Security and Features of Mend for Azure Repos vs Pipeline

Overview

Mend provides a variety of tools to help companies shift left and help their developers keep their applications secure. The level of access needed for a service user is a common concern of companies implementing tooling into their environments. This article goes over the difference between scanning with Mend for Azure Repos Integration and running a scan with the Unified Agent in the Pipeline combined with other tools to shift left. A table with the differences between the integrations is provided at the bottom of the documentation.

Mend for Azure Repos

Mend for Azure Repos is the simplest way to shift left and provide your developers with feedback directly in the tool they use every day. It provides features such as automatic remediation, work item creation, feedback directly inside pull requests, as well as the ability to block pull request merges in the event of a new vulnerability getting introduced in a branch.

Required Permissions

PAT Token

Mend for Azure Repos utilizes a service user in order to interact with the Azure repositories. The service user will create pull requests and work items based on the results of a Mend scan. The PAT token permissions are needed in order for the integration to access the API endpoints it requires.

Mend for Azure Repos requires one of the following PAT Token configurations:

Full Scope:

  • Organization → All accessible organizations

  • Scopes → Full Access

Reduced Scope:

  • Organization → All Accessible Organizations

  • Work Items → Read & Write

  • Code → Read & Write

  • Tokens → Read & Manage

With the reduced-scope PAT token, the integration loses the ability to write commit comments, which provide finer-grained feedback to your developers; they will still get commit statuses stating whether the scan found vulnerabilities or passed. With only commit statuses, developers and the security team currently lose the ability to troubleshoot scans easily with strictMode=warning.

The Mend integration needs the “All Accessible Organizations” option checked specifically. This is different than manually selecting every single organization, because “All Accessible Organizations” creates what is called a “full-scoped PAT”, which has a different permission set.

NOTE: If you do not see “All Accessible Organizations” available in the Organizations drop-down, you might have a policy in place in Azure Active Directory that prevents the creation of a global PAT. The Mend user will need to be allowed to create a global PAT. The Mend Service User will never be able to access an organization it has not been explicitly added to.

Project Permissions

The Mend Service user needs to be added as a Project Administrator to each project you wish to scan. This level of permission is required for the integration to create the service hooks needed to detect events that will trigger a scan and create pull requests.

Pipeline

If the permissions needed for Mend for Azure Repos are too broad, you can achieve a similar setup using a combination of three different Mend tools:

  • Scanning in the Pipeline with the Unified Agent or Mend CLI

  • Using the customized Professional Services script to create work items

  • Renovate to keep dependencies up to date

Required permissions for Mend pipeline scanning vary and are documented with each tool. For details, see the additional links below.

Scanning your open source packages

Scanning your open source packages can be easily added to an existing build pipeline with either the Mend CLI or the Mend Unified Agent. Which tool you use depends on which languages need to be supported. The Unified Agent currently supports more languages and is more configurable; the supported languages are listed in the Additional Links section. The Mend Professional Services team has provided examples of how to add either scanner to your existing pipeline YAML file, which can also be found in the Additional Links section.

Permissions

Mend Scanners do not need Azure permissions in order to run. If you have the “Enforce User Level Access” setting enabled under the “Integrate” tab of your Mend UI, you will need a user key in order for the scanner to send results to the Mend UI. We recommend you utilize a service user for this authentication which can be managed here.
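The following Azure Pipelines step is an added example (not from the Mend documentation or the Professional Services examples) showing the point above in practice: the Unified Agent scan needs no Azure DevOps PAT, only Mend credentials, and the service user's userKey is kept in a secret pipeline variable that is mapped into the step explicitly. The variable names MEND_API_KEY, MEND_USER_KEY and MEND_URL, and the assumption that a wss-unified-agent.config file is committed at the repository root, are mine.

```yaml
# Added example pipeline (assumed variable names, not Mend's own sample).
# MEND_API_KEY, MEND_USER_KEY and MEND_URL are defined as *secret* pipeline
# variables in the Azure DevOps UI or a variable group; no Azure PAT is needed.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  - checkout: self

  - bash: |
      set -euo pipefail
      # Fetch the Unified Agent jar; pin a version in a real pipeline.
      curl -sSfLO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
      # -userKey is the key of the Mend *service user*, required when
      # "Enforce User Level Access" is enabled in the Mend UI.
      java -jar wss-unified-agent.jar \
        -c "$(Build.SourcesDirectory)/wss-unified-agent.config" \
        -d "$(Build.SourcesDirectory)" \
        -apiKey "$MEND_API_KEY" \
        -userKey "$MEND_USER_KEY" \
        -wss.url "$MEND_URL" \
        -product "$(System.TeamProject)" \
        -project "$(Build.Repository.Name)"
    displayName: Mend Unified Agent scan
    env:
      # Secret variables are never exposed to scripts as environment
      # variables unless mapped here; mapping them keeps them out of the
      # inline script text and out of the pipeline logs.
      MEND_API_KEY: $(MEND_API_KEY)
      MEND_USER_KEY: $(MEND_USER_KEY)
      MEND_URL: $(MEND_URL)
```

Mark all three variables as secret when you create them so that Azure DevOps masks them in logs; the build agent's own identity (System.AccessToken) is not used at all.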

Additional Links

  • Mend CLI vs. Unified Agent

  • Getting Started With the Unified Agent

  • Scan with the Mend CLI

  • Mend CLI Supported Languages

  • Mend Toolkit Azure Pipeline Example

Professional Services tool for Work items

The Mend Professional Services team has created a pipeline script to turn your Mend SCA results into work items. This will allow your developers to consume the results within their repo integration instead of going over to the Mend UI. You can find information on the tool and how to install it here.

Permissions

PAT Token:

  • Work Items → Read & Write

  • Project and Team → Read & Write

Project level Permissions:

  • Create Tag Definition → Allow

  • Manage Project Properties → Allow

  • View Permissions for this node → Allow

Renovate for PRs

Mend Renovate can be installed in another Azure pipeline to keep your open source dependencies up to date automatically. Documentation for Renovate can be found here.

Permissions

PAT Token:

  • Code → Read & Write

Project level Permissions:

  • View Permissions for this node → Allow

Repository Permissions:

  • Contribute → Allow

  • Contribute to pull requests → Allow

  • Create branch → Allow

  • Read → Allow
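The scheduled Azure pipeline below is an added example (not from the Mend or Renovate documentation) of running Renovate with a PAT limited to the Code → Read & Write scope listed above, rather than with a broader token. The secret variable name RENOVATE_PAT is an assumption; the RENOVATE_* environment variables are Renovate's documented way of passing platform, endpoint, token and repository settings.

```yaml
# Added example pipeline (assumed variable name RENOVATE_PAT, a secret variable
# holding a PAT whose only scope is Code → Read & Write on the target project).
schedules:
  - cron: '0 3 * * *'
    displayName: Nightly Renovate run
    branches:
      include: [main]
    always: true

trigger: none

pool:
  vmImage: ubuntu-latest

steps:
  - bash: |
      set -euo pipefail
      # Commits made by the PRs need an author identity on this agent.
      git config --global user.email 'renovate-bot@example.com'
      git config --global user.name 'Renovate Bot'
      npx renovate
    displayName: Renovate dependency updates
    env:
      RENOVATE_PLATFORM: azure
      # Organization URL of this pipeline, e.g. https://dev.azure.com/<org>/
      RENOVATE_ENDPOINT: $(System.CollectionUri)
      # Mapped explicitly because secret variables are not auto-exposed.
      # With Contribute, Contribute to pull requests, Create branch and
      # Read allowed on the repository, this scope suffices for branches and PRs.
      RENOVATE_TOKEN: $(RENOVATE_PAT)
      # Scan only this repository (Azure format is project/repository).
      RENOVATE_REPOSITORIES: $(System.TeamProject)/$(Build.Repository.Name)
```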

Quick Reference

Permissions

Mend for Azure Repos Full Scope PAT

  PAT Token

    • Organization → All accessible organizations

    • Scopes → Full Access

  Project level

    • Project Administrator

Mend for Azure Repos Reduced Scope PAT

  PAT Token

    • Organization → All accessible organizations

    • Work Items → Read & Write

    • Code → Read & Write

    • Tokens → Read & Manage

  Project level

    • Project Administrator

Pipeline Scan + Work item script + Renovate

  PAT Token

    • Code → Read & Write

    • Work Items → Read & Write

    • Project and Team → Read & Write

  Project level

    • Create Tag Definition → Allow

    • Manage Project Properties → Allow

    • View Permissions for this node → Allow

  Repository Permissions

    • Contribute → Allow

    • Contribute to pull requests → Allow

    • Create branch → Allow

    • Read → Allow

Feature                      | Full Scope PAT | Reduced Scope PAT | Pipeline Scan + Work item script + Renovate
-----------------------------+----------------+-------------------+--------------------------------------------
Work Item Generation         | Yes            | Yes               | Yes with Work Item Script
Automated PRs                | Yes            | Yes               | Yes with Renovate
Mend Security Checks         | Yes            | Yes               | No
Feedback on Commit Status    | Yes            | Yes               | No
Feedback on Commit Comments  | Yes            | No                | No
