
Scan your Infrastructure as Code (IaC) with Mend for Azure Repos

Overview

Mend for Azure Repos' IaC (Infrastructure as Code) scan reviews the IaC configuration files in your repository for security violations.

Use case

Mend for Azure Repos IaC scans can be used in the following ways:

  • You, a DevOps engineer, want to ensure before deployment that the cloud infrastructure defined in the commits to your Azure DevOps repository follows best practices.

  • You, a development team leader, are responsible for a repository and want to make sure there are no violations in your team's IaC configuration files, and to monitor the overall state of the repository.

Mend's Answer: With every valid commit, the IaC scan creates a Mend IaC Check that provides an overview of all violation details, and opens an issue for each violation that explains how to address it using the provided best practices. All of this happens without you ever needing to leave Azure DevOps Repos.

Getting it done

Once you have installed Mend for Azure Repos, you will see a Pull Request (PR) created from the whitesource/configure branch appear in your integrated repositories. This is also referred to as the Mend for Azure Repos "onboarding PR".

The onboarding PR contains the .whitesource file, which holds the configuration of your Mend for Azure Repos scan. You can edit the .whitesource file before merging the onboarding PR to ensure that your first scan is configured appropriately for your repository.

Merging the onboarding PR completes the installation and starts the first scan on your selected repositories. You can change settings (such as the selected branches) later in the .whitesource file.

Configure Mend for Azure Repos for IaC scan

The .whitesource file is used to configure Mend for Azure Repos IaC scans. To learn more about the IaC-supported languages, configuration, and parameters, visit our Configure Mend for Azure Repos for IaC documentation.

Run the Scan

Once you merge the onboarding PR into your default branch, the first SCA scan on your repository starts.

Subsequent IaC scans on your repository are triggered by a valid push. Because the IaC check depends on the SCA check, a push is valid when it meets at least one of the following requirements:

  • One of the commits in the push added or removed a source file with an extension supported by Mend. Refer to the Mend Languages page to find out whether a specific language and its extensions are supported.

  • One of the commits in the push added, deleted, or modified a package manager dependency file. Refer to the list of supported dependency files to determine whether your dependency files are supported.
    For Go, Python, JavaScript, or Maven projects, a change to the manifest file (go.mod, Pipfile, package.json, or pom.xml) triggers a scan only if its dependencies section changed.
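The trigger rules above are easy to misread: a push that only edits Terraform or other IaC files does not by itself satisfy either rule, so no Mend IaC Check runs for it unless a supported source file was added or removed, or a dependency file changed. The following script is an added example (not Mend's own code) that approximates those rules so you can predict, from a set of changed files, whether a push would trigger a check. The source-extension and dependency-file lists are small illustrative subsets and the `FileChange` type, function names, and sample pushes are all constructed assumptions; consult the Mend Languages page for the authoritative lists.

```python
"""Predict whether a push satisfies Mend's "valid push" rules.

Added example, not Mend's code. It encodes the two rules described above:
(1) a source file with a supported extension was added or removed, or
(2) a dependency file was added, deleted, or modified, where for
go.mod / Pipfile / package.json / pom.xml only a change to the
dependencies section counts. The extension and file lists are
illustrative subsets (assumption), not Mend's full supported list.
"""
import json
import os
import re
from dataclasses import dataclass

# Assumption: a small subset of Mend-supported source extensions.
SOURCE_EXTENSIONS = {".js", ".ts", ".py", ".go", ".java", ".rb", ".cs", ".php"}
# Assumption: dependency files that count on any add/delete/modify.
DEPENDENCY_FILES = {"requirements.txt", "yarn.lock", "package-lock.json",
                    "Gemfile", "Gemfile.lock", "go.sum"}
# Manifests where only a change in the dependencies section counts (from the page).
SECTIONED_MANIFESTS = {"go.mod", "Pipfile", "package.json", "pom.xml"}


@dataclass
class FileChange:
    path: str
    status: str          # "added", "deleted", or "modified"
    before: str = ""     # file content before the push ("" if added)
    after: str = ""      # file content after the push ("" if deleted)


def _go_requires(content: str) -> str:
    """Collect 'require' directives from a go.mod, single-line or block form."""
    reqs, in_block = [], False
    for line in content.splitlines():
        s = line.strip()
        if in_block:
            if s == ")":
                in_block = False
            elif s and not s.startswith("//"):
                reqs.append(s.split("//")[0].strip())
        elif s.startswith("require ("):
            in_block = True
        elif s.startswith("require "):
            reqs.append(s[len("require "):].strip())
    return "\n".join(sorted(reqs))


def _pipfile_packages(content: str) -> str:
    """Collect entries under [packages] and [dev-packages] in a Pipfile."""
    keep, section = [], None
    for line in content.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s
        elif section in ("[packages]", "[dev-packages]") and s and not s.startswith("#"):
            keep.append(f"{section} {s}")
    return "\n".join(sorted(keep))


def _package_json_deps(content: str) -> str:
    """Normalise the dependency maps of a package.json; other keys are ignored."""
    data = json.loads(content)
    keys = ("dependencies", "devDependencies", "peerDependencies", "optionalDependencies")
    return json.dumps({k: data.get(k) for k in keys}, sort_keys=True)


def _pom_dependencies(content: str) -> str:
    """Extract <dependencies> blocks from a pom.xml, whitespace-insensitive."""
    blocks = re.findall(r"<dependencies>.*?</dependencies>", content, re.S)
    return "\n".join(re.sub(r"\s+", "", b) for b in blocks)


def dependency_section(name: str, content: str) -> str:
    """Return a canonical string for the manifest's dependencies section."""
    if not content:
        return ""
    extractor = {"go.mod": _go_requires, "Pipfile": _pipfile_packages,
                 "package.json": _package_json_deps, "pom.xml": _pom_dependencies}
    return extractor[name](content)


def change_triggers_scan(change: FileChange) -> bool:
    """Apply the two rules to a single changed file."""
    name = os.path.basename(change.path)
    ext = os.path.splitext(name)[1].lower()
    # Rule 1: source file added or removed (a modification alone does not count).
    if change.status in ("added", "deleted") and ext in SOURCE_EXTENSIONS:
        return True
    # Rule 2a: sectioned manifest, only if the dependencies section differs.
    if name in SECTIONED_MANIFESTS:
        return dependency_section(name, change.before) != dependency_section(name, change.after)
    # Rule 2b: any other dependency file, on any change.
    return name in DEPENDENCY_FILES


def push_is_valid(changes) -> bool:
    """A push is valid if at least one changed file triggers a scan."""
    return any(change_triggers_scan(c) for c in changes)


# Constructed sample pushes (not real repository data).
PKG = '{"name": "app", "version": "1.0.0", "dependencies": {"express": "^4.18.0"}}'
PKG_BUMP = PKG.replace("1.0.0", "1.0.1")
PKG_NEW_DEP = PKG.replace('"^4.18.0"', '"^4.18.0", "lodash": "^4.17.21"')
GOMOD = "module example.com/app\n\ngo 1.21\n\nrequire (\n\tgithub.com/pkg/errors v0.9.1\n)\n"
SAMPLE_PUSHES = {
    "version_bump_only": [FileChange("package.json", "modified", PKG, PKG_BUMP)],
    "new_dependency": [FileChange("package.json", "modified", PKG, PKG_NEW_DEP)],
    "go_version_only": [FileChange("go.mod", "modified", GOMOD, GOMOD.replace("1.21", "1.22"))],
    "terraform_only": [FileChange("infra/main.tf", "modified", "a", "b")],  # assumption: .tf not in SCA list
    "new_source_file": [FileChange("src/handler.py", "added", "", "print('hi')")],
    "edited_source_file": [FileChange("src/handler.py", "modified", "a", "b")],
    "lockfile": [FileChange("package-lock.json", "modified", "{}", "{ }")],
}


def classify_sample_pushes() -> dict:
    """Map each sample push name to whether it would trigger a Mend check."""
    return {name: push_is_valid(changes) for name, changes in SAMPLE_PUSHES.items()}


if __name__ == "__main__":
    for name, triggered in classify_sample_pushes().items():
        print(f"{name:20s} -> {'scan' if triggered else 'no scan'}")
```

Under these rules only `new_dependency`, `new_source_file`, and `lockfile` trigger a check; a version bump in package.json, a Go toolchain bump in go.mod, an edit to an existing source file, and a Terraform-only change do not. If your IaC lives in a repository with no package manager, the practical workaround is to ensure a supported dependency file changes in the push, or to confirm on the Mend Languages page that your IaC file extensions are themselves supported.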


View the Scan Status

Once the scan starts, an Azure DevOps Repos check called Mend IaC Check is created.

Within Azure DevOps Repos, on your repository's Repos > Commits page, you can view the status and results of each scan. Click a specific check icon to view the Mend check.

Mend IaC Check

Once the scan has started, one of the following status indicators is shown on the head commit:

  • Queued: The IaC scan has not begun and is scheduled to begin.

  • In progress (blue circle icon): The IaC scan is currently running.

  • Success (green checkmark icon): No IaC violations were detected.

  • Failure (red "X" icon): One or more IaC violations were detected during the Mend scan.

  • Neutral: The push was not valid, so no scan was performed.

Note: The Failure status can also occur when an error (for example, a scan timeout) occurred during the scan, so a red "X" does not always mean a violation was found; open the check to see the details.

View the Scan Results

Once your Mend for Azure Repos scan has completed, there are several places to review the results. For more information on understanding your findings, visit our View the results of your Mend for Azure Repos SCA scan documentation.
