Overview of the Unified Agent
The Unified Agent is a Java command-line tool that scans the open source components in a directory tree for known-vulnerable libraries and source files, checks them for license compliance, and uploads the results to the Mend web application. The Unified Agent scans 200+ languages (source and binary files), and integrates with repositories, multiple package managers, build tools, containerized environments, and CI/CD tools.
The process begins with setting up the Unified Agent to scan. There are several methods, listed here in order of precedence: command-line parameters, environment variables, the configuration file, or the configuration file's default values. See here for more information regarding these methods.
The Unified Agent scan works as follows: directories are scanned using GLOB patterns to identify the open source components, whereupon the Unified Agent checks each new component against product/project-level policies and organizational policies (note that no source code is scanned; only descriptive information about the components is sent to Mend). Policies are created to alert organizations to act based on predetermined actions and criteria, such as rejecting or accepting a component based on its license type. If any components were rejected by a policy, the Unified Agent returns a policy-violation exit code, which can be used to fail a build.
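The two preceding paragraphs describe the setting-precedence order and the exit-code contract. The following Python script is an added example, not the Unified Agent's own code, of how a CI wrapper can apply that precedence when assembling the agent's settings and then gate the build on the result. It assumes a Java-style `key=value` configuration file, environment overrides named `WS_` plus the upper-cased setting name (for example `WS_PROJECTNAME`), `-key value` command-line pairs, the jar name `wss-unified-agent.jar`, and a placeholder policy-violation exit code `POLICY_VIOLATION_EXIT`; confirm all of these against the documentation for the agent version you run.

```python
"""Added example: resolve Unified Agent settings by precedence and gate a CI build.

Assumptions (not taken from the page): settings live in a Java-style
key=value properties file, environment overrides use the upper-cased key
with a WS_ prefix, command-line settings are "-key value" pairs, and the
policy-violation exit code is the placeholder POLICY_VIOLATION_EXIT below.
"""
import os
import subprocess
import sys

# Placeholder: replace with the exit code documented for your agent version.
POLICY_VIOLATION_EXIT = -2

# Constructed defaults, standing in for the config file's built-in values.
DEFAULTS = {
    "projectName": "unnamed-project",
    "checkPolicies": "false",
    "forceCheckAllDependencies": "false",
}


def parse_properties(text):
    """Parse key=value lines; '#' or '!' starts a comment, blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_cli(argv):
    """Turn ["-projectName", "x", "-d", "."] into {"projectName": "x", "d": "."}."""
    settings = {}
    tokens = list(argv)
    while tokens:
        flag = tokens.pop(0)
        if flag.startswith("-") and tokens and not tokens[0].startswith("-"):
            settings[flag.lstrip("-")] = tokens.pop(0)
    return settings


def env_key(name):
    """Assumed naming convention for environment overrides: WS_ + upper-cased key."""
    return "WS_" + name.upper()


def resolve_settings(cli_argv, environ, config_text, defaults=DEFAULTS):
    """Highest precedence wins: command line > environment > config file > defaults."""
    resolved = dict(defaults)
    resolved.update(parse_properties(config_text))
    cli = parse_cli(cli_argv)
    # Environment variables override the file and the defaults for every known key.
    for key in set(resolved) | set(cli):
        if env_key(key) in environ:
            resolved[key] = environ[env_key(key)]
    # Command-line parameters override everything else.
    resolved.update(cli)
    return resolved


def classify_exit(code):
    """Map the agent's exit status to a build outcome.

    Java's negative exit codes are reported by the shell as an unsigned byte
    (e.g. -2 becomes 254), so compare the low 8 bits rather than the raw value.
    """
    if code == 0:
        return "pass"
    if (code & 0xFF) == (POLICY_VIOLATION_EXIT & 0xFF):
        return "policy-violation"
    return "error"


def run_agent(jar, resolved, scan_dir):
    """Invoke the agent with the resolved settings passed as -key value pairs."""
    cmd = ["java", "-jar", jar, "-d", scan_dir]
    for key, value in sorted(resolved.items()):
        cmd += ["-" + key, value]
    return subprocess.call(cmd)


if __name__ == "__main__":
    # Constructed config text; a real run would read the agent's config file.
    config_text = "# constructed example config\nprojectName=from-file\ncheckPolicies=true\n"
    settings = resolve_settings(sys.argv[1:], os.environ, config_text)
    outcome = classify_exit(run_agent("wss-unified-agent.jar", settings, "."))
    print("build outcome:", outcome)
    sys.exit(0 if outcome == "pass" else 1)
```

The wrapper treats a policy violation as a distinct outcome from an agent error so the build log shows which of the two stopped the pipeline; both still fail the build, which is what a policy gate should do.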
At the end of the Unified Agent's scan, it aggregates the information and uploads it to the Mend web application, where it is presented in an Organization/Product/Project hierarchy, enabling you to view and analyze the scan results.
Mend administrators can configure several integrations of the Unified Agent with third-party components.
To use the Unified Agent, refer to the following sections:
To get started with the Unified Agent, refer here.
For configuration parameters, refer here.
For best practices when running the Unified Agent, refer here.
For advanced topics (supported file extensions, exit codes, etc.), refer here.
For configuration parameters regarding native integrations (Azure DevOps and Repo integrations), refer here.