Connect your container images to their source repositories with Mend for GitHub.com Code Source
Overview
Mend for GitHub.com Code Source gives you a direct way to trace a vulnerability found in a built container image back to the repository and Dockerfile it was built from. It does this by adding two LABEL instructions to your Dockerfile: the Open Container Initiative (OCI) pre-defined annotation key for the source repository URL, and a Mend-specific key for the Dockerfile path. Because a Dockerfile LABEL is carried into the image metadata at build time, the image itself then identifies where it came from, saving you time when researching risks detected on your built container images.
How does Mend for GitHub.com Code Source work?
Code Source is configured via Mend’s repository integrations. When enabled, Code Source uses GitHub’s built-in code search API to find Dockerfiles in your Mend-integrated repositories and checks whether each one already contains the following labels:
Mend’s proprietary label:
LABEL io.mend.image.dockerfile.path=
Open Container Initiative (OCI) label:
LABEL org.opencontainers.image.source=
If they are not, Code Source creates a branch and opens a pull request (PR) that adds the missing labels to each Dockerfile. Rest assured that:
The Code Source PR appends the labels at the end of your Dockerfile, so the instructions before them, and the layers built from them, are left as they were and your container image build process is not disrupted.
Once you merge the Code Source PR, the labels take effect the next time your image is built.
If the OCI label is already present in your Dockerfile before you enable Code Source, Code Source detects it and does not create a PR that would duplicate the label.
If no PR is created within a short period of time, you can add the labels to your Dockerfile manually. PRs can be delayed when GitHub has not yet indexed your repository (GitHub prioritizes indexing of Enterprise and private repositories). Code Source PRs are also not created for cloned or forked repositories.
Here is an example of labels that have been added manually:
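The following shell script is an added example, not Mend’s own code, that reproduces the behaviour described above for the case where you add the labels yourself or want to automate it in your own tooling: it appends only the labels that are missing, appends them at the end of the Dockerfile, and is a no-op on a second run, so an existing label is never duplicated. The repository URL, the Dockerfile path and the sample Dockerfile contents are constructed values used for illustration; the label check is deliberately simple (one key per LABEL line, unquoted keys) and is not the search logic Code Source itself uses.

```shell
#!/bin/sh
# Added example (not Mend's code): add Code Source labels to a Dockerfile
# only when they are missing, appending at the end of the file.

MEND_LABEL="io.mend.image.dockerfile.path"
OCI_LABEL="org.opencontainers.image.source"

# has_label FILE KEY: succeeds if FILE contains a LABEL line that sets KEY.
# Simplified check: matches "LABEL ... KEY=" with an unquoted key.
has_label() {
    grep -E '^[[:space:]]*LABEL[[:space:]]' "$1" | grep -Fq "$2="
}

# add_code_source_labels FILE REPO_URL DOCKERFILE_PATH
# Appends each missing label at the END of FILE so earlier instructions and
# their cached layers are untouched. Prints the number of labels added.
add_code_source_labels() {
    file="$1"; repo_url="$2"; df_path="$3"; added=0
    if ! has_label "$file" "$OCI_LABEL"; then
        printf 'LABEL %s=%s\n' "$OCI_LABEL" "$repo_url" >> "$file"
        added=$((added + 1))
    fi
    if ! has_label "$file" "$MEND_LABEL"; then
        printf 'LABEL %s=%s\n' "$MEND_LABEL" "$df_path" >> "$file"
        added=$((added + 1))
    fi
    echo "$added"
}

# make_sample: writes a constructed Dockerfile that already carries the OCI
# label (the "label already present" case) and prints its path.
make_sample() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
FROM alpine:3.19
LABEL org.opencontainers.image.source=https://github.com/example-org/example-repo
RUN apk add --no-cache curl
EOF
    echo "$tmp"
}

# Demo on the constructed sample: only the Mend label should be appended.
demo_file=$(make_sample)
add_code_source_labels "$demo_file" \
    https://github.com/example-org/example-repo docker/Dockerfile >/dev/null
cat "$demo_file"
rm -f "$demo_file"
```

After the labelled Dockerfile has been built, you can confirm the label reached the image metadata with `docker inspect --format '{{ index .Config.Labels "org.opencontainers.image.source" }}' <image>`; an empty result means the label was not applied, which in practice usually means the image was built before the labels were merged.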
When you scan the built container image with the Mend CLI, these details are shown in the Mend Application’s Cloud Native UI, allowing you to trace the image back to its source repository.
Getting it done
Prerequisites before using Mend for GitHub.com Code Source
Install Mend for GitHub.com in your GitHub organization.
Have an active, Mend-onboarded, GitHub repository that contains a Dockerfile.
How do I configure Mend for GitHub.com Code Source?
The .whitesource file (for a local configuration) and the repo-config.json file (for a global configuration) are used to configure Mend for GitHub.com Code Source. To learn more about the Code Source configuration setup and parameters, visit our Configure Mend for GitHub.com Code Source documentation.
How do I start Mend for GitHub.com Code Source?
Once enabled, Mend for GitHub.com Code Source runs on every push to the branches of your repository listed in the baseBranches parameter of your Mend for GitHub.com configuration files: .whitesource (for local configuration) and repo-config.json (for global configuration).
Where do I view my Mend for GitHub.com Code Source results?
Once Mend for GitHub.com Code Source completes, an individual pull request (PR) is created for each Dockerfile that does not already contain the Code Source labels. For more information to help you understand these PRs, visit our Understand the results of Mend for GitHub.com Code Source documentation.