Scan Customization in Mend for GitHub Enterprise
Overview
This feature allows customers to execute custom pre-build scripts (hooks) before the integration’s package scanning build process begins. Such scripts are useful for preparing the environment or performing setup tasks required before scanning.
Notes:
All scripts are managed centrally under a common directory.
Scripts are executed once per scan, before package manager detection and build steps.
Getting it done
Repository Structure and Setup
Create a dedicated global repository within your organization’s Git account and add a top-level folder named hooks/common/ that contains a pre-build/ folder for scripts.
Example structure:
hooks/
└── common/
    └── pre-build/
Enabling the Feature
To enable execution of pre-build scripts:
Configure the global customization repository by setting the environment variable MEND_GLOBAL_CUSTOMIZATION_REPO in the controller container.
Example:
MEND_GLOBAL_CUSTOMIZATION_REPO="my-org/my-global-customizations"
Once configured, the system will clone both the scanned project repository and the global customization repository.
Note:
Specify only the <organization>/<repository> identifier (no full URL).
The repository must reside on the same Git hosting domain as the scanned project.
Ensure the Mend integration app is installed on this repository.
There is no need to merge the onboarding PR once it gets created on this repository.
Execution Flow
Common pre-build scripts (common/pre-build/) are executed once at the start of the run, before package manager or project detection occurs.
Execution Order
Scripts in the pre-build/ folder are executed in lexical (alphabetical) order as determined by the file system.
Using numbered prefixes (e.g., 01_init.sh, 02_validate.sh) to control execution order is recommended.
Logging and Behavior
Script output is printed to the scanner logs.
Success or failure is logged, including duration and exit code.
Failures in script execution result in an SCA-Result with severity “Warning”, which may appear in UI results and affect the check run outcome (depending on the checkRunSettings.strictMode parameter).
If a script modifies any scan configuration files in the cloned repo (e.g., .whitesource, whitesource.config), the modifications are ignored.
All scripts are executed regardless of their exit code.
A long-running script will only time out after BUILD_TOOL_TIMEOUT_MIN.

Warning of a failed Hook Script
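A local dry run that mirrors the ordering and failure behaviour described above, as an added example rather than Mend's own runner. The function names, the byte-wise (LC_ALL=C) reading of "lexical order", running each script with sh, and the check for a zero-padded two-digit prefix are assumptions of this example.

```shell
#!/bin/sh
# Dry run for a hooks/common/pre-build/ folder. Added example, not Mend's runner.
# Assumptions: lexical order = byte-wise sort (LC_ALL=C); scripts are run with sh.

# Print hook file names in the order they would execute, one per line.
hook_order() (
  for f in "$1"/*; do
    if [ -f "$f" ]; then basename "$f"; fi
  done | LC_ALL=C sort
)

# Print names lacking a zero-padded two-digit prefix such as 01_.
# Without padding, 10_x.sh sorts before 2_y.sh and runs first.
unordered_hooks() (
  hook_order "$1" | grep -Ev '^[0-9]{2}_' || true
)

# Run every hook in order and keep going after failures, logging exit code and
# duration per script. Hook output goes to stderr; the summary goes to stdout.
run_hooks() (
  dir=$1
  hook_order "$dir" | {
    failed=0
    while IFS= read -r name; do
      start=$(date +%s)
      rc=0
      sh "$dir/$name" </dev/null >&2 || rc=$?
      echo "hook=$name exit_code=$rc duration_s=$(( $(date +%s) - start ))"
      if [ "$rc" -ne 0 ]; then failed=$((failed + 1)); fi
    done
    echo "failed=$failed"
  }
)

# Usage: sh dryrun.sh path/to/hooks/common/pre-build
if [ "$#" -ge 1 ]; then
  unordered_hooks "$1" | sed 's/^/WARN unpadded or unnumbered name: /'
  run_hooks "$1"
fi
```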
Skipping Hook Execution
Hook execution can be disabled entirely using configuration or environment variables.
To disable hook execution, configure the optional skipScanningStage object in the .whitesource configuration file, under the scanSettings section.
This object should include a hooks property with a common value.
Alternatively, this parameter can be defined in the global whitesource-config repository, inside the repo-config.json file, using the same structure under the scanSettings object.
Example:
JSON Configuration
{
  "scanSettings": {
    "skipScanningStage": {
      "hooks": ["common"]
    }
  }
}
Environment Variables Available to Scripts
The following environment variables are exported to all pre-build scripts:
Variable | Description |
| The scan context ID |
| Scanned project path (clone project directory) |
| Mend organization name |
| Mend application (product) name |
| Mend project name |
| VCS organization (e.g., GitHub/GitLab owner) |
| Current project repository name |
| Scanned branch name |
| Commit ID of the scanned repository |