Mend SCA Scanning Methods Compared
This article compares the three SCA (Software Composition Analysis) scanning mechanisms offered by Mend — Mend CLI, Unified Agent (UA), and Mend Repository Integration — and provides practical guidance for migrating from the Unified Agent to the Mend CLI in CI/CD pipelines.
Overview of the Three Scanning Methods
Mend CLI
The Mend CLI is the next-generation, recommended scanner for pipeline and desktop use. Beyond SCA, it also supports SAST (code scanning), container image scanning, and AI component detection. It is designed to work optimally out of the box, with minimal configuration — the CLI determines the best resolution parameters for each language automatically.
Key characteristics:
Natively supports major ecosystems: Maven, Gradle, sbt, npm, Yarn, pip, conda, uv, Composer, Bundler, Go Modules, Conan, CocoaPods, SwiftPM, and .NET (NuGet).
For package managers not natively supported, the CLI silently falls back to the Unified Agent engine under the hood. Any package manager supported by the UA is reachable through the CLI in this way; however, in this silent fallback mode, UA configuration cannot be customized via config files or environment variables — the CLI automatically detects and applies the required parameters. If you need to fine-tune UA settings, use the explicit UA-via-CLI mode instead.
New SCA features (e.g., reachability analysis) are developed exclusively for the Mend CLI.
Does not support scanning binary files or archive extraction.
Offers a limited, intentionally streamlined set of configuration options — most tuning is automatic.
Does not perform pre-build steps; the application must be built and dependencies installed before scanning.
Unified Agent (UA)
The Unified Agent is the classic, legacy scanner that has been available for many years. It performs SCA analysis only and supports a very broad range of languages and package managers, including many niche ecosystems.
Key characteristics:
Supports a very large number of languages and package managers, including legacy ones (Ant, Bower, Paket, Dep, Godep, Hex, Cabal, R, Bazel, and more).
Offers highly granular configuration with hundreds of parameters, including per-package-manager settings.
Supports binary file matching and archive extraction (configurable via
archiveExtractionDepth).Can perform pre-build steps (
runPreStep) for many package managers.Does not support reachability analysis (the UA had a legacy Mend Prioritize feature for prioritizing findings, but it is no longer being developed — reachability in the Mend CLI is the recommended successor) or project/application labeling.
Currently supported, but no longer receives new SCA feature development.
Mend Repository Integration
The Mend Repository Integration (e.g., Mend for GitHub Enterprise) provides automated SCA scanning triggered by repository events (pushes, pull requests). It relies on an orchestrator layer known as the sca-wrapper, which delegates scanning to either the Unified Agent or the Mend CLI depending on the language.
Key characteristics:
The orchestrator primarily uses the Unified Agent for any language it supports natively.
For languages or package managers not supported by the UA but supported by the Mend CLI (e.g., Conan, uv), the CLI is used instead.
For self-hosted instances of the repo integration, the sca-wrapper orchestrator must be explicitly activated by setting the
MEND_SCA_ORCHESTRATOR_ENABLED=trueenvironment variable in the scanner container. If not activated, all scans will use the Unified Agent exclusively. Note: enabling the orchestrator is also a hard requirement for using the Reachability feature in the repo integration — without it, reachability analysis will not run.Some UA configuration defaults differ from the standalone UA (see Unified Agent Configuration for Native Integration). Notable differences:
aggregateModulesis alwaystrue(one project per branch).projectPerFolderis alwaysfalse.npm.ignoreScriptscannot be set tofalse(security restriction).Pre-step execution (
runPreStep) is enabled by default for most package managers.
Before the actual scan, the integration runs a Pre-Scan Builder (PSB) stage that automatically prepares the scanning environment. The PSB detects manifest files, verifies private registry connectivity, configures package managers, and executes pre-build commands. This means environment setup that you would manage manually when running the standalone UA in a pipeline is handled automatically in the repo integration.
Supports binary matching and archive scanning (same capabilities as the standalone UA).
Supports reachability analysis when enabled in the integration configuration (requires the sca-wrapper orchestrator to be active — see above).
Fine-tuning the underlying UA scanning parameters is possible by setting
configModetoLOCALin the repo integration settings and providing a localwhitesource.config(or.whitesource.config) file in the repository root. This allows overriding specific UA parameters for the scan.
