If you are working within an environment that hosts many GitHub.com repositories, Mend for GitHub.com provides a global configuration solution to apply parameters to multiple repositories with ease.
This article provides details and instructions on how to create and enable a global configuration that will affect all new repositories integrated using Mend for GitHub.com.
Using the global configuration, you are able to define a configuration that can be inherited by all future integrated repositories, as well as define an onboarding configuration for your integration. The three components of the global configuration are:
whitesource-config repository: The repository where your global-config.json and repo-config.json files are located. Integrated repositories' .whitesource files can point to this repository to inherit the configurations it houses.
global-config.json file: A JSON formatted configuration file where you can define how the onboarding flow will occur for your integrated repositories.
repo-config.json file: A JSON formatted configuration file that will be applied globally to each newly selected integrated repository. It is the global equivalent of the .whitesource file and provides the same configurable parameters for a Mend scan, organization-wide.
Note: All newly integrated repositories will inherit the configuration set in repo-config.json, unless explicitly overridden by a local .whitesource file in the relevant repository.
Within your GitHub organization, create a new repository named exactly whitesource-config.
Add the new whitesource-config repository to your Mend for GitHub.com integration.
The whitesource-config repository will now contain a README file and the two new configuration files (automatically created by the integration), repo-config.json and global-config.json. Configure these files with the Parameters provided in this documentation.
Add the repositories you wish to scan to the Mend for GitHub.com integration.
If you wish to migrate existing integrated repositories to the global configuration, visit our Migrate your existing repositories to Mend for GitHub.com global configuration documentation.
Note: The whitesource-config repository does not support changes to the configuration files done via pull requests. Any edits must be committed directly to the default branch of the repository. Due to this, branch protection rules should not be applied to the whitesource-config repository.
Note: The parameters below are exclusive to the repo-config.json file. The configuration parameters of the .whitesource file can be applied in the repo-config.json as well, but to be used globally.
Parameter | Type | Description |
|---|
overrideConfigAllowList | Array | Optional. Default Value: null. Regulate the ability of repositories that inherit their configuration from the whitesource-config repository to override the parameters locally. There are three options: null ("overrideConfigAllowList": null) - All repositories that inherit configuration from this repo-config.json file can override its settings locally in their .whitesource file.
Empty array ("overrideConfigAllowList": []) - All repositories that inherit configuration from this repo-config.json file cannot override its settings in their .whitesource file. Array with values ("overrideConfigAllowList": ["orgName1/repoName1", "orgName2/repoName2"]) - Only the repositories specified in this list that inherit configuration from this repo-config.json file can override its settings locally in their .whitesource file.
Note: This is a legacy parameter, use overrideConfigAllowList in global-config.json instead. If both this and the same parameter in global-config.json are set up - only global-config.json parameter one will be used.
|
Parameter | Type | Description |
|---|
repoConfigMode | String | Required. Default Value: createOnboardingPR. The configuration mode to be used on all integrated repositories. There are three options: createOnboardingPR - Create an onboarding pull request (PR) containing a .whitesource file with inherited configuration.
The integrated repositories will inherit the configuration from the repo-config.json file located inside the whitesource-config repository. The .whitesource configuration file generated in each repository will contain a single parameter, settingsInheritedFrom, with a value pointing to the repo name and branch in which the repo-config.json file is located.
pushwhitesourceFile - A .whitesource configuration file with inherited configuration will immediately be pushed to the default branch of all integrated repositories without creating any onboarding PRs.
The .whitesource configuration file generated in each repository will contain a single parameter, settingsInheritedFrom, with a value pointing to the repo name and branch in which the repo-config.json file is located.
nowhitesourceFile - Integrated repositories will be scanned without creating a .whitesource file or onboarding PR. The integrated repositories will inherit the configuration from the repo-config.json file located inside the whitesource-config repository.
Note: If the nowhitesourceFile parameter is set, the existing repositories that Mend has access to require a valid commit before scanning will continue. Newly created repositories that Mend has access to will automatically start the initial scan (versus waiting for the onboarding PR to be merged when createOnboardingPR is set).
|
repoConfigFileName | String | Optional. Default Value: .whitesource. Rename the .whitesource configuration file added to an integrated repository.
Note: This is currently only supported for newly-integrated repositories. If a repository already includes a .whitesource file, the integration will continue using it. This parameter is ignored when repoConfigMode is set to nowhitesourceFile.
|
enableCustomProductMapping | Boolean | Optional. Default Value: false. When set to true, each integrated repository that has a topic that starts with the mendmap- prefix will be connected to the Product in the Mend Application with the name that goes after prefix.
Note: Topic length limitation is 32 characters.
|
ignoreSpecificVulnerabilities | Boolean | Optional. Default Value: false. When set to true, all vulnerability IDs listed in a created ignored-vulnerabilities.txt file in the root of whitesource-config repository will be ignored during SCA security scans. The vulnerabilities: The format of ignored-vulnerabilities.txt is a list CVEs or WSs IDs separated by a new line:
CODE
CVE-2017-1000048
WS-2014-0005
CVE-2014-6394
Note: Existing mentions of the ignored vulnerabilities will be removed from the issues with the next valid push after this parameter is enabeled. These change affects only Repo Integration and doesn’t change the vulnerability alerts in the Mend SCA Application.
|
overrideConfigAllowList | Array | Optional. Default Value: null. Regulate the ability of repositories that inherit their configuration from the whitesource-config repository to override the parameters locally. There are three options: null ("overrideConfigAllowList": null) - All repositories that inherit configuration from this repo-config.json file can override its settings locally in their .whitesource file.
Empty array ("overrideConfigAllowList": []) - All repositories that inherit configuration from this repo-config.json file cannot override its settings in their .whitesource file. Array with values ("overrideConfigAllowList": ["orgName1/repoName1", "orgName2/repoName2"]) - Only the repositories specified in this list that inherit configuration from this repo-config.json file can override its settings locally in their .whitesource file.
Notes: This parameter has the same functionality as the one in repo-config.json. It was created to address behavior when there is a repo that is not included in the list of reports that can override the configuration locally, and it contains a .whitesource config with a wrong format. In this case, there will be a failed Configuration Change Check and further scans will be prevented. With this new implementation, such a case will not happen - the .whitesource file will always be ignored, and Configuration Change Check will not block the scans. If both this and the same parameter in repo-config.json are set up - only global-config.json parameter one will be used.
|
Parameter | Type | Description |
|---|
exactNames | Array | Optional. Default Value: N/A. Provide a list of specific repositories to ignore from the integration. For example:
CODE
"ignoredRepos": {
"exactNames": ["myorg/myrepo", "myorg/testrepo"]
}
|
Parameter | Type | Description |
|---|
exactNames | Array | Optional. Default Value: N/A. Define a whitelist of GitHub repository owners that can integrate with the Mend integration. For example:
CODE
"includedOwners": {
"exactNames": ["MyUserName1", "MyUserName2"]
}
|
exactNamesFile | Boolean | Optional. Default Value: false. The available parameter values are: The format of the included-owners.txt file should be a list of strings delimited by a new line. For example:
CODE
UserName1
UserName2
UserName3
Note: If exactNamesFile is set to true, but the included-owners.txt does not exist or is empty, the exactNamesFile value will be changed to false. If exactNamesFile is set to true, the included-owners.txt file contains values, and the exactNames parameter also includes values, values from both parameters will be used.
|
