Environment Variables for Self-Hosted Integrations

For faster navigation:

Overview

This provides advanced technical information about the environment variables and their configuration related to the Mend Repo Integrations.

Environmental Variables

Shared

Environment Variables	Description	Controller	Scanner	Remediate	Supported since
WS_ACTIVATION_KEY	Your generated activation key in the Mend application. Default: `null` Notes: The property should still exist in the prop.json file, its value is disregarded. Also available as `bolt.op.activation.key` prop.json property.	✅	✅	✅	21.7.2
WS_CREATE_ISSUES	The ability to globally enable/disable Issues creation across all of your organization's repositories. Default: `true` Note: Also available as `bolt4scm.create.issues` prop.json property.	✅	❌	✅	21.7.1
WS_HOST_RULES_PRIVATE_KEY	The PGP private key is generated for the Private Registry support. Default: `null` Note: This variable cannot be used at the same time with WS_HOST_RULES_PRIVATE_KEY_FILE_PATH. Example of usage for the GitHub Enterprise	✅	✅	✅	21.9.1
WS_HOST_RULES_PRIVATE_KEY_FILE_PATH	The PGP private key is generated for the Private Registry support. Default: `null` Notes: This file should be mapped to the running containers. This variable cannot be used at the same time with WS_HOST_RULES_PRIVATE_KEY. Example of usage for the GitHub Enterprise	✅	✅	✅	21.9.1
WS_SAST_SCAN_PREFIX	If set to `SAST_`, the Scanner with this variable will only be used for the SAST scans. Default: `null`	✅	✅	❌
JAVA_OPTS	Optional. Used to provide JVM settings if required. Default: `null`	✅	✅	❌	23.6.1
LOG_FORMAT_JSON	Optional. Controls if the logs are saved and printed to STDOUT/console in JSON format. Default: `false`	✅	✅	❌	23.12.2
LOG_JSON_LEVEL	Optional. Controls the log level for the JSON logs. Requires `LOG_FORMAT_JSON` being set to `true`. Default: `DEBUG` Available values: `DEBUG` `INFO` `WARN` `ERROR`	✅	✅	❌	23.12.2