Pipeline Scanning: UA vs. Mend CLI
When scanning in a CI/CD pipeline, you choose either the Mend CLI or the Unified Agent. The table below summarizes the key behavioral differences — understanding these is essential both for choosing between the two and for planning a migration.
Aspect | Mend CLI | Unified Agent |
|---|---|---|
Scan types | SCA, SAST, Containers, AI components | SCA only |
Configuration philosophy | Minimal — automatic optimization | Granular — hundreds of parameters |
Native language support | Major ecosystems (see support matrix) | Very broad, including legacy ecosystems |
Fallback for unsupported languages | Silently uses UA engine internally | N/A |
Binary matching | Not supported | Supported |
Archive extraction | Not supported | Supported (configurable depth 0–10) |
Reachability analysis | Supported (Java, JS, Python, C/C++, C#) | Not supported (legacy Prioritize feature, no longer developed) |
Pre-build steps | Not performed — build before scanning | Configurable per package manager |
Module aggregation | Always aggregates by default | Requires explicit |
Dev dependencies | Excluded by default ( | Included by default for many ecosystems |
File system scan (source matching) | Opt-in via | Enabled by default ( |
New feature development | Active | No new features |
For additional details, see Mend CLI vs Unified Agent.
Migrating from UA to Mend CLI
For pipeline users, Mend recommends transitioning to the Mend CLI. The migration is straightforward for most common use cases, but the behavioral differences above mean some configuration adjustments are needed. Full migration guide: Migrating to the Mend CLI from the Unified Agent.
Step 1: Replace the Scanner Binary
Replace the UA download/execution step in your pipeline with the Mend CLI download.
Step 2: Set Authentication
The Mend CLI uses environment variables for authentication (the UA supports this as well — see Configuring the UA by Environment Variables). The key authentication mapping is:
UA Parameter | Mend CLI Environment Variable | Notes |
|---|---|---|
|
| Organization identifier |
|
| User-specific key |
N/A |
| Email associated with the Mend account |
|
| Server endpoint (e.g., |
Step 3: Map Your Configuration
Use the --scope flag to set the organization, application, and project: -s "org//app//project".
Ensure your project is fully built and dependencies are installed before running the Mend CLI scan. The CLI does not execute pre-build steps.
Parameter Translation Reference
The tables below map the most commonly used UA configuration parameters to their Mend CLI equivalents. Many UA parameters have no CLI counterpart because the CLI handles them automatically — where that is the case, the default CLI behavior is noted.
General Scanning Parameters
UA Parameter | Mend CLI Equivalent | Notes |
|---|---|---|
|
| Target directory for the scan (defaults to current directory) |
|
| The "product" concept maps to "application" in the CLI scope hierarchy |
|
| Project is the third segment of the scope |
|
| CLI exits with code 9 on policy violations |
| N/A | The CLI always uploads when |
|
| CLI default is local-only (no upload) — add |
|
| Generates a local dependencies file without server connectivity; upload later via |
|
| Fail if any resolution step encounters an error |
| Enabled by default | CLI resolves all detected package managers; disable specific ones via |
|
| Accepts: INFO, DEBUG, WARNING, ERROR |
|
| CLI logs to |
Include/Exclude and File Patterns
UA Parameter | Mend CLI Equivalent | Notes |
|---|---|---|
|
| CLI uses glob-format comma-separated paths; built-in exclusions cover common patterns ( |
Default folder exclusions |
| Use this flag to disable the CLI's built-in exclusions if you need to scan test/docs/example directories |
|
| The CLI does not perform file system scanning by default — use |
| Default behavior | The CLI does not scan source files unless |
Dependency Handling
UA Parameter | Mend CLI Equivalent | Notes |
|---|---|---|
|
| CLI excludes dev dependencies by default |
| Default behavior | CLI always aggregates modules |
| Default behavior | CLI always aggregates modules |
|
| Enabled by default for all PMs. Pattern applies to all supported package managers (e.g., |
|
| Comma-separated list of Gradle configurations to exclude |
|
| Exclude specific Maven modules/subprojects (e.g., |
Output and Reporting
