
Configure the Mend CLI for IaC

Overview

The Mend CLI can be configured for an IaC scan via command line parameters.

Getting it done

Configure the Mend CLI IaC scan via command line parameters

You can configure the Mend CLI IaC scan at runtime by adding flags to the mend iac command. The usage of the mend iac command is as follows:

mend iac my-iac-folder [flags]

Reference

Mend CLI IaC parameters

Mend CLI IaC - Report parameters

Parameter

Description

Mend CLI Default Behavior

Command Line: --filename

Optional. Generate a local report of the Mend CLI Container Image scan results using the specified file name. The --filename and --format parameters are used together to create this file.

Default behavior: Report generation is disabled.

Command Line: --format

Optional. When used together with --filename, define the format of the locally-generated report file.

When used alone, define the format of the terminal output.

The supported values are:

  • json

  • sarif

  • xml

  • text

Default behavior: Report generation is disabled.

Mend CLI IaC - Terminal view parameters

Parameter

Description

Mend CLI Default Behavior

Command Line: --filter

Optional. Filter findings by the CVSS score severity value. The supported values are:

  • critical - CVSS 3 score of 9.0-10.0

  • high - CVSS 3 score of 7.0-8.9

  • medium - CVSS 3 score of 4.0-6.9

  • low - CVSS 3 score of 0.1-3.9

  • none - CVSS 3 score of 0.0

Default behavior: All vulnerability severity levels are shown in the scan results.

Command Line: -h, --help

Optional. Display the available parameters for the mend iac command.

Default behavior: N/A

Command Line: --non-interactive

Optional. Mend CLI will run in non-interactive mode, suppressing the use of colors, progress bars and any other graphical features in STDOUT.

Default behavior: Mend CLI output to STDOUT includes colors and progress bars, which are irrelevant in a non-interactive session and may cause issues in some environments.

Mend CLI IaC - Upload parameters

Parameter

Description

Mend CLI Default Behavior

Command Line: --no-upload

Optional. Run the Mend CLI scan offline. This parameter disables the upload of the scan results to the Mend Application.

Default behavior: The Mend CLI will update your results within the Mend Platform Application.

Command Line: -s, --scope

Optional. Set the scan scope for your image by specifying the hierarchy for the Mend Platform Application.

The supported formats are:

  • Full hierarchy: -s ORG//APP//PROJ

  • Partial hierarchy: -s APP//PROJ

  • Single hierarchy: -s PROJ

Examples of --scope configuration:

  • Application-Project scope:

    mend iac my-iac-folder -s MyApp//MyProj

  • Org-Application-Project scope with spaces:

    mend iac my-iac-folder -s "My Org//My App//My Proj"

For Mend CLI scans that do not update the Mend Application, the --scope parameter is still used to direct the Mend CLI on the scope to use for the policy check.

Notes:

  • Only organization administrators can set scopes and view the Mend Platform Application.

  • Non-org admin users can still scan images with the Mend CLI, but won’t have their results sent to the Mend Platform Application if --scope is set.

  • As a result of running a Mend CLI scan with the --scope parameter, an empty project with the same name is also created in the Mend SCA UI. Deleting this project in the Mend SCA UI will delete the project within the Mend Platform Application.

  • If your Org/App/Proj names include spaces, make sure to enclose the --scope value in quotation marks ("My Project").

  • You can set the Org scope to any Mend organization that the currently signed-in user (via mend auth login) has access to.

  • If you set an application or project name in --scope that does not exist in the organization prior to the run, it will be created in the Mend Platform Application after the Mend CLI completes the scan.


Within the Mend Platform Application, scans are tiered under an organization → application → project hierarchy.

Scan results are available only on the CLI output at this stage.

If --scope is not set, the scan results will be sent and categorized within the Mend Platform Application as follows:

  • The organization currently logged into from the mend auth login command setup.
    Tip: Use the Mend CLI mend auth info command to see what organization you are connected to.

  • An application will default to My IAC Application

  • A project will be created and named after the folder’s name <FolderName>.
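
A CI-style wrapper that combines the report, terminal view and scope parameters above, as an added example that is not part of Mend's documentation or code. The names mend_scope, run_mend_iac and the MEND_BIN override are hypothetical; only flags listed on this page are passed to the CLI.

```shell
#!/bin/sh
# Added example, not Mend's code. Only flags listed on this page are used.

# Build a --scope value in one of the documented forms:
# ORG//APP//PROJ, APP//PROJ, or PROJ. Pass "" for levels you do not set.
mend_scope() {
    org=$1 app=$2 proj=$3
    [ -n "$proj" ] || { echo "scope: project name is required" >&2; return 1; }
    if [ -n "$org" ] && [ -z "$app" ]; then
        echo "scope: ORG//PROJ is not a documented form" >&2; return 1
    fi
    for part in "$org" "$app" "$proj"; do
        case $part in
            *//*) echo "scope: '$part' contains the // separator" >&2; return 1 ;;
        esac
    done
    scope=$proj
    if [ -n "$app" ]; then scope="$app//$scope"; fi
    if [ -n "$org" ]; then scope="$org//$scope"; fi
    printf '%s\n' "$scope"
}

# Run a non-interactive IaC scan that writes a local report.
# $1 folder, $2 scope, $3 report format, $4 report file name.
# MEND_BIN (hypothetical override) lets a test substitute the binary.
run_mend_iac() {
    folder=$1 scope=$2 format=$3 report=$4
    case $format in
        json|sarif|xml|text) ;;
        *) echo "unsupported --format value: $format" >&2; return 2 ;;
    esac
    [ -d "$folder" ] || { echo "not a directory: $folder" >&2; return 2; }
    # Every expansion is quoted so names with spaces reach the CLI as a
    # single argument, e.g. -s "My Org//My App//My Proj".
    "${MEND_BIN:-mend}" iac "$folder" --non-interactive \
        --format "$format" --filename "$report" -s "$scope"
}
```

In a pipeline this would be called as run_mend_iac ./my-iac-folder "$(mend_scope "My Org" "My App" "My Proj")" sarif iac-report.sarif, with the folder and report names chosen by the caller.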

Mend CLI IaC - Offline parameters

Parameter

Description

Mend CLI Default Behavior

Command Line: --local

Optional. Save your scan results locally. The default file is saved in the .mend folder.
A specific path can be defined using the --export-results flag.

Default behavior: Scan results will be saved locally.

Command Line: --update

Optional. Update the Mend application with your scan results. It should be followed by the --file flag to specify the local scan results file.

Default behavior: The Mend application will get updated with your scan results.

Command Line: --file

Optional. Specify a path to the local scan results file.

 

Mend CLI IaC-supported frameworks

The following frameworks are supported by the Mend CLI for IaC scans:

  • Terraform .tf (Multi Cloud)

  • CloudFormation (AWS)

  • K8s (YAML)

  • Helm

  • Dockerfiles

Mend CLI IaC exit codes

Note: For a comprehensive overview of Mend CLI IaC exit codes, please refer to our Mend CLI Exit Codes article.
