Existing SAST Customer - Changing Pipelines from Legacy Mend SAST UI to Mend Platform
Overview
When scanning custom code with the Mend CLI, a few settings must change for the results to appear in the Mend Platform. This document covers the changes required to move your Mend SAST scans to the Mend Platform.
Replace the API Key with a User Key
To send scans to the Mend Platform, a User Key must be generated in the Mend Platform. This key is used to authenticate the Mend CLI in place of the API key that Mend SAST used. The steps to generate a User Key in the Mend Platform can be found here. Treat the User Key as a credential: store it in your CI system's secret store rather than in the pipeline definition itself.
The user must have at least "Scan Manager" permissions in order to scan and send results to the UI.
Mend highly recommends creating a service user when scanning with the Mend CLI. To create a service user, see Managing Service Users.
Replace the --app parameter with --scope
If your pipeline uses --app to specify the application a scan is associated with, change it to --scope. Applications have a different meaning in the Mend Platform than they did in Mend SAST. Mend SAST had a three-tiered hierarchy: Org -> Application -> Scans. In the Mend Platform, what Mend SAST called an Application corresponds to a Project, and Application now names the tier above it: Org -> Application -> Projects -> Scans.
The format of the --scope value is similar to --app: <org_name>//<application_name>//<project_name>. If the application or project named in the scope is not present on the Mend Platform, it is created by the scan. Note that this also means a mistyped scope does not fail the scan; it silently creates a new application or project, so check the spelling against the Platform before relying on the results.
If a shorter scope is provided, it fills the lower tiers of the hierarchy: --scope test_app//test_project sets the application name and the project name, and a single segment sets only the project. If no scope is provided, the organization is the last organization the CLI user signed into, the application is the repository organization name as recorded in the .git/config file, and the project is named after the directory the CLI is run from, unless --dir is specified.
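To check where a given --scope value will land before wiring it into a pipeline, here is an added example script (written for this page, not Mend's own code) that reproduces the scope resolution rules above: a three-segment scope sets all tiers, shorter scopes fill the lower tiers, and missing tiers fall back to the last signed-in organization, the repository organization parsed from .git/config, and the scan directory name. The sample .git/config is constructed, the placeholder name for the last signed-in organization and the use of the --dir basename as the default project are assumptions, and the script never invokes the Mend CLI.

```shell
#!/bin/sh
# Added example: reproduce the documented --scope resolution rules so the
# resulting org//app//project can be inspected before a pipeline runs.
# The Mend CLI performs this resolution itself; this is illustrative only.

# Resolve "<org>//<app>//<project>" into its three tiers.
#   $1 scope value as passed to --scope (may be empty)
#   $2 default org      (last org the CLI user signed into)
#   $3 default app      (repository organization from .git/config)
#   $4 default project  (basename of the scan directory)
# Prints the fully resolved "org//app//project"; returns 1 on too many segments.
resolve_scope() {
  scope=$1; org=$2; app=$3; project=$4
  case $scope in
    '') ;;                                   # no scope: every tier defaults
    *//*//*//*)
      printf 'invalid scope (more than three segments): %s\n' "$scope" >&2
      return 1 ;;
    *//*//*)                                 # org//app//project
      org=${scope%%//*}; rest=${scope#*//}
      app=${rest%%//*}; project=${rest#*//} ;;
    *//*)                                    # app//project, org defaults
      app=${scope%%//*}; project=${scope#*//} ;;
    *)                                       # project only
      project=$scope ;;
  esac
  printf '%s//%s//%s\n' "$org" "$app" "$project"
}

# Print the "origin" remote URL from a .git/config read on stdin.
origin_url_from_config() {
  awk '
    /^\[remote "origin"\]/ { in_origin = 1; next }
    /^\[/                  { in_origin = 0 }
    in_origin && /^[[:space:]]*url[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); print; exit
    }
  '
}

# Extract the repository organization (first path segment) from a remote URL.
# Handles https://host/org/repo.git, ssh://user@host/org/repo.git and user@host:org/repo.git.
org_from_git_url() {
  path=$(printf '%s\n' "$1" | sed -e 's#^[A-Za-z+]*://[^/]*/##' -e 's#^[^/:]*:##')
  printf '%s\n' "${path%%/*}"
}

# Default project name: basename of the --dir value if given (assumption),
# otherwise of the directory the CLI is run from.
default_project() {
  dir=${1:-$(pwd)}
  basename "$dir"
}

# Constructed sample .git/config for the demonstration below.
SAMPLE_GIT_CONFIG='[core]
	repositoryformatversion = 0
[remote "origin"]
	url = git@github.com:acme/widgets.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
	remote = origin'

# Demonstration: show how each scope form resolves for the sample repository.
app_default=$(org_from_git_url "$(printf '%s\n' "$SAMPLE_GIT_CONFIG" | origin_url_from_config)")
project_default=$(default_project /builds/acme/widgets)
for s in '' 'my_project' 'test_app//test_project' 'acme_org//test_app//test_project'; do
  printf '%-42s -> %s\n' "--scope '$s'" \
    "$(resolve_scope "$s" last_signed_in_org "$app_default" "$project_default")"
done
# The resolved value is the scope the CLI would scan into, e.g.
#   mend sast --scope "acme_org//test_app//test_project"
# (the sast subcommand name is an assumption; this page only names the --scope flag).
```

Run it in the repository you are about to scan and compare the printed org//app//project with what you expect to see in the Platform; because a non-existent application or project is created rather than rejected, this is the cheapest place to catch a typo.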
Remove MEND_ORGANIZATION Environment Variable
The Mend CLI has an environment variable, MEND_ORGANIZATION, that specifies the organization the results are sent to. The same thing can be accomplished with the --scope parameter, which allows for more flexible execution. If you use a service user, the organization defaults to the organization the service user was created in, removing the need for the MEND_ORGANIZATION environment variable.