Enable Results Consumption for Developer Platform for Bitbucket Cloud
This document assumes you have read the following documents:
Mend Platform Rollout Overview
Cloud Repository Rollout
Setting up the Mend UI for the Developer Platform Integration
Configure and Enable Developer Platform for Bitbucket Cloud
Please read those documents prior to continuing
Modify Results Consumption Settings
Results consumption settings are enabled by default. If opting out of a specific set of results consumption, use the “off” settings to disable the desired sections.
For Open-Source Licensing Checks and Issues, Policies need to be created on the Legacy SCA UI. For guidance on creating policies see Creating Policies for Mend Repository License Checks
Renovate
Set up a Global Renovate Repository
While most features can be configured from the Developer Platform, Renovate is first and foremost a developer tool, designed to be customized in each repository to suit the developers using it. Renovate configuration has no effect on Mend's security features; it only controls how automated package updates are handled. To ease customization of Renovate across your organization, a global Renovate configuration repository is recommended. This repository provides defaults that your development teams can inherit. It can be named anything, but a recommended naming convention is <workspace>-global-renovate-config. Because every repository that extends it inherits its rules, restrict write access to this repository (for example with Bitbucket branch permissions) as you would for any other shared configuration.
This repository does not need to be set up in the Developer Platform so the 6-8 hour sync for new repositories does not apply.
Smart Merge
Smart Merge is the preferred setting for Renovate and should be considered the default. Since Renovate is configured on each repository individually, it is important to provide a file that all configurations can inherit.
Create a smart-merge.json file in your global Renovate repository and add the following to it:
    {
      "packageRules": [
        {
          "groupName": "Mend: high confidence minor and patch dependency updates",
          "matchUpdateTypes": ["minor", "patch"],
          "matchConfidence": ["very high", "high"]
        },
        {
          "matchConfidence": ["low"],
          "dependencyDashboardApproval": true,
          "commitMessagePrefix": "[LOW] "
        },
        {
          "matchConfidence": ["neutral"],
          "dependencyDashboardApproval": true,
          "commitMessagePrefix": "[NEUTRAL] "
        }
      ]
    }
The above configuration groups high-confidence minor and patch updates into a single pull request and holds low- and neutral-confidence updates for approval in the Dependency Dashboard, with their commit messages prefixed accordingly.
Add the following to the "extends" block in the renovate.json file of your test repository, replacing your-workspace-name and your-global-renovate-repository-name with the correct values:
    "extends": [
      "local>your-workspace-name/your-global-renovate-repository-name:smart-merge"
    ]
The :smart-merge suffix tells Renovate to load the smart-merge.json file from that repository.
For more information on Smart Merge Control, see Renovate Smart Merge Control Implementation Examples
config:recommended
The setting below is a base recommendation for configuring Renovate. It enables the Dependency Dashboard in Bitbucket (if Issues are enabled) and provides merge confidence data. It also holds every update in the Dependency Dashboard until it is approved, so no pull requests are opened automatically; without this, the initial wave of pull requests could trigger a "big bang" of builds when the integration is first installed.
"extends": [
"config:recommended",
"mergeConfidence:all-badges",
":dependencyDashboardApproval"
]
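As an added illustration (not from the original page or from Mend's documentation), here is what a complete renovate.json in a test repository looks like once the base recommendation above and the Smart Merge preset from the global repository are combined into a single "extends" array. The workspace and repository names are placeholders to replace with your own; the "$schema" line is optional and only enables editor validation.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    "mergeConfidence:all-badges",
    ":dependencyDashboardApproval",
    "local>your-workspace-name/your-global-renovate-repository-name:smart-merge"
  ]
}
```

Renovate resolves presets in the order listed, and a later preset overrides earlier ones where they set the same option, so the organization-specific preset from the global repository goes last.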
Off
Renovate can be turned off by disabling it from the Developer Platform interface. For instructions on how to edit the settings within the Developer Platform see Configure Mend Developer Platform for SCA.
Issues
Issues in Bitbucket Cloud are disabled by default for all new repositories. To receive issues from Mend, Issues must be enabled on the Bitbucket repository. For information on how to enable Issues within Bitbucket, see the Atlassian documentation: Enable an issue tracker
Informative
If issues are opened for developers, it is recommended to include all details, since issues are grouped by direct dependency. This is the Developer Platform default and does not need to be configured.
Off
To turn Issues off, disable them for Open-Source Security, Code Security, and Open-Source Licensing in the Developer Platform interface. For instructions on how to edit the settings within the Developer Platform see Configure Mend Developer Platform for SCA.
Security Gates
Decide whether commits should receive a failed status check based on Mend findings. A failed status check can be combined with Bitbucket Merge Checks to block pull requests that contain findings.
Blocking
Blocking is enabled by default in the Developer Platform. For SCA, any finding causes a failed status check. For SAST, the severity threshold for failing the status check defaults to High and can be adjusted.
Off
To turn blocking off, set the "Conclusion status" to "Success". The status check then never blocks, but it still shows that the Mend scan ran, and developers can open the results from the status check.
Next Steps
Wrap up rollout by setting up scan log retrieval and enabling Mend for your development teams by following: Wrapping up Developer Platform for Bitbucket Cloud Rollout