.svg){kind=logo}
Overview
The article outlines the transition steps and includes an appendix listing what is supported in the Mend Developer Platform compared to the classic Mend repository integrations (Bitbucket Cloud, Azure DevOps Repos, and GitHub Cloud).
Note: This is a replacement, not a migration: You’ll uninstall the classic app, install the new one, and re-enter settings. No issues, PR comments, build statuses or configuration files are copied as part of the transition.
Status Differences
-
The Mend Developer Platform is a newer app with a convenient UI.
-
The Mend Developer Platform will receive all of the new features, while the classic one will be maintained for a while and will not prioritize new features.
Transition Steps
-
Uninstall the existing repository integration; running both apps side-by-side causes duplicate findings and inconsistent build results.
-
Close all open PRs and Issues created by Mend.io.
-
Choose one of the following options:
-
Delete the existing repo Projects from the existing organization in the Mend App UI.
OR: -
Create a new Organization for the Developer Platform deployment.
-
-
Install Mend Dev Platform.
-
Select
Scan only mode. -
Adjust the new configurations to your previous repository integration settings using the Transitioning Configuration section below.
Note:
-
Project/repo admins can configure everything themselves in the controlled repos without the help of the workspace admin (if the override parameter doesn’t block this).
-
There is no need for a global config repo and config files in the repos.
Transitioning Configuration Options to Mend Developer Platform
This section outlines the changes between the classic Mend repository integrations and the new Mend Developer Platform. From global configurations to repository-specific settings and security management, we clarify the adjustments and enhancements made in our new platform.
Note: Some of the parameters listed below are exclusive to a specific repo integration and not applicable to all Mend repository integrations.
Global Configuration (global-config.json)
|
Old Parameter |
Details |
|---|---|
|
repoConfigMode |
Obsolete. Mend no longer creates configuration files. Exception: Renovate may have its configuration file if configured. |
|
repoConfigFileName |
Obsolete. Mend does not create configuration files. |
|
settingsInheritedFrom |
Settings applied on the Workspace settings page are automatically applied to all repositories. |
|
ignoreSpecificVulnerabilities |
Not supported in the new Mend Developer Platform. |
|
ignoredRepos.exactNames |
Controlled via the Installation Setup Wizard and Repository settings page. |
|
includedRepos.exactNames |
Controlled via the Installation Setup Wizard and Repository settings page. |
.whitesource File and Repo Configuration (repo-config.json)
Scan Settings (scanSettings)
|
Old Parameter |
Details |
|---|---|
|
configMode |
Use the "UA custom configuration" parameter in the “Dependencies” settings. |
|
configExternalURL |
Not supported in the new Mend Developer Platform. |
|
baseBranches |
Use the "Base branches" parameter in the General settings on the Workspace level. |
|
enableLicenseViolations |
Use the "Checks" parameter in the “Dependencies Licensing” settings. |
|
javaVersion |
Not supported in the new Mend Developer Platform. |
|
repoNameSync |
Not supported in the new Mend Developer Platform. |
|
skipScanningStage |
Currently not supported in the new Mend Developer Platform, but it is planned to be. |
|
exploitability |
Obsolete. If there is available exploitability data, it will be automatically applied to the findings. |
Build Settings (buildSettings)
|
Old Parameter |
Details |
|---|---|
|
displayMode |
Not supported in the new Mend Developer Platform. |
|
createBuildStatus |
Use the "Checks" parameter in the “Dependencies” settings. |
|
failBuilds |
Use the “Checks - Conclusion status” parameter of the “Dependencies” settings section. |
|
failLicenseBuilds |
Use the “Checks - Conclusion status” parameter of the “Dependencies Licensing” settings section. |
|
showWsInfo |
Not supported in the new Mend Developer Platform. |
Issue Settings (issueSettings)
|
Old Parameter |
Details |
|---|---|
|
minSeverityLevel |
Not supported in the new Mend Developer Platform. |
|
minVulnerabilityScore |
Use the “Issues - Vulnerability range” parameter of the “Dependencies” settings section. |
|
maxVulnerabilityScore |
Use the “Issues - Vulnerability range” parameter of the “Dependencies” settings section. |
|
displayLicenseViolations |
Use the “Issues” parameter of the “Dependencies” settings section. |
|
issueType |
Use the “Issues - Grouping rule” parameter of the “Dependencies” settings section. |
|
customLabels |
Use the “Issues - Labels” paramter of the “Dependencies” settings section. |
Remediate Settings (remediateSettings)
|
Old Parameter |
Details |
|---|---|
|
enableRenovate |
Use the “Enable” parameter of the “Dependencies → Renovate” settings section. |
|
workflowRules |
Use the “Remediation” parameter of the “Dependencies” settings section. |
Host Rules (hostRules)
The host rules are managed via “Credentials” in the settings section.
