Mend CLI vs Unified Agent
The Mend CLI is a combined security solution that provides a holistic and coherent experience by bringing all Mend scanning capabilities into a single tool/binary. It is the recommended tool for scanning within a CI/CD pipeline or on a developer desktop.
The purpose of this article is to provide examples of when to use Unified Agent instead of the CLI.
Mend CLI Features
Dependency scanning (SCA) - scans open source components for vulnerabilities (CVEs), license risk, and supply chain vulnerabilities/malicious packages (MSCs)
Source file matching resolution via the extended mode "--e"
Code scanning (SAST) - scans custom code for weaknesses (CWEs)
Container Image scanning - scans container images, covering both operating system packages and application open source components, for vulnerabilities (CVEs) and license risk
Additional features
Ability to receive policy alerts in the output using a single command flag: --fail-policy
Vulnerability & Policy violation information output in the terminal
Produce an update request using --local
When to use the Mend Unified Agent
It is recommended to use the Unified Agent if any of the following are required for SCA scanning, as the Mend CLI does not yet support these use cases. If you intend to compare dependency scan results between the two tools, follow Comparing Scans Between the Unified Agent and CLI.
Scan development dependencies
Development dependency scanning is on by default in the Unified Agent, but it is recommended to disable it.
Using one of the following package managers