Mend SCA CLI Self-Contained Mode
Note: As of July 2024, the self-contained CLI can only be used for SCA and Containers. SAST is not currently supported.
Overview
The self-contained mode of the Mend CLI addresses two main business requirements:
- Compliance with some companies' security directives that prohibit downloading executables into the company's pipelines. These directives usually require executables to be downloaded, tested and approved before being incorporated into the pipeline, and the executables must remain unchanged for as long as they are part of the company's CI/CD.
- Some companies may opt not to upload some scan results to the Mend.io servers at the end of the scan, and instead keep the scan output on local storage so that it can be manipulated before eventually being uploaded to the Mend.io servers.
If your company fits this description, the Self-Contained Mode of the Mend CLI is the solution for you.
What's New?
The ability to run the SCA and/or Container CLI subcomponents in a self-contained mode means the CLI will use local executables to scan and won’t download them or any other executables during its run.
With this mode you are able to run the CLI without write permissions on the executables folder.
This mode enables you to run a scan and save the output to a file that can later be used as a base for a scan, with or without uploading it to the server.
Prerequisites
Please review the general Mend CLI Prerequisites before moving on to the “Getting it done” part.
Getting it done
Download the Self-Contained CLI
Self-Contained Mode (run without downloading executables)
Download the .tar file.
Extract the .tar file.
The .tar contains the Mend CLI executable, mend (mend.exe on Windows). This is the file the user interacts with.
The bin folder is where the CLI subcomponents (e.g. SCA) are kept.
At this stage, the user needs to define the following:
- mend / mend.exe needs to be accessible.
- The user will need to authenticate.
- The user needs to specify the environment URL; it will not be listed in a selection menu as is the case in the standard login.
- MEND_INSTALL_DIR: set it to the bin folder.
Example:
- Optional: MEND_BASE_DIR: the location at which the CLI will save the config and logs.
Example:
NOTE: This mode still requires authentication to Mend.io and cannot be used in an air-gapped environment. For air-gapped scenarios, where no authentication is a requirement, refer to the Local Scan Mode section below.
Local Scan Mode (run with no internet connectivity)
The local scan mode removes the need for authentication, as well as the need to get the scan configuration from the server.
The ‘--local’ flag
Running the CLI with the --local flag triggers a resolution and generates a local dependencies list file that can be used as a base for a future scan. Use this flag to run a scan without communicating with the Mend.io servers.
Example:
To save the file to a different location, use the existing flag --export-results:
The ‘--file’ flag
Running the CLI with the --file flag triggers a scan based on the pre-generated file, which will provide a list of vulnerabilities and update the project on the Mend servers.
To run a scan on a base file:
- Run the CLI with --update to update the Mend.io server.
- Run the CLI without --update to get the output in the terminal or export the results.
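As an added example (not Mend's own tooling) covering both the --local and --file flows above, the following POSIX shell wrapper pins the approved bin folder with a sha256 manifest and refuses to run either phase if an executable changed or was added, so the executables verifiably stay unchanged as the first business requirement demands. The `mend sca` subcommand name, the path arguments to `--file` and `--export-results`, and the manifest file are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not Mend's own tooling: a wrapper that pins the approved executables in the
# self-contained CLI's bin folder and refuses to scan if any of them changed or were added.
# Assumptions: GNU sha256sum is installed; the SCA subcommand is "mend sca"; "--file" and
# "--export-results" take a path argument; the manifest is stored OUTSIDE the bin folder.

# Record a sha256 manifest of every file in the approved bin folder. Run this once, after
# the executables have been downloaded, tested and approved.
pin_bin_dir() {
  bin_dir=$1; manifest=$2
  ( cd "$bin_dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) > "$manifest"
}

# Succeed only if every listed file is unchanged AND nothing has been added to bin_dir.
verify_bin_dir() {
  bin_dir=$1; manifest=$2
  ( cd "$bin_dir" && sha256sum --quiet -c "$manifest" ) >/dev/null 2>&1 || return 1
  expected=$(wc -l < "$manifest" | tr -d ' ')
  actual=$(cd "$bin_dir" && find . -type f | wc -l | tr -d ' ')
  [ "$expected" -eq "$actual" ]
}

# Point the CLI at the pinned bin folder (MEND_INSTALL_DIR) and at a writable location for
# its config and logs (MEND_BASE_DIR), the two variables the page describes.
configure_env() {
  MEND_INSTALL_DIR=$1; MEND_BASE_DIR=$2; APPROVED_MANIFEST=$3
  export MEND_INSTALL_DIR MEND_BASE_DIR
}

# Refuse to run the CLI at all if the bin folder drifted from what was approved.
require_pinned_bin() {
  verify_bin_dir "$MEND_INSTALL_DIR" "$APPROVED_MANIFEST" && return 0
  echo "bin folder no longer matches $APPROVED_MANIFEST; refusing to scan" >&2
  return 2
}

# Phase 1 (no connectivity, no authentication): resolve dependencies with --local and save
# the base file with --export-results. $1 = mend executable, $2 = output file path.
run_local_resolution() {
  require_pinned_bin || return $?
  "$1" sca --local --export-results "$2"
}

# Phase 2 (connected, authenticated): scan from the saved base file and push the result to
# the Mend.io server with --update. $1 = mend executable, $2 = base file path.
run_base_file_scan() {
  require_pinned_bin || return $?
  "$1" sca --file "$2" --update
}
```

Source this file, call pin_bin_dir once against the approved bin folder, then configure_env and the two run_ functions in the pipeline; the manifest itself should be kept under the same approval control as the executables.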
Notes
Reachability is currently not supported.
The Self-Contained mode doesn't support automatic updates.