Scan your Infrastructure as Code (IaC) with Mend for Azure Repos
Overview
Mend for Azure Repos’s IaC (Infrastructure as Code) scan reviews your IaC configuration files for security vulnerabilities.
Use case
Mend for Azure Repos IaC scans can be utilized in the following ways:
You are a DevOps engineer who wants to ensure, before deployment, that the cloud infrastructure defined in the commits made to your Azure DevOps repository follows best practices.
You are a development team leader responsible for a repository and want to make sure there are no violations in your team’s IaC configuration files. You want to monitor the overall state of the repository.
Mend’s Answer: With every valid commit, the IaC scan creates a Mend IaC Check that provides an overview of all violation details, generates GitHub Issues for each violation, and explains how to address each one using the provided best practices. This is all done without you ever needing to leave Azure DevOps Repos.
Getting it done
Once you have installed Mend for Azure Repos, you will see a Pull Request (PR) created from the whitesource/configure branch appear in your integrated repositories. This is also referred to as the Mend for Azure Repos "onboarding PR":
The “onboarding PR” will contain the .whitesource file, which handles the configuration of your Mend for Azure Repos scan. You can edit the .whitesource file before merging the onboarding PR to ensure that your first scan is configured appropriately for your repository:
This will initiate the installation and start the first scan on your selected repositories. You can define settings (like selected branches) later on in the .whitesource file.
Configure Mend for Azure Repos for IaC scan
The .whitesource file is used to configure Mend for Azure Repos IaC scans. To learn more about the IaC-supported languages, configuration, and parameters, visit our Configure Mend for Azure Repos for IaC documentation.
Run the Scan
Once you merge the onboarding PR into your default branch, this will start the first SCA scan on your repository.
Subsequent IaC scans on your repository are initiated via a valid push command. As the IaC check relies on the SCA check, a valid push command meets at least one of the following requirements:
One of the commits in the push command added or removed source files with an extension supported by Mend. Refer to the Mend Languages page to find out whether a specific language and its extensions are supported.
One of the commits in the push command includes an addition, deletion, or modification of the package manager dependency files. Refer to the list of supported dependency files to determine whether your dependency files are supported.
For Go, Python, JavaScript, or Maven projects, when the manifest file (go.mod, Pipfile, package.json, or pom.xml) is changed, the scan will be triggered only if the dependencies section is changed.
Note:
A push command may consist of multiple commits.
You can manually trigger a scan for several repositories at once. For more information, refer to our Global Configuration document.
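The "valid push" rules above, reimplemented as an added example so a team can sanity-check a commit locally before pushing (this is not Mend's own code, and the source-extension set and sample manifests are constructed for illustration):

```python
# Added example (not Mend's own code): the 'valid push' rules above, reimplemented so a
# commit can be sanity-checked locally. SOURCE_EXTS is an assumed subset (real list: the Mend
# Languages page); only package.json and go.mod get the "dependencies section only" rule.
import json
import os

SOURCE_EXTS = {".js", ".py", ".go", ".java"}  # assumed subset, illustration only
DEPENDENCY_FILES = {"go.mod", "Pipfile", "package.json", "pom.xml"}


def npm_deps(text):
    """Only the dependency sections of a package.json matter for the trigger."""
    doc = json.loads(text)
    return {k: doc.get(k, {}) for k in ("dependencies", "devDependencies")}

def gomod_requires(text):
    """Module lines from 'require (...)' blocks and single 'require' lines."""
    reqs, in_block = set(), False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop comments such as '// indirect'
        if line.startswith("require ("):
            in_block = True
        elif in_block and line == ")":
            in_block = False
        elif in_block and line:
            reqs.add(line)
        elif line.startswith("require "):
            reqs.add(line[len("require "):].strip())
    return reqs

def deps_changed(name, old, new):
    if name == "package.json":
        return npm_deps(old) != npm_deps(new)
    if name == "go.mod":
        return gomod_requires(old) != gomod_requires(new)
    return old != new  # other dependency files: any modification counts

def push_is_valid(changes):
    """changes: iterable of (path, old_text, new_text); None marks an absent side."""
    for path, old, new in changes:
        name = os.path.basename(path)
        added_or_removed = old is None or new is None
        if name in DEPENDENCY_FILES:
            if added_or_removed or deps_changed(name, old, new):
                return True
        elif added_or_removed and os.path.splitext(name)[1] in SOURCE_EXTS:
            return True  # source files trigger only on add/remove, not on edit
    return False

# Constructed sample manifests: a version bump alone is not a valid push, adding a dependency is.
OLD_PKG = '{"name": "app", "version": "1.0.0", "dependencies": {"lodash": "4.17.21"}}'
BUMP_PKG = '{"name": "app", "version": "1.0.1", "dependencies": {"lodash": "4.17.21"}}'
DEP_PKG = '{"name": "app", "version": "1.0.1", "dependencies": {"lodash": "4.17.21", "axios": "1.6.0"}}'
```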
View the Scan Status
Once the scan is started, an Azure DevOps Repos check called Mend IaC Check is created.
Within Azure DevOps Repos, in your repository's Repos > Commits page, you can view the status and results of each scan. Click a specific check icon in order to view the Mend check:
Mend IaC Check
Once the scan has been started, there are several status indicators available as feedback on a head commit:
Queued: The IaC scan has not begun and is scheduled to begin.
In progress: (Blue circle icon) The IaC scan is currently in progress.
Success: (Green checkmark icon) No IaC violations were detected.
Failure: (Red "X" icon) One or more IaC violations were detected during the Mend scan.
Neutral: This conclusion occurs when the push command was not valid.
Note: The Failure status can also occur when an error (e.g. a scan timeout) occurred during the scan.
View the Scan Results
Once your Mend for Azure Repos scan has been completed, there are multiple resources for reviewing your results. For more information on understanding your findings, visit our View the results of your Mend for Azure Repos SCA scan documentation.