Supported features - Classic Repo Integrations vs. Developer Platform
This section provides a detailed comparison between the Classic repo Integration and the Developer Platform, showing which features are supported in each and a breakdown by SCM.
All SCMs
|
Feature |
Description and documentation |
Classic Repo Integration |
Developer Platform |
|---|---|---|---|
|
Many to one mapping |
Map many organizations/workspaces to a single Mend organization |
No |
Yes |
|
Programmatic secret setting |
In "classic" repo integrations, users can automate committing to a git repo containing secrets |
Yes |
Github only (Will be supported for Azure and Bitbucket in 2026) |
|
Specify javaVersion |
|
Yes |
No |
|
Choose whether to scan submodules or not |
|
Yes |
No |
|
Exploitability |
|
Yes |
Yes |
|
"displayMode" - diff/baseline |
|
Yes |
No |
|
"showWsInfo" - showing project token and more info in the commit status |
|
Yes |
No |
|
useMendStatusNames - controls whether the checks will be named "mend" or "whitesource" |
|
Yes |
No, all checks will be named “mend”. |
|
skipScanningStage |
|
Yes |
No |
|
customLabels |
Define labels to be added to Azure DevOps Repos issues created after the scan. |
Yes |
Yes |
|
Configure whether vulnerabilities are 0-10 or grouped by min, med high critical |
minVulnerabilityScore
|
Yes |
No, Developer Platform uses the 0-10 method. |
|
strcitModeCustomMessage |
|
Yes |
No |
|
Dynamic tool installation |
|
|
No |
|
repoNameSync |
|
Yes |
No |
|
Code Source for GH com |
|
Yes |
No |
|
custom product mapping |
|
Yes |
No |
|
Inherit previous commit status |
|
N/A |
No |
|
Allow list (IPs) |
|
Yes |
|
|
Work with Workflow Licensing violations (Platform) |
|
No |
Yes |
|
Display source file path in license scan results |
When license violations are found in source files, the path to the file is shown in the markdown (license checks) |
Yes |
No |
|
git lfs support to Scanner and Remedaite |
|
|
|
|
Monorepo partitioning (beta) |
Azure DevOps Repos: Mend Developer Platform for Azure DevOps Repos Bitbucket Cloud: Mend Developer Platform for Bitbucket Cloud GitHub.com: |
No |
Yes |
Azure DevOps
|
Feature |
Description and documentation |
Classic Repo Integration |
Developer Platform |
|---|---|---|---|
|
SAST scanning |
|
No |
Yes |
|
Reachability |
|
No |
Yes |
|
rerun scan via UI |
|
No |
Yes |
|
IaC |
Infrastructure as code |
Yes |
No |
|
Org level settings |
|
Yes |
Yes |
|
per org installation |
|
Yes |
No |
|
support project tokens |
|
Yes |
Yes (project mapping in repo settings) |
|
API for controlling secrets |
|
|
No |
|
specify javaVersion |
Yes |
No |
|
|
Choose whether to scan submodules or not |
scanSettings.cloneSubmodules |
Yes |
No |
|
exploitability |
Yes |
Yes |
|
|
"displayMode" - diff/baseline |
Yes |
No |
|
|
"showWsInfo" - showing project token and more info in the commit status |
Yes |
No |
|
|
useMendStatusNames - controls whether the checks will be named "mend" or "whitesource" |
Yes |
No, all checks will be named “mend”. |
|
|
skipScanningStage |
|
Yes |
No |
|
customLabels |
Define labels to be added to Azure DevOps Repos issues created after the scan. |
Yes |
Yes |
|
Configure whether vulnerabilities are 0-10 or grouped by min med high critical |
minVulnerabilityScore
|
Yes |
No, the Developer Platform uses the 0-10 method. |
|
repoNameSync |
Yes |
No |
|
|
custom work items + fields |
|
Yes |
Yes |
|
Work with policy Licensing violations (Core) |
|
Yes |
Yes |
|
"strictMode" and "strictModeInfo" |
Fail security check on partial scan results |
Yes |
Yes |
|
scan all feature branches |
|
Yes |
Yes |
|
configure opening work item per dependency or per vulnerability |
|
Yes |
Yes |
|
specify list of base branches |
|
Yes |
Yes |
|
custom/external UA config |
Yes |
Yes |
|
|
Inherit previous commit status |
|
No |
No |
|
releaseBranches |
|
Yes |
Yes |
|
Dynamic tool installation |
|
|
No |
|
Work with Workflow Licensing violations (Platform) |
|
No |
Yes |
|
Don't update work item state during sync |
|
|
|
|
Display source file path in license scan results |
