Skip to main content
Skip table of contents

Configure the Mend CLI for SCA

Overview

Configuring the Mend CLI for an SCA scan can be done via command line parameters.

Tip: For inline assistance, use the mend dep||dependencies -h or mend dep||dependencies --help commands.

Getting it done

Configure the Mend CLI SCA scan via command line parameters

You can configure the Mend CLI SCA scan at runtime by adding flags to the mend dep or( || ) the mend dependencies command. The usage of the mend dep|dependencies command is as follows:

CODE
mend dep||dependencies [flags]

Note: Backwards compatibility is supported for the previously used mend sca command. However, we recommend switching to the updated command at your earliest availability.

Reference

Mend CLI SCA parameters

The Mend CLI SCA parameters provided below are organized alphabetically within each of their relevant contexts.

Mend CLI SCA - General scan parameters

Parameter

Description

Mend CLI Default Behavior

Command Line: -d, --dir

Optional. Specify the target directory for the Mend CLI SCA scan.

Current directory (“.") will be scanned.

Command Line: -e, --extended

Optional. Perform a file system scan for source files, in addition to the package manager-based dependencies resolution.

Note: The Mend CLI SCA file system scan does not support the scanning of binaries (i.e. JAR, ZIP, DLL).

Only the package manager dependency resolution is enabled.

Command Line: --no-default-exclusions

Environment Variable:
MEND_DEP_NO_DEFAULT_EXCLUSIONS

Optional. Disable the Mend pre-defined folder exclusions, allowing these folders to be included in the Mend CLI SCA scan.

Mend pre-defined folder exclusions:
.git, test, tests, example, examples, doc, docs, packages, site-packages

Environment Variable: MEND_SCA_PATH_EXCLUSIONS

Optional. Define directories to be excluded from the Mend CLI scan via a comma-separated list using glob format. These directories will append the default exclusions (unless --no-default-exclusions is in use).

Note: Using this variable will append the default exclusions. The default exclusions remain in effect unless --no-default-exclusions is used.

No additional folders are excluded except for the default exclusions.

Command Line: --strict

Optional. Fail the Mend CLI SCA command if any resolution step fails.

Scan will complete regardless of the resolution steps' success.

Command Line: --reachability
Environment Variable: MEND_SCA_REACHABILITY

(Beta) Optional. Compute reachability for each CVE. Reachability will be computed for supported programming languages only. The scan may take longer.

No reachability scan will be performed. Minimal CLI version: 24.3.1

Mend CLI SCA - Log parameters

Tip: The Mend CLI SCA scan logs can be found locally in the .mend/logs/sca directory.

Parameter

Description

Mend CLI Default Behavior

Environment Variable: MEND_LOG_LEVEL

Optional. Define the verbosity of the Mend CLI SCA scan log files. The available values are:

  • INFO - Includes basic scan behavior.

  • DEBUG - Includes verbose information that is needed for diagnosing issues.

  • WARNING - Includes unexpected behaviors that happened during the CLI scan, but it was still able to complete successfully.

  • ERROR - Includes information on CLI functionalities that are not working and are preventing it from working properly.

Note:

  • SCA Log files are only generated when a scan error occurs for the CLI SCA solution.

  • The MEND_LOG_LEVEL variable only impacts the generated log file and does not affect the terminal output of the CLI.

  • For troubleshooting, we recommend setting the MEND_LOG_LEVEL to DEBUG as it provides the most log verbosity.

The Mend CLI log files are set to the INFO log-level value.

Mend CLI SCA - Policy parameters

Parameter

Description

Mend CLI Default Behavior

Command Line: --fail-policy

Optional. Enable the Mend CLI policy check to fail the scan if an open-source component is found that violates a policy defined within your Mend organization, returning an Exit Code 9.

The policy check is enabled and findings are provided, however, the Mend CLI scan does not fail even if a violation occurs.

Mend CLI SCA - Terminal view parameters

Parameter

Description

Mend CLI Default Behavior

Command Line: --format

Optional. Set the scan result format within the terminal. The supported formats are:

  • text - Output Mend CLI results within the terminal using formatted tables and lists.

