
Enable Results Consumption for Developer Platform for Bitbucket Cloud

Modify Results Consumption Settings

Results consumption settings are enabled by default. To opt out of a specific kind of results consumption, use the "Off" settings described below to disable the sections you do not want.

For Open-Source Licensing Checks and Issues, policies need to be created in the Legacy SCA UI. For guidance on creating policies, see Creating Policies for Mend Repository License Checks.

Renovate

Set up a Global Renovate Repository

While most features can be configured from the Developer Platform, Renovate is a developer tool first and foremost. It is designed to be customized in each repository to the taste of the developers using it. Renovate configuration has no impact on the security-related features of Mend; it only controls how automated package updates are handled. To ease the customization of Renovate across your organization, a global Renovate configuration repository is recommended. This repository provides defaults that your development teams can inherit. It can be named anything, but a recommended convention is <workspace>-global-renovate-config.

This repository does not need to be set up in the Developer Platform, so the 6-8 hour sync for new repositories does not apply to it.

Smart Merge

Smart Merge is the preferred setting for Renovate and should be considered the default. Since Renovate is configured on each repository individually, it is important to provide a file that all configurations can inherit.

  • Create a smart-merge.json file in your global renovate repository

  • Add the following to your smart-merge.json file

    CODE
    {
      "packageRules": [
        {
          "groupName": "Mend: high confidence minor and patch dependency updates",
          "matchUpdateTypes": ["minor", "patch"],
          "matchConfidence": ["very high", "high"]
        },
        {
          "matchConfidence": ["low"],
          "dependencyDashboardApproval": true,
          "commitMessagePrefix": "[LOW] "
        },
        {
          "matchConfidence": ["neutral"],
          "dependencyDashboardApproval": true,
          "commitMessagePrefix": "[NEUTRAL] "
        }
      ]
    }

    • The above configuration combines grouping of high-confidence minor and patch updates with holding low- and neutral-confidence updates back for Dependency Dashboard approval

  • Add the following to the "extends" block in the renovate.json file of your test repository, replacing your-workspace-name and your-global-renovate-repository-name with the correct values

    CODE
    "extends": [
      "local>your-workspace-name/your-global-renovate-repository-name:smart-merge"
    ]

For more information on Smart Merge Control, see Renovate Smart Merge Control Implementation Examples
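To see how the three packageRules above compose for a given update, the following added example (not part of Mend's documentation or of Renovate itself) models Renovate's rule evaluation in miniature: a rule applies when every one of its match* keys accepts the update, and later matching rules override earlier ones. It then audits a preset against the Smart Merge intent (low and neutral confidence held for Dependency Dashboard approval, high and very high minor/patch updates grouped) and demonstrates the finding it raises when the neutral gate is dropped. Only the two matchers used on this page are understood, the update attribute names (`confidence`, `updateType`) are this script's own, and the preset text is a constructed copy of the smart-merge.json shown above.

```python
"""Toy evaluator for Renovate packageRules (added example, not Mend or Renovate code).

Matching model: a rule applies when each of its match* keys accepts the update;
later matching rules override earlier ones. Only matchUpdateTypes and
matchConfidence are understood; any other matcher makes the rule "undecidable"
and it is treated as not matching, so the audit fails closed.
"""
import json

# Constructed copy of the smart-merge.json preset from the page.
SMART_MERGE_JSON = """
{
  "packageRules": [
    {
      "groupName": "Mend: high confidence minor and patch dependency updates",
      "matchUpdateTypes": ["minor", "patch"],
      "matchConfidence": ["very high", "high"]
    },
    {
      "matchConfidence": ["low"],
      "dependencyDashboardApproval": true,
      "commitMessagePrefix": "[LOW] "
    },
    {
      "matchConfidence": ["neutral"],
      "dependencyDashboardApproval": true,
      "commitMessagePrefix": "[NEUTRAL] "
    }
  ]
}
"""

# Matcher key in a rule -> attribute name of the candidate update (names are ours).
MATCHERS = {"matchUpdateTypes": "updateType", "matchConfidence": "confidence"}


def rule_matches(rule, update):
    """True when every match* key on the rule accepts the update."""
    for key in rule:
        if not key.startswith("match"):
            continue
        if key not in MATCHERS:
            # Unknown matcher (e.g. matchPackageNames): cannot decide, so no match.
            return False
        if update.get(MATCHERS[key]) not in rule[key]:
            return False
    return True


def effective_settings(rules, update):
    """Merge the non-matcher fields of every matching rule, in rule order."""
    settings = {}
    for rule in rules:
        if rule_matches(rule, update):
            settings.update({k: v for k, v in rule.items() if not k.startswith("match")})
    return settings


def audit_preset(config):
    """Return the gaps against the Smart Merge intent: low/neutral updates must be
    held for Dependency Dashboard approval, high/very high minor+patch must be grouped."""
    rules = config.get("packageRules", [])
    problems = []
    for confidence in ("low", "neutral"):
        for update_type in ("major", "minor", "patch"):
            s = effective_settings(rules, {"confidence": confidence, "updateType": update_type})
            if not s.get("dependencyDashboardApproval"):
                problems.append(f"{confidence}/{update_type}: not held for Dependency Dashboard approval")
    for confidence in ("high", "very high"):
        for update_type in ("minor", "patch"):
            s = effective_settings(rules, {"confidence": confidence, "updateType": update_type})
            if "groupName" not in s:
                problems.append(f"{confidence}/{update_type}: not grouped into a single PR")
    return problems


def load_preset(text):
    return json.loads(text)


def weakened_preset():
    """Constructed variant with the 'neutral' approval gate removed, to show a finding."""
    config = load_preset(SMART_MERGE_JSON)
    config["packageRules"][2].pop("dependencyDashboardApproval")
    return config


if __name__ == "__main__":
    good = load_preset(SMART_MERGE_JSON)
    print("smart-merge.json:", audit_preset(good) or "OK")
    print("weakened preset:", audit_preset(weakened_preset()))
```

Run it as a pre-merge check on the global Renovate repository so that an edit to smart-merge.json that silently drops an approval gate is caught before teams inherit it. Real Renovate evaluates many more matchers and preset-merge rules than this model; it is meant to make the ordering and override behaviour of the page's three rules visible, not to replace Renovate's own config validation.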

config:recommended

The setting below is a base recommendation for configuring Renovate. It enables the Dependency Dashboard in Bitbucket (if issues are enabled) and provides merge confidence data. It also holds pull requests in the Dependency Dashboard for approval, so that no automatic pull requests are raised that might trigger builds and cause a "big bang" when the integration is installed.

CODE
  "extends": [
    "config:recommended",
    "mergeConfidence:all-badges",
    ":dependencyDashboardApproval"
  ]

Off

Renovate can be turned off by disabling it from the Developer Platform interface. For instructions on how to edit the settings within the Developer Platform see Configure Mend Developer Platform for SCA.

Issues

Issues in Bitbucket Cloud are disabled by default for all new repositories. To receive issues from Mend, Issues need to be enabled on the Bitbucket repository. For information on how to enable issues within Bitbucket, see the Atlassian documentation: Enable an issue tracker

Informative

If opening issues for developers, it is recommended to include all details, as issues are grouped by direct dependency. This is the default for the Developer Platform and does not need to be configured.

Default Configuration of the Developer Platform for Issues
  • Open-Source Security

    • Issues

      • Enabled

      • Vulnerability Range

        • 0-10

      • Grouping rule

        • Dependency

  • Open-Source Licensing

    • Issues

      • Enabled

  • Code Security

    • Issues

      • Enabled

Off

To turn Issues off, disable them for Open-Source Security, Code Security, and Open-Source Licensing from the Developer Platform interface. For instructions on how to edit the settings within the Developer Platform see Configure Mend Developer Platform for SCA.

Security Gates

Decide whether commits should receive a failed status check based on Mend findings. That status can be used with Bitbucket Merge Checks to block pull requests that contain Mend findings.

Blocking

Blocking is enabled by default in the Developer Platform. For SCA, any finding causes a failed status check; for SAST, the severity threshold for failing the status check defaults to High and can be adjusted.

Default configuration of the Developer Platform for Status Checks
  • Open-Source Security

    • Checks

      • Enabled

      • Conclusion status

        • Failure

  • Open-Source Licensing

    • Checks

      • Enabled

      • Conclusion status

        • Failure

  • Code Security

    • Conclusion status

      • Failure

    • Severity Threshold

      • High

    • Scan Pull Requests

      • Enabled

Off

To stop the checks from blocking, it is recommended to set the "Conclusion status" to "Success" rather than disabling the checks: the status check still shows that the Mend scan is running, and developers can still reach the results from within the status check.

Recommended configurations for turning off Status Checks
  • Open-Source Security

    • Checks

      • Enabled

      • Conclusion status

        • Success

  • Open-Source Licensing

    • Checks

      • Enabled

      • Conclusion status

        • Success

  • Code Security

    • Conclusion status

      • Success

    • Scan Pull Requests

      • Enabled

Next Steps

Wrap up the rollout by setting up scan log retrieval and enabling Mend for your development teams, following: Wrapping up Developer Platform for Bitbucket Cloud Rollout
