Skip to main content
Skip table of contents

Mend for GitHub.com Advanced Configurations

Removing Opt-in Approach

To remove the “opt-in” style of the onboarding pull request, set one of the two following configuration modes in the global-config.json inside your global configuration:

  • "repoConfigMode": "pushwhitesourceFile"

    • pushes .whitesource file directly into the repository with no pull request

  • "repoConfigMode": "nowhitesourceFile"

    • Removes .whitesource file requirement for Mend to scan the repository

      • If planning to override settings for individual repositories, a .whitesource file can be added manually.

For more information on the different repoConfigMode options see global-config.json - General Parameters in the Mend for Github.com documentation.

Excluding Repositories from the Integration as an Exception

There are use cases for not scanning a particular repository with Mend. For example, a repository for an internal tool that is never released. Having this information in the Mend UI will clog up the results from your deployed applications.

To exclude a repository from being scanned, the setting "ignoredRepos" needs to be set in to the global-config.json of your global configuration

CODE 
"ignoredRepos": {
  "exactNames": ["myorg/myrepo", "myorg/testrepo"]
}

Scanning Additional Branches

These settings currently only impact SCA scanning. While SAST has a baseBranches configuration setting, it currently only supports one value. To scan additional branches for SAST, a pipeline integration will need to be used.

Depending on your development flow, scanning more than the just the default branch may be needed to capture the full risk posture of a specific application. Mend has two ways to scan additional branches in the repository: Base Branches and Release Branches. These can be configured in the repo-config.json of your global repository. For most use cases, It is recommended to use Release Branches.

Release Branches

When Release Branches are configured, Mend will upload the results of release branches to the Mend UI but it will not create issues or pull requests to those branches. This can be useful for tracking specific releases of the application for compliance without creating additional noise within the repository.

Pros

Cons

Release tracking in the UI

No information about release located in Repo

Regex matching to match versioning structure of teams

Separate configuration to allow for stricter requirements

JSON 
"scanSettings": {
  "releaseBranches": ["v.*"]
}

Base Branches

Base Branches are treated the same way of the default branch in the Mend Repository. In addition to the results being uploaded the UI, Issues will be created for vulnerabilities found on the branches, and Renovate Pull Requests will be created to updates the libraries on these branches. This can be useful if multiple releases are maintained in parallel.

The default configuration of this setting is: "baseBranches":[].

When the array is empty, the integration will scan the default branch. When modifying this setting, it is important to also add the default branch name of your repositories to prevent an interruption to your scanning.

Pros

Cons

Information in the Repo and UI

Noisy

Exact matches only

CODE 
"scanSettings": {
  "baseBranches": ["v1.0", "main", "dev"]
}
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close