Connect your container images to their source repositories with Mend for GitHub Enterprise Code Source
Overview
Mend for GitHub Enterprise Code Source gives you a direct way to trace a vulnerability found in a built container image back to the source code that produced it. It does this by adding two LABEL instructions to your Dockerfile: an Open Container Initiative (OCI) annotation that records the source repository URL, and a proprietary Mend label that records the Dockerfile's path within that repository. Because the labels are baked into the image at build time, the repository and Dockerfile behind an image are known the moment a risk is detected on it, which saves the time otherwise spent researching where an image came from.
How does Mend for GitHub Enterprise Code Source work?
Code Source is configured through Mend's repository integrations. When enabled, Code Source uses GitHub's built-in search API to locate the Dockerfiles in your Mend-integrated repositories and checks whether each one already contains the following labels:
Mend’s proprietary label:
LABEL io.mend.image.dockerfile.path=
Open Container Initiative (OCI) label:
LABEL org.opencontainers.image.source=
If a Dockerfile lacks them, Code Source creates a branch and opens a pull request (PR) that adds the labels to that Dockerfile. Note that:
The Code Source PR appends the labels at the end of your Dockerfile, so the existing build stages and instructions are not disrupted.
Once you merge the Code Source PR, the labels take effect the next time your image is built.
If the OCI label is already present in your Dockerfile before you enable Code Source, Code Source detects it and does not open a PR that would duplicate the label.
If no PR is created, you can add the labels manually to your Dockerfile, for example:
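The following is an added example and not Mend's own code: a small shell script that does by hand what the page describes Code Source doing, appending whichever of the two labels is missing at the end of a Dockerfile while leaving an already-present OCI label alone. The repository URL, the in-repo Dockerfile path and the sample Dockerfile are constructed placeholders, not values from the page.

```shell
#!/usr/bin/env bash
# Added example (not Mend's code): add the Code Source labels to a Dockerfile by hand.
# Assumptions: the caller supplies the repository URL and the Dockerfile's in-repo path.
set -eu

MEND_LABEL="io.mend.image.dockerfile.path"
OCI_LABEL="org.opencontainers.image.source"

# has_label FILE KEY -> exit 0 if FILE already has a LABEL instruction for KEY.
# Dots in the key are escaped so they match literally in the extended regex.
has_label() {
  key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -Eiq "^[[:space:]]*LABEL[[:space:]].*${key_re}=" "$1"
}

# ensure_labels FILE REPO_URL DOCKERFILE_PATH
# Appends each missing label at the end of FILE (so earlier build stages are
# untouched) and prints how many labels were added (0, 1 or 2).
ensure_labels() {
  file=$1; repo_url=$2; df_path=$3
  added=0
  # Guarantee a trailing newline so an appended LABEL starts on its own line.
  [ -z "$(tail -c 1 "$file")" ] || printf '\n' >> "$file"
  if ! has_label "$file" "$OCI_LABEL"; then
    printf 'LABEL %s="%s"\n' "$OCI_LABEL" "$repo_url" >> "$file"
    added=$((added + 1))
  fi
  if ! has_label "$file" "$MEND_LABEL"; then
    printf 'LABEL %s="%s"\n' "$MEND_LABEL" "$df_path" >> "$file"
    added=$((added + 1))
  fi
  printf '%s\n' "$added"
}

# Demo on a constructed Dockerfile that already carries the OCI label: only the
# Mend label should be appended, and the OCI label must not be duplicated.
demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
FROM alpine:3.19
LABEL org.opencontainers.image.source="https://github.com/example-org/example-app"
COPY app /app
ENTRYPOINT ["/app"]
EOF
  echo "labels added: $(ensure_labels "$tmp" \
    "https://github.com/example-org/example-app" "services/api/Dockerfile")"
  cat "$tmp"
  rm -f "$tmp"
}

demo
```

The check only recognises a key on a line that starts with LABEL, so a key placed on a backslash-continued line of a multi-key LABEL instruction would be reported as missing; extend the regex if your Dockerfiles use that style. After the image is built, you can confirm the labels survived with `docker inspect --format '{{ index .Config.Labels "org.opencontainers.image.source" }}' IMAGE`.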
When you then scan the built container image with the Mend CLI, the values of these labels are read from the image and shown in the Mend Application's Cloud Native UI, so you can trace the image straight back to its source repository and Dockerfile.
Getting it done
Prerequisites before using Mend for GitHub Enterprise Code Source
Have an active GitHub repository that is onboarded to Mend and contains a Dockerfile.
How do I configure Mend for GitHub Enterprise Code Source?
The .whitesource file is used to configure Mend for GitHub Enterprise Code Source. To learn more about the Code Source configuration setup and parameters, visit our Configure Mend for GitHub Enterprise Code Source documentation.
How do I start Mend for GitHub Enterprise Code Source?
Once enabled, Mend for GitHub Enterprise Code Source runs on every push to the branches listed in the baseBranches parameter of your Mend for GitHub Enterprise configuration files: .whitesource (repository-level) and repo-config.json (global).
Where do I view my Mend for GitHub Enterprise Code Source results?
When Mend for GitHub Enterprise Code Source completes, a pull request (PR) is created for each Dockerfile that does not already contain the Code Source labels. For help understanding this PR, visit our Understand the results of Mend for GitHub Enterprise Code Source documentation.
Connect your container images with Mend for GitHub Enterprise Code Source
This video provides a brief overview and demonstrates how to connect your container images to their source repositories with Mend for GitHub Enterprise Code Source.