Transition Guide – Switch-Over to Mend Developer Platform
Overview
This article outlines the transition steps and includes an appendix listing what the Mend Developer Platform supports compared to the classic Mend repository integrations (Bitbucket Cloud and Azure DevOps Repos).
Note: This is a replacement, not a migration: You’ll uninstall the classic app, install the new one, and re-enter settings. No issues, PR comments, build statuses or configuration files are copied as part of the transition.
Difference between the two apps
Mend Developer Platform is a newer app with a convenient UI, but it is still in beta.
It will receive all new features. The classic app will be maintained for a while, but new features will not be prioritized for it.
Once the Mend Developer Platform is out of beta, Mend will devise a plan to deprecate the classic integration.
Transition Steps
Uninstall the existing repository integration; running both apps side-by-side causes duplicate findings and inconsistent build results.
Close all open PRs and Issues created by Mend.io.
Choose one of the following options:
Delete the existing repo Projects from the existing organization in the Mend App UI.
OR: Create a new Organization for the Developer Platform deployment.
Install Mend Dev Platform.
Select Scan only mode.
Adjust the new configurations to your previous repository integration settings using the Transitioning Configuration section below.
Note:
Project/repo admins can configure everything themselves in the controlled repos without the help of the workspace admin (if the override parameter doesn’t block this).
There is no need for a global config repo and config files in the repos.
Transitioning Configuration Options to Mend Developer Platform
This section outlines the changes between the classic Mend repository integrations and the new Mend Developer Platform. From global configurations to repository-specific settings and security management, we clarify the adjustments and enhancements made in our new platform.
Note: Some of the parameters listed below are exclusive to a specific repo integration and not applicable to all Mend repository integrations.
Global Configuration (global-config.json)
Old Parameter | Details |
---|---|
repoConfigMode | Obsolete. Mend no longer creates configuration files. Exception: Renovate may have its configuration file if configured. |
repoConfigFileName | Obsolete. Mend does not create configuration files. |
settingsInheritedFrom | Settings applied on the Workspace settings page are automatically applied to all repositories. |
ignoreSpecificVulnerabilities | Not supported in the new Mend Developer Platform. |
ignoredRepos.exactNames | Controlled via the Installation Setup Wizard and Repository settings page. |
includedRepos.exactNames | Controlled via the Installation Setup Wizard and Repository settings page. |
.whitesource File and Repo Configuration (repo-config.json)
Scan Settings (scanSettings)
Old Parameter | Details |
---|---|
configMode | Use the "UA custom configuration" parameter in the “Open-Source Security” settings. |
configExternalURL | Not supported in the new Mend Developer Platform. |
baseBranches | Use the "Base branches" parameter in the General settings on the Workspace level. |
enableLicenseViolations | Use the "Checks" parameter in the “Open-Source Licensing” settings. |
javaVersion | Not supported in the new Mend Developer Platform. |
repoNameSync | Not supported in the new Mend Developer Platform. |
skipScanningStage | Currently not supported in the new Mend Developer Platform, but it is planned to be. |
exploitability | Obsolete. If there is available exploitability data, it will be automatically applied to the findings. |
Build Settings (buildSettings)
Old Parameter | Details |
---|---|
displayMode | Not supported in the new Mend Developer Platform. |
createBuildStatus | Use the "Checks" parameter in the “Open-Source Security” settings. |
failBuilds | Use the “Checks - Conclusion status” parameter of the “Open-Source Security” settings section. |
failLicenseBuilds | Use the “Checks - Conclusion status” parameter of the “Open-Source Licensing” settings section. |
showWsInfo | Not supported in the new Mend Developer Platform. |
Issue Settings (issueSettings)
Old Parameter | Details |
---|---|
minSeverityLevel | Not supported in the new Mend Developer Platform. |
minVulnerabilityScore | Use the “Issues - Vulnerability range” parameter of the “Open-Source Security” settings section. |
maxVulnerabilityScore | Use the “Issues - Vulnerability range” parameter of the “Open-Source Security” settings section. |
displayLicenseViolations | Use the “Issues” parameter of the “Open-Source Licensing” settings section. |
issueType | Use the “Issues - Grouping rule” parameter of the “Open-Source Security” settings section. |
customLabels | Currently not supported in the new Mend Developer Platform, but it is planned to be. |
Remediate Settings (remediateSettings)
Old Parameter | Details |
---|---|
enableRenovate | Use the “Enable” parameter of the “Renovate” settings section. |
workflowRules | Use the “Remediation” parameter of the “Open-Source Security” settings section. |
Host Rules (hostRules)
The host rules are managed via “Credentials” in the settings section.
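No configuration is copied during the switch-over, so it helps to inventory the classic repo-level settings before uninstalling. The script below is an added example, not part of the original guide or Mend's tooling: it applies the mapping tables above to a classic configuration and lists which settings must be re-entered and which have no equivalent. It assumes the file is a JSON object with the section names above as top-level keys; the audit function, the report labels and the sample values are constructed for illustration.

```python
import json
# Transcribed from the tables above: classic key -> where the setting lives now.
MAPPED = {
    "scanSettings.configMode": 'Open-Source Security: "UA custom configuration"',
    "scanSettings.baseBranches": 'General (Workspace level): "Base branches"',
    "scanSettings.enableLicenseViolations": 'Open-Source Licensing: "Checks"',
    "buildSettings.createBuildStatus": 'Open-Source Security: "Checks"',
    "buildSettings.failBuilds": 'Open-Source Security: "Checks - Conclusion status"',
    "buildSettings.failLicenseBuilds": 'Open-Source Licensing: "Checks - Conclusion status"',
    "issueSettings.minVulnerabilityScore": 'Open-Source Security: "Issues - Vulnerability range"',
    "issueSettings.maxVulnerabilityScore": 'Open-Source Security: "Issues - Vulnerability range"',
    "issueSettings.displayLicenseViolations": 'Open-Source Licensing: "Issues"',
    "issueSettings.issueType": 'Open-Source Security: "Issues - Grouping rule"',
    "remediateSettings.enableRenovate": 'Renovate: "Enable"',
    "remediateSettings.workflowRules": 'Open-Source Security: "Remediation"',
    "hostRules": "Credentials",
}
NO_EQUIVALENT = {
    "scanSettings.configExternalURL": "unsupported", "scanSettings.javaVersion": "unsupported",
    "scanSettings.repoNameSync": "unsupported", "buildSettings.displayMode": "unsupported",
    "buildSettings.showWsInfo": "unsupported", "issueSettings.minSeverityLevel": "unsupported",
    "scanSettings.skipScanningStage": "planned", "issueSettings.customLabels": "planned",
    "scanSettings.exploitability": "obsolete",
}

def audit(config_text):
    """Group every set key by what has to happen to it; hostRules is one unit."""
    report = {"re-enter": {}, "unsupported": [], "planned": [], "obsolete": [], "unlisted": []}
    for section, body in json.loads(config_text).items():
        whole = section == "hostRules" or not isinstance(body, dict)
        for key, value in ([(None, body)] if whole else body.items()):
            if value in ("", None, [], {}):
                continue  # unset in the classic file, nothing to carry over
            path = section if key is None else f"{section}.{key}"
            if path in MAPPED:
                # Host rules hold credentials, so never echo them into the report.
                shown = "<redacted>" if section == "hostRules" else value
                report["re-enter"][path] = (MAPPED[path], shown)
            else:
                report[NO_EQUIVALENT.get(path, "unlisted")].append(path)
    return report

# Constructed sample: key names are from the tables above, values are made up.
SAMPLE = """{
  "scanSettings": {"configMode": "AUTO", "baseBranches": ["main"], "javaVersion": "11", "configExternalURL": ""},
  "buildSettings": {"failBuilds": true, "showWsInfo": true},
  "issueSettings": {"minSeverityLevel": "LOW", "customLabels": ["security"]},
  "hostRules": ["<constructed entry>"]
}"""
print(json.dumps(audit(SAMPLE), indent=2))
```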
Supported features - Classic Repo Integrations vs. Developer Platform
This section shows a detailed comparison between the Classic repo Integration and the Developer Platform: which features are supported in each, with a breakdown per SCM.
All SCMs
Feature | Description and documentation | Classic Repo Integration | Developer Platform |
---|---|---|---|
Programmatic secret setting | In "classic" repo integrations, users can automate committing to a Git repo containing secrets | Yes | No (Will be supported in Q1 2025) |
specify javaVersion | | Yes | No |
Choose whether to scan submodules or not | | Yes | No (Will be supported in Q2 2025) |
exploitability | | Yes | Yes |
"displayMode" - diff/baseline | | Yes | No |
"showWsInfo" - showing project token and more info in the commit status | | Yes | No (Will be supported in Q2 2025) |
useMendStatusNames - controls whether the checks will be named "mend" or "whitesource" | | Yes | No |
skipScanningStage | | Yes | No |
customLabels | Define labels that will be added to the Azure DevOps Repos issues created after the scan. | Yes | No (Will be supported in Q2 2025) |
Configure whether vulnerabilities are 0-10 or grouped by min med high critical | minVulnerabilityScore | Yes | No |
strictModeCustomMessage | | Yes | No |
Dynamic tool installation | No | ||
repoNameSync | | Yes | No |
Code Source for GH com | | Yes | No |
custom product mapping | | Yes | No |
Inherit previous commit status | | N/A | No |
Allow list (IPs) | Yes | ||
Work with Workflow Licensing violations (Platform) | | No | Yes |
Print logs in JSON | |||
Sync the list of files that trigger a scan | |||
Scan branch when it's created | |||
don't sync issues for archived repos |||
display source file path in license scan results |||
Git LFS support for Scanner and Remediate |
Azure DevOps
Feature | Description and documentation | Classic Repo Integration | Developer Platform |
---|---|---|---|
SAST scanning | | No | Yes |
Reachability | | No | Yes |
rerun scan via UI | | No | Yes |
IaC | infra as code | Yes | No |
Org level settings | | Yes | No |
per org installation | | Yes | No |
support project tokens | | Yes | No |
API for controlling secrets | No | ||
specify javaVersion | https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca | Yes | No |
Choose whether to scan submodules or not | scanSettings.cloneSubmodules | Yes | No |
exploitability | https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca | Yes | No |
"displayMode" - diff/baseline | https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca | Yes | No |
"showWsInfo" - showing project token and more info in the commit status | https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca | Yes | No |
useMendStatusNames - controls whether the checks will be named "mend" or "whitesource" | https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca | Yes | No |
skipScanningStage | | Yes | No |
customLabels | Define labels that will be added to the Azure DevOps Repos issues created after the scan. | Yes | No |
Configure whether vulnerabilities are 0-10 or grouped by min med high critical | minVulnerabilityScore | Yes | No |
repoNameSync | https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca | Yes | No |
custom work items + fields | | Yes | Yes |
Work with policy Licensing violations (Core) | | Yes | Yes |
"strictMode" and "strictModeInfo" | fail security check on partial scan results | Yes | Yes |
scan all feature branches | | Yes | Yes |
configure opening work item per dependency or per vulnerability | | Yes | Yes |
specify list of base branches | | Yes | Yes |
custom/external UA config | https://docs.mend.io/legacy-sca/latest/unified-agent-configuration-for-native-integration | Yes | Yes |
Inherit previous commit status | | No | No |
releaseBranches | | Yes | Yes |
Dynamic tool installation | No | ||
Work with Workflow Licensing violations (Platform) | | No | No |
Don't update work item state during sync | |||
Print logs in JSON | |||
Sync the list of files that trigger a scan | |||
Scan branch when it's created | |||
don't sync issues for archived repos |||
display source file path in license scan results |||
Git LFS support for Scanner and Remediate |||
Allow list (IPs) |
Bitbucket Cloud
Feature | Description and documentation | Classic Repo Integration | Developer Platform |
---|---|---|---|
SAST scanning | | No | Yes |
Reachability | | No | Yes |
rerun scan via UI | | No | Yes |
releaseBranches | | No | Yes |
createBuildStatus | configure whether Mend will run the security check or not | Yes | Yes |
failLicenseBuilds | configure the conclusion status for Mend License checks | Yes | Yes |
displayLicenseViolations | configure whether to generate an issue for every detected license policy violation | Yes | Yes |
hostRules | https://docs.mend.io/integrations/latest/install-mend-for-bitbucket-cloud | Yes | Yes |
API for controlling secrets | No | ||
specify javaVersion | https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca | Yes | No |
exploitability | https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca | Yes | No |
"showWsInfo" - showing project token and more info in the commit status | https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca | Yes | No |
skipScanningStage | | Yes | No |
Configure whether vulnerabilities are 0-10 or grouped by min med high critical | minVulnerabilityScore | Yes | No |
repoNameSync | https://docs.mend.io/integrations/latest/configure-mend-for-azure-repos-for-sca | Yes | No |
Work with policy Licensing violations (Core) | | Yes | Yes |
"strictMode" and "strictModeInfo" | fail security check on partial scan results | Yes | Yes |
scan all feature branches | | Yes | Yes |
configure opening work item per dependency or per vulnerability | | Yes | Yes |
specify list of base branches | | Yes | Yes |
custom/external UA config | https://docs.mend.io/legacy-sca/latest/unified-agent-configuration-for-native-integration | Yes | Yes |
Inherit previous commit status | | No | No |
Work with Workflow Licensing violations (Platform) | | No | No |
Dynamic tool installation | No | ||
Print logs in JSON | |||
Sync the list of files that trigger a scan | |||
Scan branch when it's created | |||
don't sync issues for archived repos |||
display source file path in license scan results |||
Git LFS support for Scanner and Remediate |||
Allow list (IPs) |