Mend Bolt for Azure Pipelines
Overview
This integration does not support Azure DevOps Server (TFS) installations.
The Mend Bolt extension enables you to do the following:
Detect and remediate vulnerable open source components
Generate a comprehensive open-source inventory report per build
Enforce open source license compliance, including dependencies’ licenses
NOTE: Mend only stores and generates a report for the latest build data of a particular pipeline definition.
Support for Languages and Package Managers
Mend Bolt supports the languages and package managers currently supported by the Unified Agent (over 200 languages).
Note the following limitations:
Docker image scanning is not supported.
Prerequisites
Ensure the following:
Your Azure DevOps organization is connected to an Azure Active Directory via Organization Settings > Azure Active Directory.
You do not have any existing Mend extensions installed. If any are installed, they must be uninstalled first.
If you are using a self-hosted build agent, note that running it behind a web proxy is not currently supported.
The relevant package manager used by your project is installed.
Installing the Extension
To install the extension, do as follows:
Click here to access the Visual Studio Marketplace. The Mend Bolt extension page is displayed.
Click Get it free and follow the installation procedure.
Activating the Extension
To activate the extension, do as follows:
After installing the extension, navigate to Organization Settings > Extensions > Mend within your Azure DevOps organization.
An activation form enabling you to create your Mend account is displayed. Enter the following details:
First name
Last name
Work email
Company name
Phone Number (optional)
Country
Click Create Account.
Adding a Mend Bolt Build Task to Your Pipeline
To add a Mend Bolt build task to your existing pipeline, do as follows:
Go to the relevant Azure DevOps project for which you want Mend Bolt to run.
Inside your Azure DevOps project, from the sidebar, click Pipelines. The Pipelines page is displayed.
Click the relevant pipeline. The specific pipeline page is displayed.
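Click Edit. Do one of the following procedures, both described below: add a build task to a YAML pipeline, or add a build task to a Classic pipeline.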
This activates the Mend integration on your build pipeline.
NOTE: Adding a pre-step build task is not necessary in order for Mend to successfully scan the build repository. Mend by default runs a pre-step command as part of the Mend Bolt task.
Adding a Build Task to a YAML Pipeline
In the pipeline edit page, from the right side, click Show assistant. The Tasks sidebar is displayed.
In the search bar, enter mend. The Mend task is displayed.
Click the Mend Bolt task.
From the bottom right corner, click Add. The Mend Bolt task is added to the pipeline.
- task: mend@21
  inputs:
    cwd: '$(System.DefaultWorkingDirectory)'
Click Save & queue.
NOTE: The Mend task can be moved to other locations within the steps section, depending on your preferences.
Adding a Build Task to a Classic Pipeline
To add a task to the Agent Job, click the plus (“+”) sign next to the agent job section. The Add Tasks section is displayed.
In the search bar, enter mend. The Mend Bolt task is displayed.
Click the Mend Bolt tab, and then click Add. The Mend Bolt task is added to the pipeline.
(Optional) To specify the name of the Mend project to be created, enter the name in the Project name field.
NOTE: You cannot change the project name after the first build run.
Click Save & queue.
NOTE: The Mend task can be moved to other locations within the steps section, depending on your preferences.