configuration file(s): package.json |
Python | pip | Configuration file(s): requirements.txt |
Python | Pipenv | Configuration file(s): Pipfile & Pipfile.lock |