When license violations are found in source files, the path to the file is shown in the markdown (license checks) |
Yes |
No |
|
Monorepo partitioning (beta) |
Azure DevOps Repos: Mend Developer Platform for Azure DevOps Repos Bitbucket Cloud: Mend Developer Platform for Bitbucket Cloud GitHub.com: |
No |
Yes |
Bitbucket Cloud
|
Feature |
Description and documentation |
Classic Repo Integration |
Developer Platform |
|---|---|---|---|
|
SAST scanning |
|
No |
Yes |
|
Reachability |
|
No |
Yes |
|
rerun scan via UI |
|
No |
Yes |
|
releaseBranches |
|
No |
Yes |
|
createBuildStatus |
Configure whether Mend will run the security check or not |
Yes |
Yes |
|
failLicenseBuilds |
Configure the conclusion status for Mend License checks |
Yes |
Yes |
|
disaplyLicenseViolations |
Configure whether to generate an issue for every detected license policy violation |
Yes |
Yes |
|
hostRules |
Yes |
Yes |
|
|
API for controlling secrets |
|
|
No |
|
specify javaVersion |
Yes |
No |
|
|
exploitability |
Yes |
Yes |
|
|
"showWsInfo" - showing project token and more info in the commit status |
Yes |
No |
|
|
skipScanningStage |
|
Yes |
No |
|
Configure whether vulnerabilities are 0-10 or grouped by min med high critical |
minVulnerabilityScore
|
Yes |
No, the Developer Platform uses the 0-10 method. |
|
repoNameSync |
Yes |
No |
|
|
Work with policy Licensing violations (Core) |
|
Yes |
Yes |
|
"strictMode" and "strictModeInfo" |
Fail security check on partial scan results |
Yes |
Yes |
|
scan all feature branches |
|
Yes |
Yes |
|
configure opening work item per dependency or per vulnerability |
|
Yes |
Yes |
|
specify list of base branches |
|
Yes |
Yes |
|
custom/external UA config |
Yes |
Yes |
|
|
Inherit previous commit status |
|
No |
No |
|
Work with Workflow Licensing violations (Platform) |
|
No |
Yes |
|
Dynamic tool installation |
|
|
No |
|
Display source file path in license scan results |
When license violations are found in source files, the path to the file is shown in the markdown (license checks) |
Yes |
No |
|
Monorepo partitioning (beta) |
Azure DevOps Repos: Mend Developer Platform for Azure DevOps Repos Bitbucket Cloud: Mend Developer Platform for Bitbucket Cloud GitHub.com: |
No |
Yes |
GitHub Cloud
|
Feature |
Description and documentation |
Classic Repo Integration |
Developer Platform |
|---|---|---|---|
|
SAST scanning |
|
Yes |
Yes |
|
Reachability |
|
Yes |
Yes |
|
rerun scan via UI |
|
Yes |
Yes |
|
releaseBranches |
|
Yes |
Yes |
|
releaseBranchSettings |
Enable different settings only for release branches |
Yes |
No |
|
createBuildStatus |
Configure whether Mend will run the security check or not |
Yes |
Yes |
|
failLicenseBuilds |
Configure the conclusion status for Mend License checks |
Yes |
Yes |
|
disaplyLicenseViolations |
Configure whether to generate an issue for every detected license policy violation |
Yes |
Yes |
|
hostRules |
Yes |
Yes |
|
|
API for controlling secrets |
|
Yes |
Yes |
|
specify javaVersion |
Yes |
No |
|
|
exploitability |
Yes |
Yes |
|
|
"showWsInfo" - showing project token and more info in the commit status |
Yes |
No |
|
|
skipScanningStage |
|
Yes |
No |
|
Configure whether vulnerabilities are 0-10 or grouped by min med high critical |
minVulnerabilityScore
|
Yes |
No, the Developer Platform uses the 0-10 method. |
|
repoNameSync |
Yes |
No |
|
|
Work with policy Licensing violations (Core) |
|
Yes |
Yes |
|
"strictMode" and "strictModeInfo" |
Fail security check on partial scan results |
Yes |
Yes |
|
scan all feature branches |
|
Yes |
Yes |
|
configure opening Issue per dependency or per vulnerability |
|
Yes |
Yes |
|
specify list of base branches |
|
Yes |
Yes |
|
custom/external UA config |
Yes |
Yes |
|
|
Inherit previous commit status |
|
No |
No |
|
Work with Workflow Licensing violations (Platform) |
|
No |
Yes |
|
Dynamic tool installation |
|
|
No |
|
Display source file path in license scan results |
When license violations are found in source files, the path to the file is shown in the markdown (license checks) |
Yes |
No |