
Cloud Repository Rollout

This document assumes you have read the following document:

Mend Platform Onboarding Overview

Please read that document before continuing.

Overview

Using the Cloud Repository integration is an effective way to set up Mend and build security into your development process. However, rolling out the repository integration can be noisy and disruptive to teams that are not prepared for it: the integration opens pull requests, creates issues and reports checks directly in their repositories.

To reduce disruption to your development flow, Mend has two recommended approaches to rolling out the integration:

  • Silent - Results are initially uploaded only to the Mend UI so you can get a handle on your current security posture. Once teams are aware of the integration, enable the desired features (pull requests, issues, checks) as needed.

  • Informative/Phased - Roll out Mend with all desired features to selected pilot teams first, to work out issues and understand how developers want Mend to interact with their workflow before the rest of the organization is onboarded.

This document provides a high-level overview of both approaches and their pros and cons to help you make informed decisions about your Mend rollout. Specific implementation instructions for each approach can be found in the guide for the individual Source Control Management systems.

Rollout Strategy

The repository integration can be onboarded either silently or by pushing a configuration file into each repository for Mend to scan. This section covers the benefits of both approaches; select one before implementing the repository integration.

Silent Rollout

Silent Rollout allows the Mend integration to scan your repositories without creating pull requests and issues for your development teams. Creating pull requests and issues during the initial rollout can be disruptive for development teams that are not prepared for the integration to take place.

Pros

  • Scan all of your repositories quickly without disrupting developers

  • Roll out features gradually, team by team, after getting a handle on your security posture

Cons

  • Loses all of the shift-left features that differentiate the repository integration from the pipeline integration

Phased Approach

The Phased Approach allows you to shift left with AppSec by providing results from a Mend scan directly inside the repository, while minimizing disruption to development teams. This approach starts with an "opt-in": pilot teams accept an onboarding pull request created by the repository integration.

After a sufficient number of pilot teams have accepted the pull request and are satisfied with the settings, it is recommended to roll out to all teams by pushing the .whitesource file directly into each repository.

Pros

  • Able to get developer feedback about Mend prior to full rollout

  • Security built into the repository

Cons

  • Takes longer to get the full security posture for the entire organization

Considerations While Setting Up The Integration

During the rollout process, note that some activities may require involving other teams within your organization (DevOps, Security, Development, etc.). To make the process smoother, review these items in advance and start them in parallel while you work through the rollout flow described in this document.

Private Registries

  • A Private Registry is a registry your organization controls that hosts internally developed packages and mirrored or cached open-source libraries.

    • Common private registries are JFrog Artifactory, Azure Artifacts and GitHub Packages.

    • If you are not certain whether you are using private registries, consult your development teams about where the libraries used in their applications are resolved from.

  • If the repositories you plan to scan rely on private registries for dependency resolution, you will need to generate an access token for each private registry. Without it, Mend cannot resolve the dependencies served from that registry and the scan results will be incomplete. A read-only token scoped to the registry is sufficient, since the integration only needs to resolve and download packages.

  • If your private registry is reachable only from your private network, you will need to allow inbound traffic to it from Mend's specific IP addresses. Contact our Support team to obtain the list of IP addresses to allowlist in this case. This is not required if you use a cloud-hosted private registry (e.g., GitHub Packages, Azure Artifacts, JFrog Artifactory Cloud).
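Asking development teams where their libraries come from is the right first step, but the answer is also recorded in the package-manager configuration committed to each repository. The following script is an added example, not part of Mend's tooling: it walks a checkout, reads the common package-manager config files (.npmrc, requirements.txt, pip.conf, Maven settings.xml, NuGet.Config, .yarnrc.yml), and reports every registry host that is not a public default, giving you the list of private registries that need an access token before the scan. The sample repository it builds, and the hostnames in it, are constructed for illustration.

```python
"""Inventory the package registries a checkout actually resolves from.

Added example for the Private Registries checklist above; not part of Mend's
tooling. It walks a repository, reads the common package-manager config files,
and reports every registry host that is not a public default, so you know
which private registries need an access token before Mend scans the repo.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Public default registries (plus XML schema hosts that appear in Maven/NuGet
# config). Any other host is reported as a candidate private registry.
IGNORED_HOSTS = {
    "registry.npmjs.org", "registry.yarnpkg.com",
    "pypi.org", "files.pythonhosted.org",
    "repo.maven.apache.org", "repo1.maven.org", "maven.apache.org",
    "api.nuget.org", "www.w3.org",
}

# Package-manager config files worth inspecting (matched case-insensitively).
CONFIG_FILES = {
    ".npmrc", ".yarnrc.yml", "pip.conf", "pip.ini",
    "requirements.txt", "settings.xml", "nuget.config",
}

ABSOLUTE_URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# .npmrc stores per-registry auth as protocol-relative lines:
#   //host/path/:_authToken=...
PROTOCOL_RELATIVE_RE = re.compile(r"^//([^/\s:]+)", re.MULTILINE)


def registry_hosts_in(text: str) -> set[str]:
    """Return the non-default registry hosts referenced in one config file."""
    hosts = set()
    for url in ABSOLUTE_URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    hosts.update(h.lower() for h in PROTOCOL_RELATIVE_RE.findall(text))
    return hosts - IGNORED_HOSTS


def find_private_registries(root) -> dict[str, set[str]]:
    """Map each candidate private registry host to the files that reference it."""
    root = Path(root)
    found: dict[str, set[str]] = {}
    for path in root.rglob("*"):
        if not (path.is_file() and path.name.lower() in CONFIG_FILES):
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        for host in registry_hosts_in(text):
            found.setdefault(host, set()).add(path.relative_to(root).as_posix())
    return found


# Constructed sample checkout: one repo mixing public and private registries.
# Hostnames and paths are illustrative, not real endpoints.
SAMPLE_FILES = {
    ".npmrc": (
        "registry=https://registry.npmjs.org/\n"
        "@acme:registry=https://artifactory.example.com/artifactory/api/npm/npm-local/\n"
        "//artifactory.example.com/artifactory/api/npm/npm-local/:_authToken=${NPM_TOKEN}\n"
    ),
    "backend/requirements.txt": (
        "--extra-index-url https://pkgs.dev.azure.com/acme/_packaging/acme-feed/pypi/simple/\n"
        "requests==2.31.0\n"
    ),
    "java/settings.xml": (
        '<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">\n'
        "  <mirrors><mirror><id>central</id>"
        "<url>https://repo.maven.apache.org/maven2</url></mirror></mirrors>\n"
        "</settings>\n"
    ),
    "dotnet/NuGet.Config": (
        "<configuration><packageSources>\n"
        '  <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />\n'
        '  <add key="github" value="https://nuget.pkg.github.com/acme/index.json" />\n'
        "</packageSources></configuration>\n"
    ),
}


def build_sample_repo() -> str:
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="registry-inventory-")
    for rel, content in SAMPLE_FILES.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    for host, files in sorted(find_private_registries(build_sample_repo()).items()):
        print(f"{host}: referenced by {', '.join(sorted(files))}")
```

Run it against a real checkout with `find_private_registries("/path/to/repo")`; on the constructed sample it reports artifactory.example.com, pkgs.dev.azure.com and nuget.pkg.github.com, and ignores the public defaults. It only sees registries declared in committed configuration, so lockfiles (for example the `resolved` URLs in package-lock.json) and CI-injected configuration are worth checking too. If an `_authToken` or password line carries a literal value rather than a `${VAR}` placeholder, that is a committed credential to rotate before the registry token for Mend is issued.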

Next Steps

After deciding on your rollout approach, proceed to setting up the integration for your source control management system:

Rollout Mend for GitHub.com

Rollout Mend Developer Platform for Bitbucket Cloud
