
Trigger repository scans manually with Mend for Azure Repos global configuration

Overview

This feature enables users to trigger scans for specific repositories manually.

For each repository in the list, a scan is triggered on the latest commit of the specified branch, and the security check run is created.

Note: Manually triggering scans is currently supported for SCA scans only.

Getting It Done

The scan.json file

In order to trigger the manual SCA scan, a file called scan.json needs to be pushed to the whitesource-config repo. The scan.json file contains a list of repositories and their branches to scan, and can also be configured to save the scan logs to a defined ws-logs repository. More information on these features is included in the setup section below.

Note:

  • The repositories list is limited to ten. If there are more than ten repositories included in the scan.json file, no repositories will be scanned, and a check run will be created.

  • If a branch name is not specified, the default branch will be scanned.

Setup

  1. Within your Azure DevOps project, create a “whitesource-config” repository and a “ws-logs” repository.

  2. Ensure that your Azure DevOps PAT for the Mend integration has access to these two repositories within your Azure DevOps project.

  3. Sync your Azure project by going into your Mend UI → Integrations tab → Azure Repos → Sync Projects.

Legacy SCA Application

Sync your Azure project by going into your Mend UI → Integrate tab → Developer Integrations → Mend for Azure Repos → Sync Projects.

Note: This will kick off the integration to check if there are any new repos that need to be onboarded (this being the "whitesource-config" and "ws-logs" repos you created in step 1).

  4. Check your "whitesource-config" repo; there should be a global-config.json and a repo-config.json.

  5. Within your "whitesource-config" repo, create, commit, and merge the scan.json file with the following settings:

    {
      "repositories": [
        {
          "fullName": "Azure_Project_Name1/repoName1",
          "branchName": "main",
          "uploadScannerLogs": true
        }
      ]
    }

Note: The parameter uploadScannerLogs should be set to true within the scan.json in order to generate Mend for Azure Repos manual scan logs.

  6. Merging the commit that contains the scan.json triggers the manual scan on both the "master" and "dev" branches.
    In the commit, you will see the Status as PENDING. Once the manual scan is completed, you will see a commit message stating "The manual scan(s) process completed successfully", with a status of TRIGGERED.

    1. You will also see another commit stating that the scan.json has been deleted, as the manual scan process completed.

  7. Go to the "ws-logs" repo. There you will find:

    1. A commit with the following message: "Added log files for scan token X". You can download the ZIP folder from here. (This scan token is also helpful to us in Support for troubleshooting.)

    2. Two ZIP folders within the "Files" of the "ws-logs" repo.

  8. These ZIP folders contain the scan log for each branch (“dev” and “master”), titled "unified-agent-log.txt".

Note

  • The format of the scan ZIP file name is scanner_logs_{SCAN_TOKEN}.zip.

  • If the ws-logs repository does not exist, the manual scan will not run and the following check run will be created, explaining the reason:

Reference

scan.json Parameters (repositories)

| Parameter | Type | Description |
|---|---|---|
| fullName | String | Required. Provide a list of specific repositories to trigger the manual scan on. For example: "fullName": "Azure_Project_Name1/repoName1" |
| branchName | String | Optional. Default Value: Your Azure DevOps Repos "default" branch. Specify the branch(es) to be scanned. |
| scanType | String | Optional. By default, the scan.json file only triggers manual SCA scans. "scanType": "sca" |
| uploadScannerLogs | Boolean | Optional. Default Value: false. The available parameter values are: true - Save the logs from the triggered scan as a single zip folder in the dedicated ws-logs repository; false - No logs are saved for the triggered scan |
