Integrate Mend Results into Backstage
Overview
Mend.io is integrated with Backstage, the open-source framework for building developer portals. This integration enables proactive application risk management for developers and security teams directly in Backstage.
The plugin empowers developers to code securely by automatically checking for security vulnerabilities with every code commit. Developers can review and address newly introduced vulnerabilities detected by Mend.io directly in Backstage, reducing the overall application security risk and delivering more secure applications.
Getting it done
Prerequisites
Plugin Compatibility: The plugin has been successfully tested with Backstage v1.46.1. If you are using a newer version of Backstage, please file an issue through the GitHub repository, and Backstage will provide guidance on the best integration practices for your specific version.
This plugin works with SCMs such as GitHub, Bitbucket Cloud, Azure Repos and GitLab.
The entity for a repository must be present within Backstage to see the Mend results. Use the Backstage Integrations guide to register your repositories on your Backstage instance; the integration will only register the repository if it contains a catalog-info.yaml file.
You need appropriate access permissions to an entity in Backstage to view its Mend results within Backstage.
Note: The Backstage frontend plugin will not function without the backend plugin.
Install Mend Plugin for Backstage
You can download the Mend Plugin from the Backstage Marketplace:

From your Backstage root directory, run the following commands:
yarn --cwd packages/app add @backstage-community/plugin-mend
yarn --cwd packages/backend add @backstage-community/plugin-mend-backend
The Mend Plugin also supports the Spotify Portal. Please use the same npm packages to install the plugin into the portal. Further details about how to install a plugin can be found in the Portal documentation.
Retrieve your Activation Key from the Mend Platform
Log into your organization via the Mend Platform.
Note: Make sure you are an organization administrator.
Navigate to the settings “cog” icon → Integrations:

Click on the Backstage card. Then, click on the Generate Activation Key button that appears to get your activation key for the Backstage Integration:

Copy and save this value for the next step.
Configure Mend Plugin for Backstage
Configure your Mend Activation Key in your local app-config.yaml or production app-config.production.yaml file:
mend:
  activationKey: ${YOUR_ACTIVATION_KEY_HERE}
Add the Mend tab to your entity page:
In your packages/app/src/components/Catalog/EntityPage.tsx file:
// ... other imports here
import { MendTab } from '@backstage-community/plugin-mend';

// ... other components
const serviceEntityPage = (
  <EntityLayout>
    <EntityLayout.Route path="/" title="Overview">
      {/* ... existing overview content */}
    </EntityLayout.Route>
    {/* ... other routes */}
    {/* The Mend tab is a sibling of the other routes, not a child of Overview */}
    <EntityLayout.Route path="/mend" title="mend.io">
      <MendTab />
    </EntityLayout.Route>
    {/* ... other routes */}
  </EntityLayout>
  // ...
);
// ...
Add the Mend page to your routes:
In your packages/app/src/App.tsx file:
// ... other imports here
import { MendPage } from '@backstage-community/plugin-mend';

// ... other components
const routes = (
  <FlatRoutes>
    <Route path="/" element={<Navigate to="catalog" />} />
    <Route path="/catalog" element={<CatalogIndexPage />} />
    {/* ... other elements */}
    <Route path="/mend" element={<MendPage />} />
    {/* ... other elements */}
  </FlatRoutes>
  // ...
);
// ...
Add the Mend sidebar button:
In your packages/app/src/components/Root/Root.tsx file:
// ... other imports here
import { MendSidebar } from '@backstage-community/plugin-mend';

// ... other components
export const Root = ({ children }: PropsWithChildren<{}>) => (
  <SidebarPage>
    <Sidebar>
      {/* ... other elements */}
      <MendSidebar />
      {/* ... other elements */}
    </Sidebar>
    {children}
  </SidebarPage>
  // ...
);
// ...
Add the Mend backend plugin:
In your packages/backend/src/index.ts file:
backend.add(import('@backstage-community/plugin-mend-backend'));
Note: The Backstage frontend plugin will not function without the backend plugin.
Configure Mend Plugin Permissions (Optional)
The Mend plugin for Backstage offers methods to construct conditional permissions, an additional top layer for filtering projects, which can be integrated into your Organization’s Permission Policy.
Provide a list of project IDs to the plugin. This will enable it to filter projects.
Use the exclude property to fine-tune the filtering behavior, ensuring precise control over which projects are included or excluded from the permission set.
To filter the Mend projects, use the following configuration in your local app-config.yaml or production app-config.production.yaml file. Here is a sample:
mend:
  activationKey: ${YOUR_ACTIVATION_KEY_HERE}
  permissionControl:
    ids:
      - <project-uuid-1> # Project UUID to filter
      - <project-uuid-2> # Another project UUID
    exclude: true # Set to true for blocklist mode, false for allowlist mode
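The allowlist and blocklist behaviour of permissionControl, together with a check that activationKey is an environment reference rather than a literal committed to app-config.yaml, as an added example (not the plugin's own code). The function names, the ${VAR} pattern and the treatment of an empty ids list are assumptions based on the sample above; the UUIDs are constructed.

```typescript
// Added example, not the Mend plugin's code: all names here are hypothetical.
interface PermissionControl { ids: string[]; exclude: boolean }
interface MendConfig { activationKey?: string; permissionControl?: PermissionControl }

const UUID_RE = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;
// Assumption: only a bare ${VAR} reference counts as "not a literal".
const ENV_REF_RE = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/;

// Project UUIDs that remain visible once the filter is applied.
function visibleProjects(all: string[], pc?: PermissionControl): string[] {
  if (!pc) return all; // no permissionControl block: nothing is filtered
  // exclude: true  -> blocklist, keep projects that are NOT listed
  // exclude: false -> allowlist, keep only projects that ARE listed
  return all.filter(id => (pc.ids.indexOf(id) !== -1) !== pc.exclude);
}

// Findings for a `mend:` block as written in app-config.yaml, before
// environment substitution, so a committed secret is still visible here.
function lintMendConfig(cfg: MendConfig): string[] {
  const findings: string[] = [];
  if (!cfg.activationKey) {
    findings.push('activationKey is missing');
  } else if (!ENV_REF_RE.test(cfg.activationKey)) {
    findings.push('activationKey is a literal; use a ${VAR} reference');
  }
  const pc = cfg.permissionControl;
  if (pc) {
    for (const id of pc.ids) {
      if (!UUID_RE.test(id)) findings.push(`not a UUID: ${id}`);
    }
    // Under this model an empty allowlist filters out every project.
    if (pc.ids.length === 0 && !pc.exclude) {
      findings.push('allowlist with no ids leaves no project visible');
    }
  }
  return findings;
}

// Constructed sample data (not real Mend project UUIDs).
const A = '11111111-1111-4111-8111-111111111111';
const B = '22222222-2222-4222-8222-222222222222';
const C = '33333333-3333-4333-8333-333333333333';
const blocklist: PermissionControl = { ids: [A], exclude: true };
const allowlist: PermissionControl = { ids: [A], exclude: false };
```

With the sample data, the blocklist leaves B and C visible while the allowlist leaves only A.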
Configure Mend Plugin for Spotify Portal
Note: Ensure you have Administrator access before configuring the Mend plugin.

Navigate to the Plugins section.
Click on the Mend Plugin. This will redirect you to the Mend configuration page.
Enter your Mend activation key in the activationKey configuration field.
(Optional) Configure the Permission Control section as needed to filter Mend projects using ids.
After completing the configuration, click the Save button.
Click the Start button and wait until you see the message confirming that the plugin has been successfully installed.
Once completed, you will be able to see the Mend plugin on the sidebar navigation.
Review the Code Findings Results in Backstage
The Mend.io plugin for Backstage provides two views for display. You can use these views to visualize your data.
Project Overview
This view showcases the integrated project list along with statistics derived from these projects.

Findings Overview
This view presents the project's security findings and detailed statistics derived from these findings.