  • json - Output Mend CLI results within the terminal using JSON syntax.

Mend CLI outputs scan results within the terminal in text format.

Command Line: -h, --help

Optional. Display the available parameters for the mend dep|dependencies command.

Use this parameter on-demand to display the available parameters for the mend sca command.

Command Line: --non-interactive

Optional. Mend CLI will run in non-interactive mode, suppressing use of colors, progress bar and any other graphic features in STDOUT.

Mend CLI output to STDOUT includes use of colors and progress bars, which are irrelevant in non-interactive session and may cause issues in some environments.

Mend CLI SCA - Upload parameters

Parameter

Description

Mend CLI Default Behavior

Command Line: -s, --scope

Optional. Set the scan scope for your project by specifying the hierarchy for the Mend Core. The --scope of the scan is only applicable when also including the --update parameter.

The supported formats are:

  • Full hierarchy: -s "ORG//PROD//PROJ"

  • Partial hierarchy: -s "PROD//PROJ"

  • Single hierarchy: -s "PROJ"

Examples of --scope configuration:

  • Product-Project scope with single quotes:

    CODE
    mend dep -s 'MyProd//MyProj' -u
  • Org-Product-Project scope with double quotes:

    CODE
    mend dep -s "My Org//My Prod//My Proj" -u

The wild card character “*” can be used for any of the hierarchy levels. The default Mend CLI behavior will be used for any “*”.

  • Product-Project scope using “*”:

CODE
mend dep -s '*//MyProj' -u

“CLI” will be the product used or created in place of the “*”.

  • Org-Product-Project scope using “*”:

CODE
mend dep -s "*//My Prod//*" -u

The organization currently logged into from the mend auth login command setup will be used for the first “*” and for the second “*”, the project will be created and named after either:

  • The folder specified in the --dir command.

  • If --dir is not specified, the name will be the directory where the Mend CLI ran from.

For Mend CLI scans that do not update the Mend Core, the --scope parameter is still used to direct the Mend CLI on the scope to use for the policy check.

Note:

  • Make sure to set the --scope value within either single or double quotes ('My Project' or “My Project").

  • You are able to set the Org scope to any Mend organization that the current user signed in as (via mend auth login) has access to.

  • If you set a product or project name in --scope that does not exist in the organization prior to the run, it will be created in the Mend Core after the Mend CLI completes the scan if you have the necessary permissions/role.

Within the Mend Core, scans are tiered under an organization → product → project hierarchy.

If --scope is not set, the scan results will be sent and categorized within the Mend Core as follows:

  • The organization currently logged into from the mend auth login command setup.

Tip: Use the Mend CLI mend auth info command to see what organization you are connected to.

  • A product will be created and named “CLI".

  • A project will be created and named after either:

    • The folder specified in the --dir command.

    • If --dir is not specified, the name will be the directory where the Mend CLI ran from.

Command Line: -u, --update

Optional. Update the inventory of the project within the Mend Core.

Scan results are not sent to the Mend SCA Core application.

Command Line: --label-proj <label>

Optional. Add a Mend Platform project label to the scanned project. Set of comma-separated labels is also supported.

Note:

  • This is applicable for the Mend Platform users only.

  • Label will be assigned only when --update flag is used.

No label applied

Command Line: --label-app <label>

Optional. Add a Mend Platform application label to the scanned application. Set of comma-separated labels is also supported.

Note:

  • This is applicable for the Mend Platform users only.

  • Label will be assigned only when --update flag is used.

No label applied

Command Line: --local

Optional. The scan output will be saved to a local file and won't update your project in the application. The local file will be saved in the same directory as your Mend CLI with a default name. You may select a different location or filename by specifying it using --export-results.

 

The scan output will not be saved locally.

 

Mend CLI SCA - Supported Languages

Mend CLI SCA dependency resolution

Language

Package Manager

Details

C#

NuGet

Prerequisites:

  • Build your C# project prior to the Mend CLI scan using either the nuget install or dotnet build commands.

