
Environment Variables for Self-Hosted Integrations

Overview

This page provides advanced technical information about the environment variables used to configure the Mend Repo Integrations.

Environment Variables

Shared

Environment Variables

Description

Controller

Scanner

Remediate

Supported since

WS_ACTIVATION_KEY

Your generated activation key in the Mend application.

Default: null 

Notes:

  • The property should still exist in the prop.json file, but its value is disregarded.

  • Also available as bolt.op.activation.key prop.json property.

21.7.2

WS_CREATE_ISSUES

The ability to globally enable/disable Issues creation across all of your organization's repositories.

Default: true 

Note: Also available as bolt4scm.create.issues prop.json property.

21.7.1

WS_HOST_RULES_PRIVATE_KEY

The PGP private key generated for Private Registry support.

Default: null 

Note: This variable cannot be used at the same time as WS_HOST_RULES_PRIVATE_KEY_FILE_PATH.

Example of usage for the GitHub Enterprise

21.9.1

WS_HOST_RULES_PRIVATE_KEY_FILE_PATH

The PGP private key generated for Private Registry support.

Default: null 

Notes:

  • This file should be mapped to the running containers.

  • This variable cannot be used at the same time as WS_HOST_RULES_PRIVATE_KEY.

Example of usage for the GitHub Enterprise

21.9.1

WS_SAST_SCAN_PREFIX

If set to SAST_, the Scanner with this variable will only be used for the SAST scans.

Default: null 

 

JAVA_OPTS

Optional. Used to provide JVM settings if required.

Default: null 

23.6.1

LOG_FORMAT_JSON

Optional. Controls if the logs are saved and printed to STDOUT/console in JSON format.

Default: false

23.12.2

LOG_JSON_LEVEL

Optional. Controls the log level for the JSON logs. Requires LOG_FORMAT_JSON to be set to true.

Default: DEBUG

Available values:

  • DEBUG

  • INFO

  • WARN

  • ERROR

23.12.2

REMEDIATE_SERVER_SECRET

For Kubernetes Intracluster Authentication. Once set up, API calls that have an Authorization: Bearer $REMEDIATE_SERVER_SECRET header will be processed.

The REMEDIATE_SERVER_SECRET environment variable needs to be added to both the Controller and Remediate containers.

24.12.1

Controller

Environment Variables

Description

Supported since

WS_CONFIG_ACCOUNT_NAME

The account name that will hold the global whitesource-config repository.

Default: "whitesource-config"

21.6.3

WS_CONFIG_REPO_NAME

The repository name of the global configuration repository.

Default: "whitesource-config"

21.6.3

WS_HTTPS_CERT_FILE_PATH

If using a certificate file - path to the certificate file.

Default: null 

21.6.3

WS_HTTPS_KEY_FILE_PATH

If using a certificate file - path to the private key file.

Default: null 

21.6.3

WS_KEYSTORE_FILE_PATH

If using a Java keystore - path to the keystore file.

Default: null 

21.6.3

WS_KEYSTORE_PASSWORD

If using a Java keystore - password for the keystore file.

Default: null 

21.6.3

WS_CREATE_CHECK_RUNS

The ability to globally enable/disable build statuses across all of your organization's repositories.

Default: true 

Notes:

  • It is strongly recommended not to set this value to false, since the diff functionality relies on the check run, which is one of the important means of reporting the status of a scan. With this feature disabled, there is no way of knowing whether a scan failed, succeeded, found vulnerabilities, etc.

  • Also available as bolt4scm.create.check.runs prop.json property.

21.6.3

WS_REMEDIATE_WEBHOOK_URL

The destination of the Remediate network endpoint to intercept webhooks.

Default: http://remediate-server:8080/webhook

Notes:

  • Must include the “/webhook” suffix.

  • Also available as webhook.remediate.url prop.json property.

21.6.3

WS_CACHE_TYPE

Defines one of three available caching mechanisms:

  • DEFAULT

  • MEMORY: Memory caching

  • REDIS: Local Redis caching (requires setting up the Redis cluster and using the WS_REDIS_HOST environment variable)

Default: DEFAULT 

22.2.1

WS_REDIS_HOST

The host address (e.g., “localhost”).

Mandatory if WS_CACHE_TYPE=REDIS

Default: null

22.2.1

WS_REDIS_PORT

Optional. The Redis port on the host.

Default: 6379

22.2.1

WS_REDIS_PASSWORD

Password to the Redis cluster.

Default: null

22.2.1

WS_REDIS_SSL_ENABLED

Set to true if the Redis Cluster works with the SSL protocol.

Default: false

22.2.1

MEND_PRODUCT_MAPPING_PREFIX

Defines the prefix for enableCustomProductMapping in repo-config.json for custom product mapping.

Default: mendmap-

22.7.2

MEND_ENTITY_CLEANUP_ENABLED

Optional. Controls the behavior of structural maintenance in the Mend UI. The available values are:

  • true:

    • If an integrated repository is deleted on the SCM platform, the Project(s) in the Mend UI that are associated to that repository are automatically deleted.

    • If an integrated organization is deleted on the SCM platform, the Product in the Mend UI that is associated to that organization is automatically deleted.

  • false (default): Disable the automatic structural maintenance.

Note: Only supported in Mend for GitHub Enterprise.

23.11.1

MEND_ADVANCED_MERGE_CONFIDENCE_ENABLED

Optional. Controls whether Smart Merge Control can be enabled for Renovate.

The available values are:

  • true: Smart Merge Control will function as normal when enabled within the repo configuration

  • false (default): Smart Merge Control will NOT function when enabled within the repo configuration

See Boost your pull request confidence using Mend Renovate’s Smart Merge Control for more details.

Note: For this feature to work, whitelisting http://developer.mend.io in your network is mandatory. This URL is used to fetch the Merge Control token.

 

MEND_MC_SERVER_URL

Defines the endpoint used to retrieve Merge Confidence data by querying this API. Required when MEND_ADVANCED_MERGE_CONFIDENCE_ENABLED is set to true.

Default: https://developer.mend.io.

W4D_BOLT_MANUAL_SCAN_MAX_REPOS

Optional. Controls the maximum number of scans allowed by the scan.json file.

Default: 10

See Global Repo Configuration | Manually Triggering Repository Scans for more details.

 

MEND_ENHANCED_CACHING

Enables advanced caching functionality for GitHub API usage.

Default: true

Notes:

  • Only supported in Mend for GitHub Enterprise.

  • Default value is true since version 23.7.2.

23.7.2

MEND_ENHANCED_CACHING_GLOBAL_SETTINGS

Enables advanced caching functionality for the API usage for retrieving the global configuration.

Default: true

Notes:

  • Only supported in Mend for GitHub Enterprise.

  • Default value is true since version 23.7.2.

  • Requires MEND_ENHANCED_CACHING to be set to true.

23.7.2

MEND_ENHANCED_CACHING_REPO

Enables advanced caching functionality for the API usage for retrieving the repo details.

Default: true

Notes:

  • Only supported in Mend for GitHub Enterprise.

  • Default value is true since version 23.12.2.

  • Requires MEND_ENHANCED_CACHING to be set to true.

23.9.2

MEND_ENHANCED_CACHING_LABELS

Enables advanced caching functionality for the API usage for retrieving the issues and PR labels.

Default: true

Notes:

  • Only supported in Mend for GitHub Enterprise.

  • Default value is true since version 23.12.2.

  • Requires MEND_ENHANCED_CACHING to be set to true.

23.9.2

MEND_ENHANCED_CACHING_ISSUES

Enables advanced caching functionality for the API usage for issues.

Default: true

Notes:

  • Only supported in Mend for GitHub Enterprise.

  • Default value is true since version 23.12.2.

  • Requires MEND_ENHANCED_CACHING to be set to true.

23.9.2

MEND_VALIDATE_SCM_RATE_LIMIT

Optional. Controls the rate limit validation. If enabled, an API call to GitHub’s rate_limit endpoint will be made before each scan. If the rate limit buffer (100 calls by default, can be configured with MEND_RATE_LIMIT_REMAINING_BUFFER) is reached, the controller will not handle any web hooks or issue sync queue messages and will retry these requests once a new rate limit window starts.

Default: false

Note: When the feature is enabled and the rate limit buffer is reached, the following entries will be visible in the controller log:

WARN Rate limit remaining is less than {remaining_rate_limit_buffer} for installationId: {gh_installation_id}, remaining: {remaining_api_calls}, limit: {installation_hourly_rate_limit}, used: {used_rate_limit}

WARN Rate limit occurred - waiting at least {X} seconds before the next retry

In addition, on every web hook event, there will be a debug log entry with rate limit data:

DEBUG Rate limit remaining is: {remaining_api_calls} for installationId: {gh_installation_id}, limit: {installation_hourly_rate_limit}, used: {used_rate_limit}, resetAt: {datetime_in_which_the_rate_limit_will_reset}

24.1.2

MEND_RATE_LIMIT_REMAINING_BUFFER

Optional. Defines the rate limit buffer used in MEND_VALIDATE_SCM_RATE_LIMIT.

Default: 100

24.1.2

MEND_CONTROLLER_API_SECRET

Optional. Should contain the same string as the Authorization header in the request to Scan Trigger API.

Default: null

Note: This variable is required for the Scan Trigger API functionality to work.

24.1.2

MEND_ENABLE_ONBOARDING_PR

Optional. Allows “Onboarding PRs” creation to be prevented regardless of the configuration in use.

When set to false, Onboarding PRs are never created, even if global configuration enables them.

Default: true

Note: Only supported in Mend for GitHub Enterprise.

24.3.2

MEND_LOG_SCAN_RESULTS

Optional. Enables logging the whole data object of scan results.
The size of the log entry varies based on the amount and type of vulnerabilities. On average, data about each vulnerability will be logged in 2000-5000 characters.

Default: false

Example: Mend Alert received: [PRODUCT=mend-product;REPO=development;BRANCH=main;LIBRARY=uglify-js-1.1.1.tgz;PACKAGE=uglify-js;VERSION=1.1.1;TYPE=javascript/Node.js;VULNERABILITY=CVE-2015-8857;SCORE=9.8]

Notes:

  • Only supported in Mend for GitHub Enterprise.

  • The log entry starts with the string getProjectAlertsByType response for project.

24.3.2

MEND_SCAN_REMEDIATE_BRANCHES

Optional. Enables the ability to turn off Mend SCA scans on remediate/renovate branches. When set to false, all remediate branches will not trigger scans.

Default: true

Note: Only supported in Mend for GitHub Enterprise, Bitbucket Server and Data Center, and GitLab Server.

24.3.2

MEND_HTTPS_SNI_HOST_CHECK_ENABLED

  • Default: true

  • Setting it to false will disable SNI host validation.

24.12.1

MEND_REACHABILITY_ZERO_DAY_ENABLED

Optional. Default: true
If enabled, whenever the Mend database is updated with a new security vulnerability in a dependency that is included in any of the user’s repositories, a new scan will be triggered (“zero day” scan) to check whether that new vulnerability is reachable in the relevant repositories.

Note: Only supported in Mend for GitHub Enterprise.

24.3.2

MEND_REACHABILITY_ZERO_DAY_MIN_SCORE

Optional. Default: 9.0
This parameter defines the minimum CVSS score of a security vulnerability that would trigger a “zero day” scan if the affected dependency is part of the user’s code base.

Note: Only supported in Mend for GitHub Enterprise.

24.3.2
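The rate-limit log entries described under MEND_VALIDATE_SCM_RATE_LIMIT mark periods in which the controller is not handling webhooks, so scans are delayed. The following added example (not Mend's code) summarizes those entries per installation; the log lines are constructed from the templates above, and the timestamp prefix and resetAt format are assumptions.

```python
import re

# Patterns follow the message templates on this page. search() tolerates any
# timestamp or logger prefix (the prefix layout is an assumption).
BUFFER_HIT = re.compile(r"WARN Rate limit remaining is less than (?P<buffer>\d+) for "
                        r"installationId: (?P<inst>\d+), remaining: (?P<remaining>\d+), "
                        r"limit: (?P<limit>\d+), used: (?P<used>\d+)")
WAITING = re.compile(r"WARN Rate limit occurred - waiting at least (?P<secs>\d+) seconds")
SNAPSHOT = re.compile(r"DEBUG Rate limit remaining is: (?P<remaining>\d+) for "
                      r"installationId: (?P<inst>\d+), limit: (?P<limit>\d+), used: (?P<used>\d+)")

# Constructed sample log, not captured from a real controller.
SAMPLE_LOG = """\
2024-02-01 10:00:01 DEBUG Rate limit remaining is: 4200 for installationId: 11, limit: 5000, used: 800, resetAt: 2024-02-01T11:00:00Z
2024-02-01 10:19:58 DEBUG Rate limit remaining is: 150 for installationId: 22, limit: 5000, used: 4850, resetAt: 2024-02-01T11:00:00Z
2024-02-01 10:20:00 WARN Rate limit remaining is less than 100 for installationId: 22, remaining: 60, limit: 5000, used: 4940
2024-02-01 10:20:00 WARN Rate limit occurred - waiting at least 2400 seconds before the next retry
2024-02-01 10:20:10 WARN Rate limit remaining is less than 100 for installationId: 22, remaining: 60, limit: 5000, used: 4940
2024-02-01 10:20:10 WARN Rate limit occurred - waiting at least 2390 seconds before the next retry
"""


def summarize_rate_limit(log_text):
    """Return (per-installation stats, total announced wait in seconds)."""
    installs, wait_seconds = {}, 0
    for line in log_text.splitlines():
        wait = WAITING.search(line)
        if wait:
            wait_seconds += int(wait["secs"])
            continue
        hit = BUFFER_HIT.search(line)
        m = hit or SNAPSHOT.search(line)
        if not m:
            continue  # unrelated log line
        stats = installs.setdefault(m["inst"], {"buffer_hits": 0, "min_remaining": None})
        remaining = int(m["remaining"])
        if stats["min_remaining"] is None or remaining < stats["min_remaining"]:
            stats["min_remaining"] = remaining
        if hit:
            stats["buffer_hits"] += 1  # controller paused webhook handling here
    return installs, wait_seconds


if __name__ == "__main__":
    per_install, waited = summarize_rate_limit(SAMPLE_LOG)
    for inst, stats in sorted(per_install.items()):
        print(inst, stats)
    print("announced wait (s):", waited)
```
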

Scanner

Environment Variables

Description

Supported since

WS_UA_LOG_IN_CONSOLE

If set to true, the UA logs will also be printed to stdout, like the scanner logs.

Default: false

Notes:

  • This property will be deprecated in the future. We advise switching to the EXTERNAL_LOG_IN_CONSOLE parameter at your earliest convenience.

  • Depending on the number and size of scans, enabling this variable consistently may impact the performance and disk space of the scanner container.

  • If you enable this variable for your scans, we recommend monitoring and cleaning up the log output on a regular basis.

21.7.2

WS_LOG_DIRECTORY 

Configure the path to both the scanner and the UA log files. Using this property will also append a partial request token to the log filenames.

Default: null

21.7.2

WS_GIT_CONNECTOR

Enable cloning project files through Git shell commands.

To enable, set value to true.

Default: false 

Note: By default, the Scanner uses JGit library for any Git-related operations.

21.9.1

MEND_PROXY_FOR_UA

If proxy.for.all in the prop.json is set to true, and this parameter is set to false, then proxy settings from prop.json will not be used for the Unified Agent.

Can be used when there is a need to control proxy for the Unified Agent separately from other components: via Proxy Settings in whitesource.config configuration file.

Default: false

22.9.1

MEND_UA_COMMAND_TIMEOUT

Specifies the timeout (in seconds) of the Unified Agent scan commands.

Default: 900

23.8.1

GITHUB_CONNECTOR_CONNECTION_TIMEOUT

Specifies the timeout (in milliseconds) for the initial connection to the GitHub API endpoint to retrieve the GitHub Installation Access Token.

Can be set to -1 to disable the timeout.

Default: 40000

22.11.3.2

GITHUB_CONNECTOR_READ_TIMEOUT

Specifies the timeout (in milliseconds) for the GitHub API to send the GitHub Installation Access Token.

Can be set to -1 to disable the timeout.

Default: 40000

22.11.3.2

RETRY_ON_FAILED_CLONE

Specifies whether the Scanner is going to perform retries when it fails to clone the repository.

Default: true

23.3.2

EXTERNAL_LOG_IN_CONSOLE

If set to true, all SCM logs (including pre-step builder logs) will also be printed to stdout, like the scanner logs.

Default: null

Notes:

  • This parameter replaces the WS_UA_LOG_IN_CONSOLE.

  • Depending on the number and size of scans, enabling this variable consistently may impact the performance and disk space of the scanner container.

  • If you enable this variable for your scans, we recommend monitoring and cleaning the log output on a regular basis.

23.10.2

MEND_SCA_FORCE_PRESTEP

Optional variable for PSB, which accepts a list of package manager names. For each package manager from the list, PSB will force run a pre-step according to the manifest file and ignore the lock file, if present.

Default: null

The package manager names should be separated by commas. Example:

"npm, pnpm, yarn, nuget-packages"

23.11.3

SCM_SCANNER_REQUEST_TIMEOUT

Specifies the timeout (in minutes) for the entire scan (including cloning, running the PSB and UA, and sending the update request).

Default: 360 (6 hours)

21.2.2

SCM_SCANNER_WSS_SCAN_TIMEOUT

Specifies the timeout (in minutes) for running the Unified Agent.

Default: 120 (2 hours)

20.2.2

SCM_SAST_TIMEOUT

Specifies the timeout (in minutes) for running a SAST scan.

Default: 240 (4 hours)

22.5.2

BUILD_TOOL_TIMEOUT_MIN

Specifies the timeout (in minutes) for running the PSB (Pre-Scan Builder) tool.

Default: 120 (2 hours)

23.5.2

RUNINSTALL_MATCH

Optional. Controls the Dynamic Tool Installation Mechanism.

Value: Comma-delimited strings/paths. 

Default: null

The strings provided will be matched against the git remote for the repository, for example the remote might be like “https://github.com/someorg/somerepo.git”

Runinstall will work only with git remotes matching one of these strings. Examples:

  • “someorg/somerepo” - match the repo of this name

  • “someorg/somerepo,someorg/otherrepo” - match two repos

  • “someorg/” - match all repos in the organization

Note: There are other environment variables for advanced use that were not defined in this table. To see them, please refer to the Dynamic Tool Installation Mechanism article.

24.3.2

RUNINSTALL_KEY_ID

Optional. AWS Key ID. Set this in order to send Dynamic Tool Installation Mechanism logging to CloudWatch (akin to AWS_ACCESS_KEY_ID).

Default: null

24.3.2

RUNINSTALL_ACCESS_KEY

Optional. AWS Secret Access Key. Set this in order to send Dynamic Tool Installation Mechanism logging to CloudWatch (akin to AWS_SECRET_ACCESS_KEY).

Default: null

24.3.2

MEND_SCA_LOCKS_VERIFICATION

Optional. Triggers the PSB to verify the correctness of the lock file with the manifest file. If a mismatch is found, the check-run will fail with a corresponding error.

Default: false

Supported Package Manager:

  • npm - When MEND_SCA_LOCKS_VERIFICATION=true and a package-lock.json file is detected, the npm ci command is executed to ensure it matches the manifest file.

24.8.1

MEND_SCA_OVERRIDE_LOCK

Optional. Accepts a list of package manager names. For each package manager from the list, the PSB will prevent the check-run from failing if the lock file does not match the manifest file. Instead, a warning will be issued, and the lock file will be overridden when a pre-step is performed.

Default: null

The package manager names should be separated by commas. For example:

"npm, pnpm, yarn"

Note: This environment variable can only be used when MEND_SCA_LOCKS_VERIFICATION is set to true.

24.8.1

Remediate

Environment Variables

Description

Supported since

RENOVATE_MERGE_CONFIDENCE_ENDPOINT

Defines the endpoint used to retrieve Merge Confidence data by querying this API.

Required when MEND_ADVANCED_MERGE_CONFIDENCE_ENABLED is set to true.

The value should be identical to the value of MEND_MC_SERVER_URL (Default: https://developer.mend.io)

WS_REMEDIATE_SERVER_ONLY

Indicates whether a Remediate container is marked as a server. The Remediate server enqueues jobs for the Remediate workers.

Note: There can be only 1 Remediate server.

21.7.1

WS_REMEDIATE_SERVER_URL

The URL of the Remediate server. This indicates that the Remediate container is a worker and pulls jobs from the Remediate server.

Default: null

Note: Ignored if WS_REMEDIATE_SERVER_ONLY is specified.

21.7.1

LOG_LEVEL=DEBUG

Enables DEBUG mode in Scanner, Controller, Remediate and Remediate-Worker logs.

Note: set to DEBUG

23.2

WS_PROP_JSON_FILE_PATH

Path to the prop.json file.

Default: null

21.7.1

WS_CONTROLLER_DESTINATION_URL

The URL of the Controller network endpoint.

Default: http://wss-ghe-app:5678

Note: Also available as controller.url prop.json property.

21.7.1

LOG_FORMAT

If set to json then Remediate will be configured to output JSON log messages.

Default: null

 

GITHUB_COM_TOKEN

GitHub Personal Access Token to eliminate GitHub’s rate limit of unauthenticated API requests. For more details, see here.

Default: null

21.3.1

SCHEDULER_CRON

Defines cron schedule for Renovate.

This configuration option accepts a 5-part cron schedule and is optional. Default value: 0 * * * * (i.e. once per hour exactly on the hour).

Note: If you are decreasing the interval then be careful that you do not exhaust the available hourly API rate limit or cause too much load.

 

MEND_REMEDIATE_WORKER_CLEANUP

Optional. Defines how often to perform file cleanup on Worker containers. Default value: "off".

Values:

  • off - no cleanup is performed

  • always - cleanup is done after every job completion.

  • (cron schedule) - all other values will be treated as a cron time. If it is invalid, the service will shut down. Otherwise, a cron scheduler will run at the specified intervals.
    e.g. MEND_REMEDIATE_WORKER_CLEANUP="0 0 * * *" will perform cleanup daily at midnight.

24.11.1

MEND_REMEDIATE_WORKER_CLEANUP_DIRS

Optional. Comma-separated list of directories to clean during Worker cleanup.
By default, all files within these folders that were created after the worker booted will be removed:

/opt/containerbase
/tmp/renovate/cache
/tmp/renovate/repos
/home/ubuntu

Note: Setting this variable will replace the default list of directories. To add a directory to the existing default list, you must include all the default folders in the new value.

24.11.1
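Several variables in these tables depend on one another (mutually exclusive keys, settings that require another flag, values that must match across containers). The following added example, which is not Mend's code, lints the environments of the three containers against those stated rules before deployment; the per-container dicts, the function names and the sample values are assumptions of this example.

```python
# Added example: lints three containers' environments against rules stated on this page.
MC_DEFAULT = "https://developer.mend.io"  # documented default of MEND_MC_SERVER_URL
WEBHOOK_DEFAULT = "http://remediate-server:8080/webhook"
CACHE_FLAGS = ("MEND_ENHANCED_CACHING_GLOBAL_SETTINGS", "MEND_ENHANCED_CACHING_REPO",
               "MEND_ENHANCED_CACHING_LABELS", "MEND_ENHANCED_CACHING_ISSUES")

# Constructed sample environments (not taken from a real deployment).
SAMPLE_CONTROLLER = {
    "WS_CACHE_TYPE": "REDIS",                                    # WS_REDIS_HOST missing
    "WS_REMEDIATE_WEBHOOK_URL": "http://remediate-server:8080",  # suffix missing
    "MEND_ENHANCED_CACHING": "false",
    "MEND_ENHANCED_CACHING_REPO": "true",
    "MEND_ADVANCED_MERGE_CONFIDENCE_ENABLED": "true",
    "REMEDIATE_SERVER_SECRET": "constructed-placeholder",
}
SAMPLE_SCANNER = {"MEND_SCA_OVERRIDE_LOCK": "npm, yarn"}
SAMPLE_REMEDIATE = {"LOG_JSON_LEVEL": "INFO"}


def is_true(env, name, default):
    """Read a boolean variable, falling back to the documented default."""
    return env.get(name, default).strip().lower() == "true"


def lint_deployment(controller, scanner, remediate):
    """Return 'container: message' findings for the given environments."""
    out = []
    for who, env in (("controller", controller), ("scanner", scanner), ("remediate", remediate)):
        if env.get("WS_HOST_RULES_PRIVATE_KEY") and env.get("WS_HOST_RULES_PRIVATE_KEY_FILE_PATH"):
            out.append(f"{who}: set only one of WS_HOST_RULES_PRIVATE_KEY[_FILE_PATH]")
        if "LOG_JSON_LEVEL" in env and not is_true(env, "LOG_FORMAT_JSON", "false"):
            out.append(f"{who}: LOG_JSON_LEVEL requires LOG_FORMAT_JSON=true")
    c = controller
    if c.get("WS_CACHE_TYPE", "DEFAULT") == "REDIS" and not c.get("WS_REDIS_HOST"):
        out.append("controller: WS_CACHE_TYPE=REDIS requires WS_REDIS_HOST")
    if not c.get("WS_REMEDIATE_WEBHOOK_URL", WEBHOOK_DEFAULT).endswith("/webhook"):
        out.append("controller: WS_REMEDIATE_WEBHOOK_URL must end with /webhook")
    if not is_true(c, "MEND_ENHANCED_CACHING", "true"):
        out += [f"controller: {f} requires MEND_ENHANCED_CACHING=true"
                for f in CACHE_FLAGS if f in c and is_true(c, f, "true")]
    if not is_true(c, "MEND_HTTPS_SNI_HOST_CHECK_ENABLED", "true"):
        out.append("controller: SNI host validation is disabled")
    if is_true(c, "MEND_ADVANCED_MERGE_CONFIDENCE_ENABLED", "false"):
        if remediate.get("RENOVATE_MERGE_CONFIDENCE_ENDPOINT") != c.get("MEND_MC_SERVER_URL", MC_DEFAULT):
            out.append("remediate: RENOVATE_MERGE_CONFIDENCE_ENDPOINT must equal MEND_MC_SERVER_URL")
    if "MEND_SCA_OVERRIDE_LOCK" in scanner and not is_true(scanner, "MEND_SCA_LOCKS_VERIFICATION", "false"):
        out.append("scanner: MEND_SCA_OVERRIDE_LOCK requires MEND_SCA_LOCKS_VERIFICATION=true")
    # The page requires the secret on both containers; equal values is this example's assumption.
    secrets = (c.get("REMEDIATE_SERVER_SECRET"), remediate.get("REMEDIATE_SERVER_SECRET"))
    if any(secrets) and secrets[0] != secrets[1]:
        out.append("controller+remediate: REMEDIATE_SERVER_SECRET must be set on both")
    return out


if __name__ == "__main__":
    for finding in lint_deployment(SAMPLE_CONTROLLER, SAMPLE_SCANNER, SAMPLE_REMEDIATE):
        print(finding)
```
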