UA Parameter | Mend CLI Equivalent | Notes |
|---|---|---|
JSON output via config |
| CLI defaults to table output |
|
| Exports results to a JSON file |
|
| Tagging syntax differs |
N/A |
| Project/app labeling is CLI-only (deprecated in favor of |
Docker / Container Scanning
UA Parameter | Mend CLI Equivalent | Notes |
|---|---|---|
|
| Container scanning is a separate CLI command, not part of |
Proxy Configuration
UA Parameter | Mend CLI Equivalent | Notes |
|---|---|---|
|
| CLI uses standard environment variables |
| (included in proxy URL) | e.g., |
| (included in proxy URL) | e.g., |
UA Features with No Mend CLI Equivalent
The following UA capabilities have no direct equivalent in the Mend CLI. If your workflow depends on these, you may need to retain the UA for those specific use cases or adjust your approach:
UA Feature | Status in Mend CLI |
|---|---|
Binary file matching | Not supported |
Archive extraction ( | Not supported |
| Not supported |
Per-package-manager | Not supported — build externally before scanning |
| Not supported — CLI always overrides |
| Not supported |
| Not supported |
| Not supported — CLI determines optimal resolution parameters automatically |
| Not supported |
If you need any of these UA-specific features but want to use the Mend CLI as your single entry point, you can run a UA scan through the CLI. In this mode, the scan is exactly equivalent to running the standalone UA — including full support for UA configuration via config files and environment variables (unlike the CLI's silent fallback mode, where UA configuration cannot be customized). Note that package managers that are only supported by the Mend CLI natively (e.g., Conan, uv) will not be available. See Use the Mend CLI to Run a Unified Agent Scan.
Example: Before and After
Unified Agent pipeline step:
java -jar wss-unified-agent.jar \
-apiKey $WS_APIKEY \
-product MyProduct \
-project MyProject \
-d /path/to/code \
-c whitesource.configWith whitesource.config:
checkPolicies=true
forceUpdate=true
maven.aggregateModules=true
npm.includeDevDependencies=false
fileSystemScan=falseEquivalent Mend CLI pipeline step:
export MEND_URL=https://saas.mend.io
export MEND_EMAIL=user@example.com
export MEND_USER_KEY=$MEND_USER_KEY
mend dep -u --fail-policy -s "MyOrg//MyProduct//MyProject" -d /path/to/codeNo additional config file is needed — the CLI defaults already match the UA configuration shown above (modules are aggregated, dev dependencies are excluded, and file system scanning is off by default).
Repository Integration Scanning
Within the repo integration, you do not choose which scanner runs — the sca-wrapper orchestrator decides:
UA is used for the majority of languages that the UA supports natively (Java/Maven, Java/Gradle, JavaScript/npm, Python/pip, Ruby, Go, PHP, C#/.NET, etc.).
Mend CLI is used only for ecosystems not supported by the UA but supported by the CLI (e.g., Conan, uv).
This means the repo integration generally behaves like the Unified Agent with integration-specific default overrides. If you need to fine-tune scanning parameters (e.g., includes, excludes, archiveExtractionDepth, or per-package-manager settings), set configMode to LOCAL and provide a whitesource.config file in the repository.
If you observe differences between repo integration results and standalone UA scans, these are typically caused by: (1) differences in configuration default values between the two contexts, (2) differences in the package manager versions available in the scanning environment (either in PATH or in the scanner container image), and (3) how scanner-level package manager settings are configured (e.g., python.path, python.pipPath). Aligning these factors across environments will produce consistent results.
Quick-Reference: Choosing the Right Method
Scenario | Recommended Method |
|---|---|
CI/CD pipeline scanning (standard ecosystems) | Mend CLI |
Reachability analysis needed | Mend CLI |
Binary matching or archive extraction needed | Unified Agent (or Mend CLI wrapping UA) |
Legacy/niche package manager (Ant, Bower, Paket, Bazel, etc.) | Mend CLI — silently falls back to the UA engine for any UA-supported language; for fine-grained UA configuration, use the explicit UA-via-CLI mode |
Automated repo-level scanning (push/PR triggers) | Repository Integration |
Fine-tuned repo integration scanning | Repository Integration with |