Controller

Environment Variables	Description	Supported since
WS_CONFIG_ACCOUNT_NAME	The account name that will hold the global whitesouce-config repository. Default: `"whitesource-config"`	21.6.3
WS_CONFIG_REPO_NAME	The repository name of the global configuration repository. Default: `"whitesource-config"`	21.6.3
WS_HTTPS_CERT_FILE_PATH	If using a certificate file - path to the certificate file. Default: `null`	21.6.3
WS_HTTPS_KEY_FILE_PATH	If using a certificate file - path to the private key file. Default: `null`	21.6.3
WS_KEYSTORE_FILE_PATH	If using a Java keystore - path to the keystore file. Default: `null`	21.6.3
WS_KEYSTORE_PASSWORD	If using a Java keystore - password for the keystore file. Default: `null`	21.6.3
WS_CREATE_CHECK_RUNS	The ability to globally enable/disable build statuses across all of your organization's repositories. Default: `true` Notes: It is strongly recommended not to set this value to false, since the diff functionality relies on the check run, and this is one of the important means to update on the status of a scan. With this feature disabled there is no way of knowing what's going on if a scan failed, succeeded, found vulnerabilities, etc. Also available as `bolt4scm.create.check.runs` prop.json property.	21.6.3
WS_REMEDIATE_WEBHOOK_URL	The destination of the Remediate network endpoint to intercept webhooks. Default: http://remediate-server:8080/webhook Notes: Must include the “/webhook” suffix. Also available as `webhook.remediate.url` prop.json property.	21.6.3
WS_CACHE_TYPE	Defines one of three available caching mechanisms: DEFAULT MEMORY: Memory caching REDIS: Local Redis caching (requires the set up of the Redis cluster and use of the WS_REDIS_HOST environmental variable) Default: `DEFAULT`	22.2.1
WS_REDIS_HOST	The host address (e.g., “localhost”). Mandatory if WS_CACHE_TYPE=REDIS Default: `null`	22.2.1
WS_REDIS_PORT	Optional. The Redis port on the host. Default: `6379`	22.2.1
WS_REDIS_PASSWORD	Password to the Redis cluster. Default: `null`	22.2.1
WS_REDIS_SSL_ENABLED	Set to true if the Redis Cluster works with the SSL protocol. Default: `false`	22.2.1
MEND_PRODUCT_MAPPING_PREFIX	Defines the prefix for `enableCustomProductMapping` in repo-cofig.json for custom product mapping. Default: `mendmap-`	22.7.2
MEND_ENTITY_CLEANUP_ENABLED	Optional. Controls the behavior of structural maintenance in the Mend UI. The available values are: `true`: If an integrated repository is deleted on the SCM platform, the Project(s) in the Mend UI that are associated to that repository are automatically deleted. If an integrated organization is deleted on the SCM platform, the Product in the Mend UI that is associated to that organization is automatically deleted. `false` (default): Disable the automatic structural maintenance. Note: Only supported in Mend for GitHub Enterprise.	23.11.1
MEND_ADVANCED_MERGE_CONFIDENCE_ENABLED	Optional. Controls whether Smart Merge Control can be enabled for Renovate. The available values are: `true`: Smart Merge Control will function as normal when enabled within the repo configuration `false` (default): Smart Merge Control will NOT function when enabled within the repo configuration See Boost your pull request confidence using Mend Renovate’s Smart Merge Control for more details. Note: For this feature to work, whitelisting http://developer.mend.io in your network is mandatory. This URL is used to fetch the Merge Control token.
W4D_BOLT_MANUAL_SCAN_MAX_REPOS	Optional. Controls the maximum number of scans allowed by the scan.json file. Default: `10` See Global Repo Configuration \| Manually Triggering Repository Scans for more details.
MEND_ENHANCED_CACHING	Enables advanced caching functionality for GitHub API usage. Default: `true` Notes: Only supported in Mend for GitHub Enterprise. Default value is `true` since version 23.7.2.	23.7.2
