Scan your open source components (SCA) with the Mend CLI
Overview
The Mend CLI Software Composition Analysis (SCA) engine performs an extensive analysis of the open-source components within your application to detect CVE vulnerabilities as well as MSC vulnerabilities for malicious packages.
Use cases for scanning your SCA components with the Mend CLI
Let’s look at the following real-life examples that industry personas commonly run into:
As an AppSec Manager, you are in charge of the decision-making for selecting a tool that can detect vulnerable packages in your teams' open-source components, provide fixed version options, and the ability to identify malicious packages before they can cause harm. You also want to define your organization’s policies that can be utilized to control your teams' builds. Finally, you want to monitor the security posture of your organization’s open-source components in the form of dashboards.
As a DevOps Engineer, you are tasked with implementing a security tool into your teams' CI/CD solutions that can provide insights on vulnerabilities and malicious packages in your teams' open-source components directly within the pipeline console.
Mend’s Answer: Utilizing the Mend CLI SCA scan, you can effortlessly assess your open-source components for security vulnerabilities, potential malicious packages, and libraries that violate your organization’s defined policies. The results are conveniently presented in a well-organized table format within the Mend CLI or via dashboards in the Mend Application.
Getting it done
Prerequisites before getting started with the Mend CLI SCA scan
The following prerequisites are required before running a Mend CLI SCA scan:
Provide the Mend CLI with access to read your application’s source code on a file system
Mend SCA will not upload your full source code to the cloud. It only stores as much information as necessary to help you understand the reachability of detected security vulnerabilities.
Configure your Mend CLI SCA scan
The Mend CLI SCA scan is configurable via command line parameters. To learn more, visit our Configure the Mend CLI for SCA article.
To learn more about the support languages for SCA, visit the relevant Supported Languages section.
Run your Mend CLI SCA scan
To trigger the Mend CLI SCA scan, execute one of the following commands:
mend dep||dependencies
Note: Backwards compatibility is supported for the previously used mend sca
command. However, we recommend switching to the updated command at your earliest availability.
The format of the mend dep||dependencies
command is as follows:
mend dep||dependencies [flags]
View the steps of your Mend CLI SCA scan
The Mend CLI has two default steps you will see it complete before it displays its findings from the SCA scan:
Step Name | Description |
---|---|
| The Mend CLI is scanning your directory for SCA vulnerabilities and malicious packages. |
| If any vulnerabilities are found, the Mend CLI reaches out to the Mend Application for the information on these vulnerabilities to prepare them for the scan summary. |
View your Mend CLI SCA scan results
Visit our View the results of your Mend CLI SCA scan article for more details on how to navigate the SCA findings provided by the Mend CLI.
Reference
Mend CLI SCA features
In this article, we cover the instructions on how to kick off a base Mend CLI SCA scan. We also offer examples of the Mend CLI SCA feature(s) below: