Skip to main content
Skip table of contents

Mend CLI Self-Contained Mode

Note: As of July 2024, the self-contained CLI can only be used for SCA and Containers.
SAST is not currently supported.

Overview

The self-contained mode of the Mend CLI addresses 2 main business requirements:

  1. Compliance with some companies' security directives, that prohibit downloading executables into the company’s pipelines. These directives usually require for executables to be downloaded, tested and approved before being incorporated into the pipeline. The executables must remain unchanged for the duration of their inclusion in the company’s CI/CD.

  2. Some companies may opt not to upload some scan results to the Mend.io servers at the end of the scan and instead keep the scan output on local storage, so they can be manipulated before eventually being uploaded to the Mend.io servers.

If your company fits this description, the Self-Contained Mode of the Mend CLI is the solution for you.

What's New?

  1. The ability to run the SCA and/or Container CLI subcomponents in a self-contained mode means the CLI will use local executables to scan and won’t download them or any other executables during its run. 

  2. With this mode you are able to run the CLI without write permissions on the executables folder. 

  3. This mode enables you to run a scan and save the output to a file that can later be used as a base for a scan, with or without uploading it to the server.

Prerequisites

Please review the general Mend CLI Prerequisites before moving on to the “Getting it done” part.

Getting it done

Download the Self-Contained CLI

Self-Contained Mode (run without downloading executables)

  1. Download the .tar file.

  2. Extract the .tar file.

  3. The .tar will contain the Mend CLI executable, mend (mend.exe on Windows). This is the file the user will interact with.

  4. The bin folder is where the CLI subcomponents (e.g. SCA) are kept.

  5. At this stage, the user needs to define the following: 

    1. mend / mend.exe needs to be accessible. 

    2. The user will need to authenticate. 

      1. The user need to specify the environment URL; it will not be listed in a selection menu as is the case in the standard login.

    3. MEND_INSTALL_DIR > to the bin folder.
      Example:

      image-20240409-110031.png

    4. Optional: MEND_BASE_DIR > location at which the cli will save the config and logs.
      Example:

      image-20240409-110153.png

NOTE: This mode still requires authentication to Mend.io and cannot be used in an air gap environment. For air-gap scenarios where no authentication is a requirement, refer to the Local Scan Mode section below.

Local Scan Mode (run with no internet connectivity)

The local scan mode removes the need for authentication, as well as the need to get the scan configuration from the server.

The ‘--local’ flag 

Running the CLI with the --local flag triggers a resolution and generates a local dependencies list file that can be used as a base for a future scan.

Use this flag to run a scan without communicating with the Mend.io servers.

Example:

image-20240409-105851.png

To save the file to a different location, use the existing flag --export-results:

image-20240409-113314.png

The ‘--file’ flag 

Running CLI with the --file flag triggers a scan based on the pre-generated file that will provide a list of vulnerabilities and update the project in the Mend servers.

To run a scan on a base file:

  1. Run the CLI with --update to update the Mend.io server

  2. Run the CLI without --update to get the output in the terminal or export results.

image-20240409-113433.png

Notes

  1. Reachability is currently not supported. 

  2. The Self-Contained mode doesn’t support automatic updates.

image-20240409-105538.png

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close