MEND_ENHANCED_CACHING_GLOBAL_SETTINGS	Enables advanced caching functionality for the API usage for retrieving the global configuration. Default: `true` Notes: Only supported in Mend for GitHub Enterprise. Default value is `true` since version 23.7.2. Requires MEND_ENHANCED_CACHING being set to `true`.	23.7.2
MEND_ENHANCED_CACHING_REPO	Enables advanced caching functionality for the API usage for retrieving the repo details. Default: `true` Notes: Only supported in Mend for GitHub Enterprise. Default value is `true` since version 23.12.2. Requires MEND_ENHANCED_CACHING being set to `true`.	23.9.2
MEND_ENHANCED_CACHING_LABELS	Enables advanced caching functionality for the API usage for retrieving the issues and PR labels. Default: `true` Notes: Only supported in Mend for GitHub Enterprise. Default value is `true` since version 23.12.2. Requires MEND_ENHANCED_CACHING being set to `true`.	23.9.2
MEND_ENHANCED_CACHING_ISSUES	Enables advanced caching functionality for the API usage for issues. Default: `true` Notes: Only supported in Mend for GitHub Enterprise. Default value is `true` since version 23.12.2. Requires MEND_ENHANCED_CACHING being set to `true`.	23.9.2
MEND_VALIDATE_SCM_RATE_LIMIT	Optional. Controls the rate limit validation. If enabled, an API call to GitHub’s rate_limit endpoint will be made before each scan. If the rate limit buffer (100 calls by default, can be configured with `MEND_RATE_LIMIT_REMAINING_BUFFER`) is reached, the controller will not handle any web hooks or issue sync queue messages and will retry these requests once a new rate limit window starts. Default: `false` Note: When the feature is enabled and the rate limit buffer is reached, the following entries will be visible in the controller log: `WARN Rate limit remaining is less than {remaining_rate_limit_buffer} for installationId: {gh_installation_id}, remaining: {remaining_api_calls}, limit: {installation_hourly_rate_limit}, used: {used_rate_limit`} `WARN Rate limit occurred - waiting at least {X} seconds before the next retry` In addition, on every web hook event, there will be a debug log entry with rate limit data: `DEBUG Rate limit remaining is: {remaining_api_calls} for installationId: {gh_installation_id}, limit: {installation_hourly_rate_limit}, used: {used_rate_limit}, resetAt: {datetime_in_which_the_rate_limit_will_reset`}	24.1.2
MEND_RATE_LIMIT_REMAINING_BUFFER	Optional. Defines the rate limit buffer used in `MEND_VALIDATE_SCM_RATE_LIMIT`. Default: `100`	24.1.2
MEND_CONTROLLER_API_SECRET	Optional. Should contain the same string as the Authorization header in the request to Scan Trigger API. Default: `null` Note: This variable is required for the Scan Trigger API functionality to work.	24.1.2
MEND_ENABLE_ONBOARDING_PR	Optional. Prevents “Onboarding PRs” creation with any used configuration. When set to `false`, Onboarding PRs are never created, even if global configuration enables them. Default: `true` Note: Only supported in Mend for GitHub Enterprise.	24.3.2
MEND_LOG_SCAN_RESULTS	Optional. Enables logging the whole data object of scan results. The size of the log entry varies based on the amount and type of vulnerabilities. On average, data about each vulnerability will be logged in 2000-5000 characters. Default: `false` Example: `Mend Alert received: [PRODUCT=mend-product;REPO=development;BRANCH=main;LIBRARY=uglify-js-1.1.1.tgz;PACKAGE=uglify-js;VERSION=1.1.1;TYPE=javascript/Node.js;VULNERABILITY=CVE-2015-8857;SCORE=9.8]` Notes: Only supported in Mend for GitHub Enterprise. The log entry starts with the string `getProjectAlertsByType response for project`.	24.3.2
MEND_SCAN_REMEDIATE_BRANCHES	Optional. Enables the ability to turn off Mend SCA scans on remediate/renovate branches. When set to `false`, all remediate branches will not trigger scans. Default: `true` Note: Only supported in Mend for GitHub Enterprise, Bitbucket Server and Data Center, and GitLab Server.	24.3.2

