Use the Mend CLI SCA policy check for build control
Overview
You can make a build fail when an SCA component violates a policy your organization has defined in the Mend Application: run the scan with the policy check enabled and configure your pipeline to check for exit code 9 from the Mend CLI.
Note: This article specifically covers the usage and support of the Mend CLI’s policy check violation feature. For general information on the SCA engine of the Mend CLI, check out these articles:
Getting it done
Prerequisites before using the fail policy check with the Mend CLI SCA scan
We recommend avoiding breaking builds unless you have carefully defined your policies and change management processes, as this can cause significant disruptions to existing workflows and create opposition to these changes.
The following prerequisites are required before running a Mend CLI SCA scan to fail on policy violations:
Provide the Mend CLI with access to read your application’s source code on a file system.
Define a policy within the Mend Application or via the SCA API 2.0.
Run the Mend CLI SCA scan fail policy check
To configure the Mend CLI SCA scan to fail when a defined policy is violated, run the following command:
mend dep --fail-policy
(dep is an alias for dependencies, so mend dependencies --fail-policy is equivalent.)
The command exits with code 9 when a policy violation is found, so your pipeline can branch on that exit code and run your own handling. Note that if the shell runs with errexit (set -e), the scan's non-zero exit aborts the script before any check runs, so either capture the exit code on the same line as the scan or disable errexit around it. See example (bash):
# Run the scan command with fail-policy
mend dep --fail-policy
# Capture the exit code immediately; any later command would overwrite $?
scan_exit=$?
# Check the exit code and take action if it's 9 (policy violation).
# Note: the comparison operator is -eq; -e is a file-existence test.
if [ "$scan_exit" -eq 9 ]; then
    echo "Dependencies scan found policy violation"
    # Add error handling logic here
    exit 1 # Terminate the pipeline process
fi
# The process continues if no policy violation was detected
echo "Pipeline process continues..."
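The following is an added example, not Mend's own code, showing a more robust form of the same check for CI jobs that run with set -e: it captures the scan's exit code without letting errexit abort the job, treats exit code 9 as a policy violation, and reports any other non-zero exit separately as a scan that did not complete (the page documents only exit code 9; the meaning of other codes is not assumed here). The wrapper takes the scan command as its arguments so it can be exercised with a stand-in command; the mend command line and the assumption that the CLI is already on PATH and authenticated are the only Mend-specific parts.

```shell
#!/usr/bin/env bash
# Added example (not Mend's own code). Fails a CI job on a Mend CLI SCA policy
# violation (exit code 9) while still working under `set -e` and
# distinguishing a violation from a scan that could not run at all.
set -eu

# run_policy_scan CMD...
#   Runs CMD and inspects its exit code.
#   Returns 0 if the scan passed,
#           1 on a policy violation (Mend CLI exit code 9),
#           2 on any other non-zero exit (scan did not complete cleanly).
run_policy_scan() {
  rc=0
  # `|| rc=$?` records the exit code instead of letting errexit abort here.
  "$@" || rc=$?
  case "$rc" in
    0)
      return 0
      ;;
    9)
      echo "Dependencies scan found policy violation" >&2
      return 1
      ;;
    *)
      echo "Dependencies scan did not complete cleanly (exit code $rc)" >&2
      return 2
      ;;
  esac
}

# Pipeline usage. Assumption: the Mend CLI is on PATH and already
# authenticated. When it is not present (e.g. when this file is run as a
# self-test) the scan is skipped rather than reported as an error.
if command -v mend >/dev/null 2>&1; then
  # Under set -e a non-zero return here ends the job with that code:
  # 1 for a policy violation, 2 for a scan failure.
  run_policy_scan mend dep --fail-policy
  echo "Pipeline process continues..."
else
  echo "mend CLI not found on PATH; skipping scan" >&2
fi
```

Because the function returns distinct codes, a pipeline can fail the build on a violation but, for example, retry or page the security team when the scan itself did not complete, instead of silently treating both the same way.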
Note: The previously used mend sca command is still supported for backwards compatibility. However, we recommend switching to the updated mend dep command as soon as possible.