Supported dependency file(s): One of the following sets:

  • .csproj and project.assets.json

  • .csproj and packages.config and packages.lock.json

  • packages.config and packages.lock.json

Notes:

  • By default, the Mend CLI filters out System Packages for NuGet projects. As a result, these packages will not appear in the scan results. 

  • Consider using the Mend Unified Agent, which provides an option to include System Packages in the scan for NuGet projects. For more information please refer to our Getting Started with the Unified Agent article. 

Go

Go Modules

Prerequisites:

  • Go Modules must be installed locally where the Mend CLI will run.

Supported dependency file(s): go.mod

Java

Gradle

Prerequisites:

  • Build your Java project prior to the Mend CLI scan using the gradle buildcommand.

  • Gradle can either be installed locally or called using wrapper (gradlew) on the machine where the Mend CLI will run.

Supported dependency file(s): build.gradle

Specifications:

  • Gradle Wrapper is supported by the Mend CLI.

Java

Maven

Prerequisites:

  • Build your Java project prior to the Mend CLI scan using the mvn clean install command.

  • Maven can either be installed locally or called using a wrapper (mvnw) on the machine where the Mend CLI will run.

Supported dependency file(s): pom.xml

Specifications:

  • Maven Wrapper is supported by the Mend CLI.

  • The test and provided dependency scopes are excluded by the Mend CLI scan.

JavaScript

NPM

Prerequisites:

  • Build your JavaScript project prior to the Mend CLI scan using the npm install command to generate the corresponding lock file and/or create the node_modules folder.

Supported dependency file(s): One of the following sets:

  • package.json and package-lock.json

  • package.json and node_modules folder

  • package.json and npm-shrinkwrap.json

Specifications:

  • The Mend CLI supports both lockfileVersion 2 and 3 formats for the package-lock.json file.

  • The dev dependency scope is excluded by the Mend CLI scan.

  • Peer dependencies (peerDependencies) are included in the Mend CLI scan.

  • An npm-shrinkwrap.json will always be parsed. If a package-lock.json file exists alongside it, only npm-shrinkwrap.json will be parsed.

JavaScript

Yarn

Prerequisites:

  • Build your JavaScript project prior to the Mend CLI scan using the yarn install command to generate the corresponding lock file.

Supported dependency file(s): package.json and yarn.lock

PHP

Composer

Prerequisites:

  • Build your PHP project prior to the Mend CLI scan using the composer install command to generate the corresponding lock file(s).

Supported dependency file(s): composer.json and composer.lock

Python

pip

Prerequisites:

  • Build your Python project prior to the Mend CLI scan using the pip install command.

  • pip must be installed locally where the Mend CLI will run.

  • If your pip project uses a virtual environment, run the Mend CLI within the activated environment.

Supported dependency file(s): requirements.txt

Ruby

Bundler

Prerequisites:

  • Build your Ruby project prior to the Mend CLI scan using the bundle install command to generate the corresponding lock file.

  • Bundler must be installed locally where the Mend CLI will run.

Supported dependency file(s): Gemfile and Gemfile.lock

Scala

SBT

Prerequisites:

  • Build your Scala project prior to the Mend CLI scan using the sbt compile command.

Supported dependency file(s): sbt files

Specifications:

  • SBT 1.X is supported

  • Only runtime and compile dependencies are supported

  • target and project folders in the same location as .sbt files are excluded from the scan

NOTE: SBT has various known and well documented GitHub issues. Some of these issues might also affect the success and/or accuracy of the Mend SCA scan.

Swift

SPM

Prerequisites:

  • Build your Swift project prior to the Mend CLI scan using the swift package resolve command to generate the corresponding lock file.

Supported dependency file(s): Package.swift

Specifications:

  • The Mend CLI supports both Package.resolved 1 and 2 formats.

Mend CLI SCA file system scan

Note: The Mend CLI SCA file system scan does not support the scanning of binaries (i.e. JAR, ZIP, DLL).

The Mend CLI scan supports the following languages and their source files for the SCA file system scan: Supported File Formats - Source.

Mend CLI SCA exit codes

Note: For a comprehensive overview of Mend CLI SCA exit codes, please refer to our Mend CLI Exit Codes article.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.