Scanning in the Pipeline for SCA
Overview
In today’s fast-paced software development landscape, ensuring the security and compliance of your code is crucial. Incorporating Software Composition Analysis (SCA) into your CI/CD pipeline helps you identify and mitigate vulnerabilities in open-source components. At Mend, we offer two scanner agents designed to integrate into your development workflow: the Mend CLI and the Mend Unified Agent. This overview explains their capabilities and helps you choose the right tool for your needs.
Mend CLI
The Mend CLI is a unified tool that leverages all of Mend’s scanning capabilities in a single, efficient binary. It is designed for flexibility and ease of use, making it an excellent choice for CI/CD pipelines and developer desktops.
Key Features of Mend CLI
Dependency Scanning (SCA): Detects vulnerabilities (CVEs), license risks and supply chain vulnerabilities/malicious packages (MSCs) in open-source components.
Code Scanning (SAST): Analyzes custom code to identify weaknesses (CWEs).
Container Image Scanning: Inspects container images for operating system and application open-source component vulnerabilities (CVEs) and license risks.
Policy Alerts: Receive immediate policy alerts in the scan output using the --fail-policy option.
Project Labeling: Easily label applications and projects for better organization.
Vulnerability Information: Displays detailed vulnerability and policy violation information directly in the terminal.
Update Requests: Generate update requests using the --local option.
Centralized Version Control: Maintain consistent versions across your projects.
For a detailed list of supported package managers and programming languages, please refer to our Mend CLI documentation.
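As an added illustration (this is not a snippet from the Mend documentation or from Mend's own examples), the following GitHub Actions job shows the typical way the Mend CLI is wired into a pipeline: install the binary, authenticate through environment variables, run a dependency (SCA) scan, and let --fail-policy decide whether the job passes. The --fail-policy option is the one named above; the `mend dep` subcommand, the --update flag, the MEND_EMAIL / MEND_USER_KEY / MEND_URL variable names, and the download URL are assumptions to be checked against the Mend CLI documentation before use.

```yaml
# Added example, not part of the original page. Assumed identifiers are marked below.
name: sca-gate
on: [pull_request]

jobs:
  mend-sca:
    runs-on: ubuntu-latest
    env:
      # Assumed authentication variables; store the real values as repository secrets.
      MEND_EMAIL: ${{ secrets.MEND_EMAIL }}
      MEND_USER_KEY: ${{ secrets.MEND_USER_KEY }}
      MEND_URL: https://saas.mend.io        # placeholder: your Mend environment URL
    steps:
      - uses: actions/checkout@v4

      - name: Install Mend CLI
        run: |
          # Assumed download location; pin a version and verify the binary's checksum
          # in a production pipeline rather than fetching "latest" unverified.
          curl -fsSL https://downloads.mend.io/cli/linux_amd64/mend -o /usr/local/bin/mend
          chmod +x /usr/local/bin/mend

      - name: Dependency (SCA) scan with policy gate
        run: |
          # `mend dep` (assumed subcommand) scans open-source dependencies.
          # --update (assumed) records the results in the Mend project.
          # --fail-policy prints policy alerts in the output and makes the command
          # fail on a violation, which fails this job and blocks the merge.
          mend dep --update --fail-policy
```

The gating behaviour comes entirely from the scan step's exit status: a CI runner marks a `run:` step failed when its last command exits non-zero, so no extra parsing of the scanner output is needed. Keep the credentials in secrets rather than in the workflow file, and scope the user key to a service account with only the permissions the scan requires.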
Mend Unified Agent
The Mend Unified Agent is tailored for specific use cases not yet supported by the Mend CLI. If your project requirements align with the scenarios below, the Unified Agent is the preferred choice.
Key Features of Mend Unified Agent
Development Dependencies Scanning: Includes development dependencies in your SCA scans.
Binary Matching: By default, the Unified Agent performs binary matching, which can be disabled if needed.
Extensive Package Manager Support: Supports additional package managers, including:
JavaScript: Bower, PNPM, Lerna
Java: Ant
Python: pipenv, Poetry, Conda
Objective C: CocoaPods
Rust: Cargo
C#: Paket
Elixir/Erlang: Hex
Haskell: Cabal
Go: Dep, Godep, Vndr, Gogradle, Govendor, Gopm, Glide
Other Languages: R, HTML, OCaml, Bazel
For a comprehensive comparison between the Mend CLI and Unified Agent, and guidance on when to use each, please visit our Mend Unified Agent documentation.
Choosing the Right Tool
Selecting the right scanner agent depends on your specific needs and the requirements of your development environment. The Mend CLI offers a holistic scanning solution ideal for most use cases within CI/CD pipelines and development desktops. However, if your project requires scanning development dependencies or uses package managers not supported by the CLI, the Unified Agent is the better option.
By integrating the appropriate Mend scanning tool into your pipeline, you can enhance the security and compliance of your code, ensuring robust protection against vulnerabilities and risks associated with open-source components.
For further assistance and detailed documentation, please refer to our dedicated pages on Mend CLI and Mend Unified Agent.