
Configure and Enable Mend for Github.com

This document focuses on executing the onboarding decisions made in the following documents:

Mend Platform Rollout Overview
Cloud Repository Rollout
Setting up the Mend UI for Github.com Integration

Please read those documents before continuing.

Setting Up the Mend Integration

The repository integration can be onboarded either silently or by pushing a configuration file into the repository for Mend to scan. This section goes over the benefits of both approaches; select one before implementing the repository integration.

Silent Rollout

To implement a Silent Rollout, see Silent Rollout for Repository Integrations.

Phased Rollout

Set up a Global Configuration

To reduce noise, before the integration is installed:

  • Create a repository named whitesource-config. This repository will house your global configuration.

    • Make sure that there are no branch-protection rules on the repository.

  • Follow the documentation to install Mend for GitHub.com.

    • Make sure the integration only has access to the whitesource-config repository.

    • Do not give the app access to other repositories yet.

After the app is installed on this repository, two new files are created: global-config.json and repo-config.json. These two files make up the global configuration for your integration and house the defaults for all repositories that are scanned.

(Optional) Multiple GitHub Organizations Only - Setting up a single Global config for all GitHub Organizations

For each additional GitHub organization, create a whitesource-config repository, install the Mend for GitHub app, and update the repo-config.json to inherit from the original whitesource-config repository. The original whitesource-config repository must be public.

The example below shows how to configure the repo-config.json in OrgB if OrgA is configured first.

{
  "settingsInheritedFrom": "OrgA/whitesource-config@main"
}

Enabling Mend SCA Features

Modify the repo-config.json with the following information; these settings should always be enabled.

Update the scanSettings{} section

Update the checkRunSettings{} section

  • Add "strictMode": "failOnWarning" to enable partial-scan warnings. These help with troubleshooting issues within your scan.

The above configuration is the minimum recommended configuration for starting out with SCA. For all SCA configurations, see Configure Mend for GitHub.com for SCA.

Enabling Mend SAST

Modify the repo-config.json with the following information to enable SAST scanning.

Update the "scanSettingsSAST"{} section

  • Change "enableScan": false to true to enable SAST scanning.

  • Change "scanPullRequests": false to true to enable scanning on pull requests.

The above configuration is the minimum recommended configuration for starting out with SAST. For all SAST configurations, see Configure Mend for GitHub.com for SAST.

Enabling Code Source for Image Scanning

Modify the repo-config.json with the following information to enable Code Source image scanning.

Update the "imageTracing": {} block inside the "imageSettings"{} section

  • Change "enableImageTracingPR": false to true to enable automatic pull requests for Image Tracing labels.

  • Change "addDockerfilePath": false to true to add the relative path of the Dockerfile within the repository as a label in the image.

  • Change "addRepositoryCoordinates": false to true to add the repository URL as a label in the Dockerfile.

For a more in-depth explanation of Code Source, see Configure Mend for GitHub.com Code Source.
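The sections above scatter the recommended repo-config.json keys across SCA, SAST and Code Source, and the multi-organization note adds settingsInheritedFrom on top. The following checker, added here as an example and not part of Mend's own tooling, loads a repo-config.json body and reports every key that deviates from that baseline. The key names are the ones given on this page; the three sample configurations are constructed for the demonstration, and the check that settingsInheritedFrom follows the "Org/whitesource-config@branch" shape is an assumption drawn from the single example above. The contents of the scanSettings{} section are not specified on this page, so they are not checked.

```python
"""Check a Mend repo-config.json against the baseline settings described on this page.

Added example, not Mend's own code. Key names come from the page; the sample
configurations are constructed; the settingsInheritedFrom format check is an
assumption based on the "OrgA/whitesource-config@main" example.
"""
import json

# Baseline from this page: (path into repo-config.json, recommended value).
BASELINE = [
    (("checkRunSettings", "strictMode"), "failOnWarning"),
    (("scanSettingsSAST", "enableScan"), True),
    (("scanSettingsSAST", "scanPullRequests"), True),
    (("imageSettings", "imageTracing", "enableImageTracingPR"), True),
    (("imageSettings", "imageTracing", "addDockerfilePath"), True),
    (("imageSettings", "imageTracing", "addRepositoryCoordinates"), True),
]


def _lookup(config, path):
    """Walk nested dicts along path; return (found, value)."""
    node = config
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node


def check_repo_config(config_text):
    """Return a list of findings for a repo-config.json body; [] means the baseline is met."""
    config = json.loads(config_text)
    inherited = config.get("settingsInheritedFrom")
    findings = []
    # Assumption: an inherited value has the "Org/repo@branch" shape shown on the page.
    if inherited is not None and ("/" not in inherited or "@" not in inherited):
        findings.append(
            f'settingsInheritedFrom {inherited!r} does not look like "Org/whitesource-config@branch"'
        )
    for path, expected in BASELINE:
        dotted = ".".join(path)
        found, actual = _lookup(config, path)
        if found and actual == expected:
            continue
        if not found and inherited:
            # A key absent here may still be supplied by the inherited global config.
            findings.append(f"{dotted} not set locally; inherited from {inherited} unless overridden")
        elif not found:
            findings.append(f"{dotted} is missing (expected {json.dumps(expected)})")
        else:
            findings.append(f"{dotted} is {json.dumps(actual)} (expected {json.dumps(expected)})")
    return findings


# Constructed sample 1: the defaults as the page describes them (everything false, no strictMode).
DEFAULT_CONFIG = json.dumps({
    "scanSettingsSAST": {"enableScan": False, "scanPullRequests": False},
    "imageSettings": {"imageTracing": {
        "enableImageTracingPR": False,
        "addDockerfilePath": False,
        "addRepositoryCoordinates": False,
    }},
})

# Constructed sample 2: the same file after applying every change listed on this page.
RECOMMENDED_CONFIG = json.dumps({
    "checkRunSettings": {"strictMode": "failOnWarning"},
    "scanSettingsSAST": {"enableScan": True, "scanPullRequests": True},
    "imageSettings": {"imageTracing": {
        "enableImageTracingPR": True,
        "addDockerfilePath": True,
        "addRepositoryCoordinates": True,
    }},
})

# Constructed sample 3: OrgB's file, which only points at OrgA's global configuration.
ORGB_CONFIG = json.dumps({"settingsInheritedFrom": "OrgA/whitesource-config@main"})


if __name__ == "__main__":
    for name, body in [("default", DEFAULT_CONFIG),
                       ("recommended", RECOMMENDED_CONFIG),
                       ("OrgB", ORGB_CONFIG)]:
        print(f"== {name} ==")
        for finding in check_repo_config(body) or ["baseline met"]:
            print("  " + finding)
```

Run against the default file the checker lists six deviations; against the recommended file it lists none; against OrgB's file it lists the six keys as not set locally, which is the expected state when the values come from OrgA's global configuration rather than a misconfiguration.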

Next Steps

Modify your result consumption settings by following Enabling Results Consumption in Mend for GitHub.com.
