CircleCI Mend-Scan Orb

Overview
CircleCI is a continuous integration and delivery platform that lets software teams build, test and deploy applications on multiple platforms more easily and quickly.
Orbs are reusable packages of CircleCI configuration that can be shared across projects. An orb bundles jobs, commands, and executors into a single versioned unit.
The Mend-Scan Orb is a simple tool that extracts descriptive information from the open source libraries located on your file system and integrates them with Mend.
By using Mend-Scan Orb, you can automatically detect all open source components in your code, while running your build. You can configure real time alerts on security risks, policy pitfalls, and software bugs. The orb integrates fully into your build process, regardless of your programming languages or development environments. It works automatically, continuously, and silently in the background, checking the security, licensing, and quality of your open source components against Mend’s constantly-updated definitive database of open source repositories.
Prerequisites
A registered Mend account.
The CircleCI CLI is installed (used to validate and pack the pipeline configuration).
The package manager of the project being scanned must be installed on the build image. For details, see Getting Started with the Unified Agent.
Deploying CircleCI Mend-Scan Orb
To keep your API token out of the committed configuration, store it in a CircleCI 'context'. Contexts provide a mechanism for securing and sharing environment variables across projects. The environment variables are defined as name/value pairs and are injected into the job at runtime; restrict the context to a security group so that only approved users and jobs can read the token. Note that CircleCI does not pass context secrets to builds of forked pull requests unless you explicitly enable that.
From the CircleCI interface, open Organization Settings > Contexts and click Create Context:
Add a new environment variable to the context holding the Mend API token (you can find the API token on the Integrate tab of the Mend UI). Do not place the token in the Unified Agent configuration file or in config.yml.
Create a Unified Agent configuration file with the required parameters for the scan, and set the configuration file name (including the file path) as the value of the config_file_path parameter.
Set the directory parameter to a comma-separated list of directories and/or files to scan.
Commit and push to trigger the pipeline and view the scan results.
To view the status, go to the CircleCI UI and click Jobs. Click the relevant job and verify that a success message is displayed.
You can also open the job logs; the URL of the scan result in the Mend UI is printed in the logs.
The compliance and security data for the scanned project is then available on the Mend Dashboard.
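The procedure above, assembled into a pipeline definition as an added example (this is not the orb's own documentation and not code from the page). The orb registry name and version, the job name mend/scan, and the context and variable names mend and MEND_API_KEY are assumptions; the parameter names api_key, directory, config_file_path and commands_file_path are the ones this page lists. The example assumes the orb expands the api_key string inside its own shell steps, so the token reaches the scan only via the context and never appears in the repository.

```yaml
# .circleci/config.yml (added example; see lead-in for which names are assumed)
version: 2.1

orbs:
  # Assumed registry name. Pin an explicit version so a new orb release
  # cannot silently change what runs with access to the API token.
  mend: mend/mend-scan@1.0.0

workflows:
  build-and-scan:
    jobs:
      - mend/scan:                       # assumed job name
          # The restricted context "mend" injects MEND_API_KEY at runtime;
          # the token is never written into this committed file.
          context: mend
          api_key: ${MEND_API_KEY}       # assumes the orb expands this in a shell step
          # Unified Agent settings (non-secret) kept in the repository:
          config_file_path: .circleci/wss-unified-agent.config
          # Comma-separated directories and/or files to scan:
          directory: src,package.json
          # Optional script that installs dependencies before the scan:
          commands_file_path: .circleci/mend-install.sh
          filters:
            branches:
              only: main                 # scan only trusted branches
```

The referenced wss-unified-agent.config holds only non-secret settings such as projectName, productName, checkPolicies=true and failErrorLevel=ALL (so that policy violations fail the job); leave apiKey out of it so the token exists only in the context. Run `circleci config validate` locally before pushing to catch YAML and parameter errors without spending a pipeline run.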
Related Unified Agent Parameters
The following orb parameters are relevant for this type of scan and are passed through to the Unified Agent:
Parameter | Description | Required | Default Value | Type |
---|---|---|---|---|
api_key | Unique identifier of the organization. Can be retrieved from the admin page in your Mend account. | Yes | No default value | String |
directory | Comma-separated list of directories and/or files to scan. | No | . | String |
config_file_path | Configuration file name (including file path). | No | No default value | String |
commands_file_path | Install commands file (including file path). | No | No default value | String |
Additional examples for CI/CD pipelines can be found at https://github.com/mend-toolkit/mend-examples/tree/main/CI-CD.