
Transition Guide – Switch-Over to Mend Developer Platform

Overview

This article outlines the transition steps and includes an appendix listing what is supported in the Mend Developer Platform compared to the classic Mend repository integrations (Bitbucket Cloud and Azure DevOps Repos).

Note: This is a replacement, not a migration: You’ll uninstall the classic app, install the new one, and re-enter settings. No issues, PR comments, build statuses or configuration files are copied as part of the transition.

Difference between the two apps

  • Mend Developer Platform is a newer app with a convenient UI, but it is still in beta.

  • It will receive all new features; the classic app will be maintained for a while, but new features will not be prioritized for it.

  • Once the Mend Developer Platform is out of beta, Mend will devise a plan to deprecate the classic integration.

Transition Steps

  1. Uninstall the existing repository integration; running both apps side-by-side causes duplicate findings and inconsistent build results.

  2. Close all open PRs and Issues created by Mend.io.

  3. Choose one of the following options:

    1. Delete the existing repo Projects from the existing organization in the Mend App UI.
      OR:

    2. Create a new Organization for the Developer Platform deployment.

  4. Install Mend Dev Platform.

  5. Select Scan only mode.

  6. Adjust the new configurations to your previous repository integration settings using the Transitioning Configuration section below.

Note:

  • Project/repo admins can configure everything themselves in the controlled repos without the help of the workspace admin (if the override parameter doesn’t block this).

  • There is no need for a global config repo and config files in the repos.

Transitioning Configuration Options to Mend Developer Platform

This section outlines the changes between the classic Mend repository integrations and the new Mend Developer Platform. From global configurations to repository-specific settings and security management, we clarify the adjustments and enhancements made in our new platform.

Note: Some of the parameters listed below are exclusive to a specific repo integration and not applicable to all Mend repository integrations.

Global Configuration (global-config.json)

| Old Parameter | Details |
|---|---|
| repoConfigMode | Obsolete. Mend no longer creates configuration files. Exception: Renovate may have its configuration file if configured. |
| repoConfigFileName | Obsolete. Mend does not create configuration files. |
| settingsInheritedFrom | Settings applied on the Workspace settings page are automatically applied to all repositories. |
| ignoreSpecificVulnerabilities | Not supported in the new Mend Developer Platform. |
| ignoredRepos.exactNames | Controlled via the Installation Setup Wizard and Repository settings page. |
| includedRepos.exactNames | Controlled via the Installation Setup Wizard and Repository settings page. |

.whitesource File and Repo Configuration (repo-config.json)

Scan Settings (scanSettings)

| Old Parameter | Details |
|---|---|
| configMode | Use the "UA custom configuration" parameter in the “Open-Source Security” settings. |
| configExternalURL | Not supported in the new Mend Developer Platform. |
| baseBranches | Use the "Base branches" parameter in the General settings on the Workspace level. |
| enableLicenseViolations | Use the "Checks" parameter in the “Open-Source Licensing” settings. |
| javaVersion | Not supported in the new Mend Developer Platform. |
| repoNameSync | Not supported in the new Mend Developer Platform. |
| skipScanningStage | Currently not supported in the new Mend Developer Platform, but it is planned to be. |
| exploitability | Obsolete. If there is available exploitability data, it will be automatically applied to the findings. |

Build Settings (buildSettings)

| Old Parameter | Details |
|---|---|
| displayMode | Not supported in the new Mend Developer Platform. |
| createBuildStatus | Use the "Checks" parameter in the “Open-Source Security” settings. |
| failBuilds | Use the “Checks - Conclusion status” parameter of the “Open-Source Security” settings section. |
| failLicenseBuilds | Use the “Checks - Conclusion status” parameter of the “Open-Source Licensing” settings section. |
| showWsInfo | Not supported in the new Mend Developer Platform. |

Issue Settings (issueSettings)

| Old Parameter | Details |
|---|---|
| minSeverityLevel | Not supported in the new Mend Developer Platform. |
| minVulnerabilityScore | Use the “Issues - Vulnerability range” parameter of the “Open-Source Security” settings section. |
| maxVulnerabilityScore | Use the “Issues - Vulnerability range” parameter of the “Open-Source Security” settings section. |
| displayLicenseViolations | Use the “Issues” parameter of the “Open-Source Licensing” settings section. |
| issueType | Use the “Issues - Grouping rule” parameter of the “Open-Source Security” settings section. |
| customLabels | Currently not supported in the new Mend Developer Platform, but it is planned to be. |

Remediate Settings (remediateSettings)

| Old Parameter | Details |
|---|---|
| enableRenovate | Use the “Enable” parameter of the “Renovate” settings section. |
| workflowRules | Use the “Remediation” parameter of the “Open-Source Security” settings section. |

Host Rules (hostRules)

The host rules are managed via “Credentials” in the settings section.
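
Because no configuration files are copied during the transition, it helps to inventory what each repository's legacy .whitesource file sets before the classic app is uninstalled. The sketch below is an added example, not Mend's code: it sorts the keys of such a file using the tables above, so settings with no equivalent (for example a severity threshold or display mode) are noticed rather than silently lost. The function name, the "A > B" shorthand and the sample values are assumptions made for illustration.

```python
import json

# Transcribed from the tables on this page; "A > B" is shorthand (not Mend
# notation) for parameter B in settings section A of the Developer Platform.
REENTER = {
    "scanSettings.configMode": "Open-Source Security > UA custom configuration",
    "scanSettings.baseBranches": "General (Workspace level) > Base branches",
    "scanSettings.enableLicenseViolations": "Open-Source Licensing > Checks",
    "buildSettings.createBuildStatus": "Open-Source Security > Checks",
    "buildSettings.failBuilds": "Open-Source Security > Checks - Conclusion status",
    "buildSettings.failLicenseBuilds": "Open-Source Licensing > Checks - Conclusion status",
    "issueSettings.minVulnerabilityScore": "Open-Source Security > Issues - Vulnerability range",
    "issueSettings.maxVulnerabilityScore": "Open-Source Security > Issues - Vulnerability range",
    "issueSettings.displayLicenseViolations": "Open-Source Licensing > Issues",
    "issueSettings.issueType": "Open-Source Security > Issues - Grouping rule",
    "remediateSettings.enableRenovate": "Renovate > Enable",
    "remediateSettings.workflowRules": "Open-Source Security > Remediation",
    "hostRules": "Credentials",
}
NO_EQUIVALENT = {
    **dict.fromkeys(["scanSettings.configExternalURL", "scanSettings.javaVersion",
                     "scanSettings.repoNameSync", "buildSettings.displayMode",
                     "buildSettings.showWsInfo", "issueSettings.minSeverityLevel"], "not supported"),
    **dict.fromkeys(["scanSettings.skipScanningStage", "issueSettings.customLabels"], "planned"),
    "scanSettings.exploitability": "obsolete",
}

def transition_report(config_text):
    """Group the keys a legacy config sets by what happens to them (hostRules is one entry)."""
    report = {"re-enter": {}, "no equivalent": {}, "unknown": []}
    for section, body in json.loads(config_text).items():
        keys = [f"{section}.{k}" for k in body] if isinstance(body, dict) else [section]
        for key in keys:
            if key in REENTER:
                report["re-enter"][key] = REENTER[key]
            elif key in NO_EQUIVALENT:
                report["no equivalent"][key] = NO_EQUIVALENT[key]
            else:
                report["unknown"].append(key)  # not in the page's tables: review by hand
    return report

# Constructed sample: keys are taken from this page, values are placeholders.
SAMPLE = """{"scanSettings": {"baseBranches": ["main"], "javaVersion": "11", "cloneSubmodules": true},
 "buildSettings": {"failBuilds": true, "displayMode": "diff"},
 "issueSettings": {"minSeverityLevel": "LOW", "customLabels": ["security"]}, "hostRules": []}"""

if __name__ == "__main__":
    print(json.dumps(transition_report(SAMPLE), indent=2))
```

Keys reported as "unknown" are simply absent from the parameter tables above and need to be checked against the feature comparison that follows.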

Supported features - Classic Repo Integrations vs. Developer Platform

This section shows a detailed comparison between the Classic repo Integration and the Developer Platform: which features are supported in each, with a breakdown per SCM.

All SCMs

Feature

Description and documentation

Classic Repo Integration

Developer Platform

Programmatic secret setting

In "classic" repo integrations, users can automate committing to a git repo containing secrets

Yes

No (Will be supported in Q1 2025)

specify javaVersion

Yes

No

Choose whether to scan submodules or not

Yes

No (Will be supported in Q2 2025)

exploitability

Yes

Yes

"displayMode" - diff/baseline

Yes

No

"showWsInfo" - showing project token and more info in the commit status

Yes

No (Will be supported in Q2 2025)

useMendStatusNames - controls whether the checks will be named "mend" or "whitesource"

Yes

No

skipScanningStage

Yes

No

customLabels

Define labels that will be added to the Azure DevOps Repos issues created after the scan.

Yes

No (Will be supported in Q2 2025)

Configure whether vulnerabilities are 0-10 or grouped by min med high critical

minVulnerabilityScore
minSeverityLevel

Yes

No

strictModeCustomMessage

Yes

No

Dynamic tool installation

No

repoNameSync

Yes

No

Code Source for GH com

Yes

No

custom product mapping

Yes

No

Inherit previous commit status

N/A

No

Allow list (IPs)

Yes

Work with Workflow Licensing violations (Platform)

No

Yes

Print logs in JSON

Sync the list of files that trigger a scan

Scan branch when it's created

Don't sync issues for archived repos

display source file path in license scan results

Git LFS support for Scanner and Remediate

Azure DevOps

Feature

Description and documentation

Classic Repo Integration

Developer Platform

SAST scanning

No

Yes

Reachability

No

Yes

rerun scan via UI

No

Yes

IaC

infra as code

Yes

No

Org level settings

Yes

No

per org installation

Yes

No

support project tokens

Yes

No

API for controlling secrets

No

specify javaVersion

https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca

Yes

No

Choose whether to scan submodules or not

scanSettings.cloneSubmodules

Yes

No

exploitability

https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca

Yes

No

"displayMode" - diff/baseline

https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca

Yes

No

"showWsInfo" - showing project token and more info in the commit status

https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca

Yes

No

useMendStatusNames - controls whether the checks will be named "mend" or "whitesource"

https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca

Yes

No

skipScanningStage

Yes

No

customLabels

Define labels that will be added to the Azure DevOps Repos issues created after the scan.

Yes

No

Configure whether vulnerabilities are 0-10 or grouped by min med high critical

minVulnerabilityScore
minSeverityLevel

Yes

No

repoNameSync

https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca

Yes

No

custom work items + fields

Yes

Yes

Work with policy Licensing violations (Core)

Yes

Yes

"strictMode" and "strictModeInfo"

fail security check on partial scan results

Yes

Yes

scan all feature branches

Yes

Yes

configure opening work item per dependency or per vulnerability

Yes

Yes

specify list of base branches

Yes

Yes

custom/external UA config

https://docs.mend.io/legacy-sca/latest/unified-agent-configuration-for-native-integration

Yes

Yes

Inherit previous commit status

No

No

releaseBranches

Yes

Yes

Dynamic tool installation

No

Work with Workflow Licensing violations (Platform)

No

No

Don't update work item state during sync

Print logs in JSON

Sync the list of files that trigger a scan

Scan branch when it's created

Don't sync issues for archived repos

display source file path in license scan results

Git LFS support for Scanner and Remediate

Allow list (IPs)

Bitbucket Cloud

Feature

Description and documentation

Classic Repo Integration

Developer Platform

SAST scanning

No

Yes

Reachability

No

Yes

rerun scan via UI

No

Yes

releaseBranches

No

Yes

createBuildStatus

configure whether Mend will run the security check or not

Yes

Yes

failLicenseBuilds

configure the conclusion status for Mend License checks

Yes

Yes

displayLicenseViolations

configure whether to generate an issue for every detected license policy violation

Yes

Yes

hostRules

https://docs.mend.io/integrations/latest/install-mend-for-bitbucket-cloud

Yes

Yes

API for controlling secrets

No

specify javaVersion

https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca

Yes

No

exploitability

https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca

Yes

No

"showWsInfo" - showing project token and more info in the commit status

https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca

Yes

No

skipScanningStage

Yes

No

Configure whether vulnerabilities are 0-10 or grouped by min med high critical

minVulnerabilityScore
minSeverityLevel

Yes

No

repoNameSync

https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca

Yes

No

Work with policy Licensing violations (Core)

Yes

Yes

"strictMode" and "strictModeInfo"

fail security check on partial scan results

Yes

Yes

scan all feature branches

Yes

Yes

configure opening work item per dependency or per vulnerability

Yes

Yes

specify list of base branches

Yes

Yes

custom/external UA config

https://docs.mend.io/legacy-sca/latest/unified-agent-configuration-for-native-integration

Yes

Yes

Inherit previous commit status

No

No

Work with Workflow Licensing violations (Platform)

No

No

Dynamic tool installation

No

Print logs in JSON

Sync the list of files that trigger a scan

Scan branch when it's created

Don't sync issues for archived repos

display source file path in license scan results

Git LFS support for Scanner and Remediate

Allow list (IPs)