Scanner

Environment Variables	Description	Supported since
WS_UA_LOG_IN_CONSOLE	If set to `true` the UA logs will also be printed to the stdout, like the scanner logs. Default: `false` Notes: This property will be deprecated in the future. We advise switching to the `EXTERNAL_LOG_IN_CONSOLE` parameter at your earliest convenience. Depending on the number and size of scans, enabling this variable consistently may impact the performance and disk space of the scanner container. If you enable this variable for your scans, we recommend to monitor and clean up the log output on a regular basis.	21.7.2
WS_LOG_DIRECTORY	Configure the path to both the scanner and the UA log files. Using this property will also append a partial request token to the log filenames. Default: `null`	21.7.2
WS_GIT_CONNECTOR	Enable cloning project files through Git shell commands. To enable, set value to `true`. Default: `false` Note: By default, the Scanner uses JGit library for any Git-related operations.	21.9.1
MEND_PROXY_FOR_UA	If `proxy.for.all` in the `prop.json` is set to `true`, and this parameter is set to `false,` then proxy settings from `prop.json` will not be used for the Unified Agent. Can be used when there is a need to control proxy for the Unified Agent separately from other components: via Proxy Settings in `whitesource.config` configuration file. Default: `false`	22.9.1
MEND_UA_COMMAND_TIMEOUT	Specifies the timeout (in seconds) of the Unified Agent scan commands. Default: `900`	23.8.1
GITHUB_CONNECTOR_CONNECTION_TIMEOUT	Specifies the timeout (in milliseconds) for the initial connection to the Github API endpoint to retrieve the Github Installation Access Token. Can be set to `-1` to disable the timeout. Default: `40000`	22.11.3.2
GITHUB_CONNECTOR_READ_TIMEOUT	Specifies the timeout (in milliseconds) for the Github API to send Github Installation Access Token. Can be set to `-1` to disable the timeout. Default: `40000`	22.11.3.2
RETRY_ON_FAILED_CLONE	Specifies if the Scanner is going to preform retries when it fails to clone the repository. Default: `true`	23.3.2
EXTERNAL_LOG_IN_CONSOLE	If set to true, all SCM logs (including pre-step builder logs) will also be printed to `stdout`, like the scanner logs. Default: `null` Notes: This parameter replaces the `WS_UA_LOG_IN_CONSOLE`. Depending on the number and size of scans, enabling this variable consistently may impact the performance and disk space of the scanner container. If you enable this variable for your scans, we recommend monitoring and cleaning the log output on a regular basis.	23.10.2
MEND_SCA_FORCE_PRESTEP	Optional variable for PSB, which accepts a list of package manager names. For each package manager from the list, PSB will force run a pre-step according to the manifest file and ignore the lock file, if present. Default: `null` The package manager names should be separated by commas. Example: `"npm, pnpm, yarn, nuget-packages"`	23.11.3
SCM_SCANNER_REQUEST_TIMEOUT	Specifies the timeout (in minutes) for the entire scan (including cloning, running the PSB, UA, and the sending the update request). Default: `360` (6 hours)	21.2.2
SCM_SCANNER_WSS_SCAN_TIMEOUT	Specifies the timeout (in minutes) for running the Unified Agent. Default: `120` (2 hours)	20.2.2
BUILD_TOOL_TIMEOUT_MIN	Specifies the timeout (in minutes) for running the PSB (Pre-Scan Builder) tool. Default: `120` (2 hours)	23.5.2
RUNINSTALL_MATCH	Optional. Controls Dynamic Tool Installation Mechanism. Value: Comma-delimited strings/paths. Default: `null` The strings provided will be matched against the git remote for the repository, for example the remote might be like “https://github.com/someorg/somerepo.git” Runinstall will work only with git remotes matching one of these strings. Examples: “someorg/somerepo” - match the repo of this name “someorg/somerepo,someorg/otherrepo” - match two repos “someorg/” - match all repos in the organization Note: There are other environment variables for advanced use that were not defined in this table. To see them, please refer to the Dynamic Tool Installation Mechanism article.	24.3.2
RUNINSTALL_KEY_ID	Optional. AWS Key ID, set this in order to send Dynamic Tool Installation Mechanism logging to CloudWatch (akin to AWS_ACCESS_KEY_ID) Default: `null`	24.3.2
RUNINSTALL_ACCESS_KEY	Optional. AWS Secret Access Key, set this in order to send Dynamic Tool Installation Mechanism logging to CloudWatch (akin to AWS_SECRET_ACCESS_KEY) Default: `null`	24.3.2
MEND_SCA_LOCKS_VERIFICATION	Optional. Triggers the PSB to verify the correctness of the lock file with the manifest file. If a mismatch is found, the check-run will fail with a corresponding error. Default: `false` Supported Package Manager: npm - When `MEND_SCA_LOCKS_VERIFICATION=true` and a `package-lock.json` file is detected, the `npm ci` command is executed to ensure it matches the manifest file.	24.8.1
MEND_SCA_OVERRIDE_LOCK	Optional. Accepts a list of package manager names. For each package manager from the list, the PSB will prevent the check-run from failing if the lock file does not match the manifest file. Instead, a warning will be issued, and override the lock file when a pre-step is performed. Default: `null` The package manager names should be separated by commas. For example: `"npm, pnpm, yarn"` Note: This environment variable can only be used when `MEND_SCA_LOCKS_VERIFICATION` is set to `true`.	24.8.1

Remediate

Environment Variables	Description	Supported since
WS_REMEDIATE_SERVER_ONLY	Indicates whether a Remediate container is marked as a server. The Remediate server enqueues jobs for the Remediate workers. Note: There can be only 1 Remediate server.	21.7.1
WS_REMEDIATE_SERVER_URL	The URL of the Remediate server. This indicates that the Remediate container is a worker and pulls jobs from the Remediate server. Default: `null` Note: Ignored if WS_REMEDIATE_SERVER_ONLY is specified.	21.7.1
LOG_LEVEL=DEBUG	Enables DEBUG mode in Scanner, Controller, Remediate and Remediate-Worker logs. Note: set to `DEBUG`	23.2
WS_PROP_JSON_FILE_PATH	Path to the prop.json file. Default: `null`	21.7.1
WS_CONTROLLER_DESTINATION_URL	The URL of the Controller network endpoint. Default: `http://wss-ghe-app:5678` Note: Also available as `controller.url` prop.json property.	21.7.1
LOG_FORMAT	If set to `json` then Remediate will be configured to output JSON log messages. Default: `null`
GITHUB_COM_TOKEN	GitHub Personal Access Token to eliminate GitHub’s rate limit of unauthenticated API requests. For more details, see here. Default: `null`	21.3.1
SCHEDULER_CRON	Defines cron schedule for Renovate. This configuration option accepts a 5-part cron schedule and is optional. Default value: `0 * * * ` (i.e. once per hour exactly on the hour). Note:* If you are decreasing the interval then be careful that you do not exhaust the available hourly API rate limit or cause too much load.