Scan your open source components (SCA) with the Mend CLI

Overview

The Mend CLI Software Composition Analysis (SCA) engine performs an extensive analysis of the open-source components within your application to detect CVE vulnerabilities as well as MSC vulnerabilities for malicious packages.

Use cases for scanning your SCA components with the Mend CLI

Let’s look at the following real-life examples that industry personas commonly run into:

As an AppSec Manager, you are in charge of the decision-making for selecting a tool that can detect vulnerable packages in your teams' open-source components, provide fixed version options, and the ability to identify malicious packages before they can cause harm. You also want to define your organization’s policies that can be utilized to control your teams' builds. Finally, you want to monitor the security posture of your organization’s open-source components in the form of dashboards.
As a DevOps Engineer, you are tasked with implementing a security tool into your teams' CI/CD solutions that can provide insights on vulnerabilities and malicious packages in your teams' open-source components directly within the pipeline console.

Mend’s Answer: Utilizing the Mend CLI SCA scan, you can effortlessly assess your open-source components for security vulnerabilities, potential malicious packages, and libraries that violate your organization’s defined policies. The results are conveniently presented in a well-organized table format within the Mend CLI or via dashboards in the Mend Application.

Getting it done

Prerequisites before getting started with the Mend CLI SCA scan

The following prerequisites are required before running a Mend CLI SCA scan:

Download the Mend CLI
Authenticate your login for the Mend CLI
Provide the Mend CLI with access to read your application’s source code on a file system

Mend SCA will not upload your full source code to the cloud. It only stores as much information as necessary to help you understand the reachability of detected security vulnerabilities.

Configure your Mend CLI SCA scan

The Mend CLI SCA scan is configurable via command line parameters. To learn more, visit our Configure the Mend CLI for SCA article.

To learn more about the support languages for SCA, visit the relevant Supported Languages section.

Run your Mend CLI SCA scan

To trigger the Mend CLI SCA scan, execute one of the following commands:

CODE

mend dep||dependencies

Note: Backwards compatibility is supported for the previously used mend sca command. However, we recommend switching to the updated command at your earliest availability.

The format of the mend dep||dependencies command is as follows:

CODE

mend dep||dependencies [flags]

View the steps of your Mend CLI SCA scan

The Mend CLI has two default steps you will see it complete before it displays its findings from the SCA scan:

Step Name	Description
`Scanning`	The Mend CLI is scanning your directory for SCA vulnerabilities and malicious packages.
`Retrieving`	If any vulnerabilities are found, the Mend CLI reaches out to the Mend Application for the information on these vulnerabilities to prepare them for the scan summary.

View your Mend CLI SCA scan results

Visit our View the results of your Mend CLI SCA scan article for more details on how to navigate the SCA findings provided by the Mend CLI.