Environment Variables for Self-Hosted Integrations
Overview
This page provides advanced technical information about the environment variables used to configure the Mend Repo Integrations.
Environment Variables
Shared
Environment Variables | Description | Controller | Scanner | Remediate | Supported since |
---|---|---|---|---|---|
WS_ACTIVATION_KEY | Your generated activation key in the Mend application. Default: Notes: | ✅ | ✅ | ✅ | 21.7.2 |
WS_CREATE_ISSUES | The ability to globally enable/disable Issues creation across all of your organization's repositories. Default: Note: Also available as | ✅ | ❌ | ✅ | 21.7.1 |
WS_HOST_RULES_PRIVATE_KEY | The PGP private key generated for Private Registry support. Default: Note: This variable cannot be used at the same time as WS_HOST_RULES_PRIVATE_KEY_FILE_PATH. | ✅ | ✅ | ✅ | 21.9.1 |
WS_HOST_RULES_PRIVATE_KEY_FILE_PATH | The PGP private key generated for Private Registry support. Default: Notes: | ✅ | ✅ | ✅ | 21.9.1 |
WS_SAST_SCAN_PREFIX | If set to Default: | ✅ | ✅ | ❌ | |
JAVA_OPTS | Optional. Used to provide JVM settings if required. Default: | ✅ | ✅ | ❌ | 23.6.1 |
LOG_FORMAT_JSON | Optional. Controls if the logs are saved and printed to STDOUT/console in JSON format. Default: | ✅ | ✅ | ❌ | 23.12.2 |
LOG_JSON_LEVEL | Optional. Controls the log level for the JSON logs. Requires Default: Available values: | ✅ | ✅ | ❌ | 23.12.2 |
REMEDIATE_SERVER_SECRET | For Kubernetes Intracluster Authentication. Once set up, API calls that have an The | ✅ | ❌ | ✅ | 24.12.1 |
Controller
Environment Variables | Description | Supported since |
---|---|---|
WS_CONFIG_ACCOUNT_NAME | The account name that will hold the global whitesource-config repository. Default: Note: For GitLab.com self-managed instances: | 21.6.3 |
WS_CONFIG_REPO_NAME | The repository name of the global configuration repository. Default: | 21.6.3 |
WS_HTTPS_CERT_FILE_PATH | If using a certificate file - path to the certificate file. Default: | 21.6.3 |
WS_HTTPS_KEY_FILE_PATH | If using a certificate file - path to the private key file. Default: | 21.6.3 |
WS_KEYSTORE_FILE_PATH | If using a Java keystore - path to the keystore file. Default: | 21.6.3 |
WS_KEYSTORE_PASSWORD | If using a Java keystore - password for the keystore file. Default: | 21.6.3 |
WS_CREATE_CHECK_RUNS | The ability to globally enable/disable build statuses across all of your organization's repositories. Default: Notes: | 21.6.3 |
WS_REMEDIATE_WEBHOOK_URL | The destination of the Remediate network endpoint to intercept webhooks. Default: http://remediate-server:8080/webhook Notes: | 21.6.3 |
WS_CACHE_TYPE | Defines one of three available caching mechanisms: Default: | 22.2.1 |
WS_REDIS_HOST | The host address (e.g., “localhost”). Mandatory if WS_CACHE_TYPE=REDIS Default: | 22.2.1 |
WS_REDIS_PORT | Optional. The Redis port on the host. Default: | 22.2.1 |
WS_REDIS_PASSWORD | Password to the Redis cluster. Default: | 22.2.1 |
WS_REDIS_SSL_ENABLED | Set to true if the Redis Cluster works with the SSL protocol. Default: | 22.2.1 |
MEND_PRODUCT_MAPPING_PREFIX | Defines the prefix for Default: | 22.7.2 |
MEND_ENTITY_CLEANUP_ENABLED | Optional. Controls the behavior of structural maintenance in the Mend UI. The available values are: Note: Only supported in Mend for GitHub Enterprise. | 23.11.1 |
MEND_ADVANCED_MERGE_CONFIDENCE_ENABLED | Optional. Controls whether Smart Merge Control can be enabled for Renovate. The available values are: See Boost your pull request confidence using Mend Renovate’s Smart Merge Control for more details. Note: For this feature to work, whitelisting http://developer.mend.io in your network is mandatory. This URL is used to fetch the Merge Control token. | |
MEND_MC_SERVER_URL | Defines the endpoint used to retrieve Merge Confidence data by querying this API. Required when Default: https://developer.mend.io. | |
W4D_BOLT_MANUAL_SCAN_MAX_REPOS | Optional. Controls the maximum number of scans allowed by the scan.json file. Default: See Global Repo Configuration | Manually Triggering Repository Scans for more details. | |
MEND_ENHANCED_CACHING | Enables advanced caching functionality for GitHub API usage. Default: Notes: | 23.7.2 |
MEND_ENHANCED_CACHING_GLOBAL_SETTINGS | Enables advanced caching functionality for the API usage for retrieving the global configuration. Default: Notes: | 23.7.2 |
MEND_ENHANCED_CACHING_REPO | Enables advanced caching functionality for the API usage for retrieving the repo details. Default: Notes: | 23.9.2 |
MEND_ENHANCED_CACHING_LABELS | Enables advanced caching functionality for the API usage for retrieving the issues and PR labels. Default: Notes: | 23.9.2 |
MEND_ENHANCED_CACHING_ISSUES | Enables advanced caching functionality for the API usage for issues. Default: Notes: | 23.9.2 |
MEND_VALIDATE_SCM_RATE_LIMIT | Optional. Controls the rate limit validation. If enabled, an API call to GitHub’s rate_limit endpoint will be made before each scan. If the rate limit buffer (100 calls by default, can be configured with Default: Note: When the feature is enabled and the rate limit buffer is reached, the following entries will be visible in the controller log: In addition, on every webhook event, there will be a debug log entry with rate limit data: | 24.1.2 |
MEND_RATE_LIMIT_REMAINING_BUFFER | Optional. Defines the rate limit buffer used in Default: | 24.1.2 |
MEND_CONTROLLER_API_SECRET | Optional. Should contain the same string as the Authorization header in the request to Scan Trigger API. Default: Note: This variable is required for the Scan Trigger API functionality to work. | 24.1.2 |
MEND_ENABLE_ONBOARDING_PR | Optional. Prevents “Onboarding PRs” creation with any used configuration. When set to Default: Note: Only supported in Mend for GitHub Enterprise. | 24.3.2 |
MEND_LOG_SCAN_RESULTS | Optional. Enables logging the whole data object of scan results. Default: Example: Notes: | 24.3.2 |
MEND_SCAN_REMEDIATE_BRANCHES | Optional. Enables the ability to turn off Mend SCA scans on remediate/renovate branches. When set to Default: Note: Only supported in Mend for GitHub Enterprise, Bitbucket Server and Data Center, and GitLab Server. | 24.3.2 |
MEND_HTTPS_SNI_HOST_CHECK_ENABLED | | 24.12.1 |
MEND_REACHABILITY_ZERO_DAY_ENABLED | Optional. Default: Note: Only supported in Mend for GitHub Enterprise. | 24.3.2 |
MEND_REACHABILITY_ZERO_DAY_MIN_SCORE | Optional. Default: Note: Only supported in Mend for GitHub Enterprise. | 24.3.2 |
Scanner
Environment Variables | Description | Supported since |
---|---|---|
WS_UA_LOG_IN_CONSOLE | If set to Default: Notes: | 21.7.2 |
WS_LOG_DIRECTORY | Configure the path to both the scanner and the UA log files. Using this property will also append a partial request token to the log filenames. Default: | 21.7.2 |
WS_GIT_CONNECTOR | Enable cloning project files through Git shell commands. To enable, set value to Default: Note: By default, the Scanner uses JGit library for any Git-related operations. | 21.9.1 |
MEND_PROXY_FOR_UA | If Can be used when there is a need to control proxy for the Unified Agent separately from other components: via Proxy Settings in Default: | 22.9.1 |
MEND_UA_COMMAND_TIMEOUT | Specifies the timeout (in seconds) of the Unified Agent scan commands. Default: | 23.8.1 |
GITHUB_CONNECTOR_CONNECTION_TIMEOUT | Specifies the timeout (in milliseconds) for the initial connection to the GitHub API endpoint to retrieve the GitHub Installation Access Token. Can be set to Default: | 22.11.3.2 |
GITHUB_CONNECTOR_READ_TIMEOUT | Specifies the timeout (in milliseconds) for the GitHub API to send the GitHub Installation Access Token. Can be set to Default: | 22.11.3.2 |
RETRY_ON_FAILED_CLONE | Specifies whether the Scanner performs retries when it fails to clone the repository. Default: | 23.3.2 |
EXTERNAL_LOG_IN_CONSOLE | If set to true, all SCM logs (including pre-step builder logs) will also be printed to Default: Notes: | 23.10.2 |
MEND_SCA_FORCE_PRESTEP | Optional variable for PSB, which accepts a list of package manager names. For each package manager from the list, PSB will force run a pre-step according to the manifest file and ignore the lock file, if present. Default: The package manager names should be separated by commas. Example: | 23.11.3 |
SCM_SCANNER_REQUEST_TIMEOUT | Specifies the timeout (in minutes) for the entire scan (including cloning, running the PSB and the UA, and sending the update request). Default: | 21.2.2 |
SCM_SCANNER_WSS_SCAN_TIMEOUT | Specifies the timeout (in minutes) for running the Unified Agent. Default: | 20.2.2 |
SCM_SAST_TIMEOUT | Specifies the timeout (in minutes) for running a SAST scan. Default: | 22.5.2 |
BUILD_TOOL_TIMEOUT_MIN | Specifies the timeout (in minutes) for running the PSB (Pre-Scan Builder) tool. Default: | 23.5.2 |
RUNINSTALL_MATCH | Optional. Controls Dynamic Tool Installation Mechanism. Value: Comma-delimited strings/paths. Default: The strings provided will be matched against the git remote for the repository; for example, the remote might be “https://github.com/someorg/somerepo.git”. Runinstall will work only with git remotes matching one of these strings. Examples: Note: There are other environment variables for advanced use that were not defined in this table. To see them, please refer to the Dynamic Tool Installation Mechanism article. | 24.3.2 |
RUNINSTALL_KEY_ID | Optional. AWS Key ID, set this in order to send Dynamic Tool Installation Mechanism logging to CloudWatch (akin to AWS_ACCESS_KEY_ID) Default: | 24.3.2 |
RUNINSTALL_ACCESS_KEY | Optional. AWS Secret Access Key, set this in order to send Dynamic Tool Installation Mechanism logging to CloudWatch (akin to AWS_SECRET_ACCESS_KEY) Default: | 24.3.2 |
MEND_SCA_LOCKS_VERIFICATION | Optional. Triggers the PSB to verify the correctness of the lock file with the manifest file. If a mismatch is found, the check-run will fail with a corresponding error. Default: Supported Package Manager: | 24.8.1 |
MEND_SCA_OVERRIDE_LOCK | Optional. Accepts a list of package manager names. For each package manager from the list, the PSB will prevent the check-run from failing if the lock file does not match the manifest file. Instead, a warning will be issued, and the lock file will be overridden when a pre-step is performed. Default: The package manager names should be separated by commas. For example: Note: This environment variable can only be used when | 24.8.1 |
MEND_SCA_ORCHESTRATOR_ENABLED | Optional. The default is ‘false’. Change to ‘true’ in conjunction with MEND_AI_ENABLE_CODE_CAPABILITIES to enable Mend AI, to automatically scan your private AI codebases for risk, model usage, or governance violations, as part of the SCA scan. Results are only visible in the Mend AppSec Platform UI. Note: | 25.4.3 |
MEND_AI_ENABLE_CODE_CAPABILITIES | Optional. The default is ‘false’. Change to ‘true’ in conjunction with MEND_SCA_ORCHESTRATOR_ENABLED to enable Mend AI, to automatically scan your private AI codebases for risk, model usage, or governance violations, as part of the SCA scan. Results are only visible in the Mend AppSec Platform UI. Note: | 25.4.3 |
Remediate
Environment Variables | Description | Supported since |
---|---|---|
RENOVATE_MERGE_CONFIDENCE_ENDPOINT | Defines the endpoint used to retrieve Merge Confidence data by querying this API. Required when The value should be identical to the value of | |
WS_REMEDIATE_SERVER_ONLY | Indicates whether a Remediate container is marked as a server. The Remediate server enqueues jobs for the Remediate workers. Note: There can be only 1 Remediate server. | 21.7.1 |
WS_REMEDIATE_SERVER_URL | The URL of the Remediate server. This indicates that the Remediate container is a worker and pulls jobs from the Remediate server. Default: Note: Ignored if WS_REMEDIATE_SERVER_ONLY is specified. | 21.7.1 |
LOG_LEVEL=DEBUG | Enables DEBUG mode in Scanner, Controller, Remediate and Remediate-Worker logs. Note: set to | 23.2 |
WS_PROP_JSON_FILE_PATH | Path to the prop.json file. Default: | 21.7.1 |
WS_CONTROLLER_DESTINATION_URL | The URL of the Controller network endpoint. Default: Note: Also available as | 21.7.1 |
LOG_FORMAT | If set to Default: | |
GITHUB_COM_TOKEN | GitHub Personal Access Token to eliminate GitHub’s rate limit of unauthenticated API requests. For more details, see here. Default: | 21.3.1 |
SCHEDULER_CRON | Defines the cron schedule for Renovate. This configuration option accepts a 5-part cron schedule and is optional. Default value: Note: If you decrease the interval, be careful not to exhaust the available hourly API rate limit or cause too much load. | |
MEND_REMEDIATE_WORKER_CLEANUP | Optional. Defines how often to perform file cleanup on Worker containers. Default value: "off". Values: | 24.11.1 |
MEND_REMEDIATE_WORKER_CLEANUP_DIRS | Optional. Comma-separated list of directories to clean during Worker cleanup. Note: Setting this variable will replace the default list of directories. To add a directory to the existing default list, you must include all the default folders in the new value. | 24.11.1 |
CHECK_REDIS_ON_STARTUP | Optional. Performs a Redis connection check on startup. It will fail to start if it cannot establish a connection to Redis. Any value assigned to this variable will enable the feature. | 24.7.1 |
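
Several rows in the tables above state constraints between variables (mutually exclusive settings, a value that is ignored, a flag that any value enables). The following pre-deployment check is an added example, not Mend's own tooling; the function names, the sample file contents and the case-insensitive comparison against "true" are assumptions made for the illustration.

```python
# Added example: lint an env file against constraints stated in the tables above.
# Assumption: boolean variables are compared case-insensitively against "true".

SAMPLE = """\
# constructed sample values, not a real deployment
WS_HOST_RULES_PRIVATE_KEY_FILE_PATH=/etc/mend/pgp-private.key
WS_CACHE_TYPE=REDIS
CHECK_REDIS_ON_STARTUP=false
MEND_SCA_ORCHESTRATOR_ENABLED=true
SCHEDULER_CRON=*/30 * * * * *
"""

def parse_env(text):
    """Parse KEY=VALUE lines; skip blank lines and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def lint_env(env):
    """Return findings for settings that conflict or are silently ignored."""
    out = []
    is_set = lambda name: env.get(name, "") != ""
    is_true = lambda name: env.get(name, "").lower() == "true"
    if is_set("WS_HOST_RULES_PRIVATE_KEY") and is_set("WS_HOST_RULES_PRIVATE_KEY_FILE_PATH"):
        out.append("ERROR: WS_HOST_RULES_PRIVATE_KEY and "
                   "WS_HOST_RULES_PRIVATE_KEY_FILE_PATH cannot be used together")
    if env.get("WS_CACHE_TYPE") == "REDIS" and not is_set("WS_REDIS_HOST"):
        out.append("ERROR: WS_CACHE_TYPE=REDIS requires WS_REDIS_HOST")
    if is_set("WS_REMEDIATE_SERVER_ONLY") and is_set("WS_REMEDIATE_SERVER_URL"):
        out.append("WARN: WS_REMEDIATE_SERVER_URL is ignored with WS_REMEDIATE_SERVER_ONLY")
    if is_true("MEND_SCA_ORCHESTRATOR_ENABLED") != is_true("MEND_AI_ENABLE_CODE_CAPABILITIES"):
        out.append("WARN: Mend AI needs both MEND_SCA_ORCHESTRATOR_ENABLED and "
                   "MEND_AI_ENABLE_CODE_CAPABILITIES set to true")
    # Any assigned value enables the check, so a "falsy" string is a likely mistake.
    if env.get("CHECK_REDIS_ON_STARTUP", "").lower() in ("false", "0", "no", "off"):
        out.append("WARN: any value enables CHECK_REDIS_ON_STARTUP; unset it to disable")
    cron = env.get("SCHEDULER_CRON")
    if cron is not None and len(cron.split()) != 5:
        out.append("ERROR: SCHEDULER_CRON must be a 5-part cron schedule")
    return out

if __name__ == "__main__":
    for finding in lint_env(parse_env(SAMPLE)):
        print(finding)
```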