Security and Features of Mend for Azure Repos vs Pipeline
Overview
Mend provides a variety of tools to help companies shift left and help their developers keep their applications secure. The level of access needed for a service user is a common concern of companies implementing tooling into their environments. This article goes over the difference between scanning with Mend for Azure Repos Integration and running a scan with the Unified Agent in the Pipeline combined with other tools to shift left. A table with the differences between the integrations is provided at the bottom of the documentation.
Mend for Azure Repos
Mend for Azure Repos is the simplest way to shift left and provide your developers with feedback directly in the tool they use every day. It provides features such as automatic remediation, work item creation, feedback directly inside pull requests, as well as the ability to block pull request merges in the event of a new vulnerability getting introduced in a branch.
Required Permissions
PAT Token
Mend for Azure Repos utilizes a service user in order to interact with the Azure repositories. The service user will create pull requests and work items based on the results of a Mend scan. The PAT token permissions are needed in order for the integration to access the API endpoints it requires.
Mend for Azure Repos requires one of the following PAT Token configurations:
Full Scope:
Organization → All accessible organizations
Scopes → Full Access
Reduced Scope:
Organization → All Accessible Organizations
Work Items → Read & Write
Code → Read & Write
Tokens → Read & Manage
With the reduced scope PAT token, the integration loses the ability to write commit comments, which provide finer-grained feedback to your developers; they will still get commit statuses stating whether the scan has vulnerabilities or has passed. With only commit statuses, developers and the security team currently lose the ability to troubleshoot scans easily with strictMode=warning.
The Mend integration needs the “All Accessible Organizations” option checked specifically. This is different than manually clicking every single organization, because checking “All Accessible Organizations” creates what is called a “full-scoped PAT”, which has a different permission set.
NOTE: If you do not see “All Accessible Organizations” available in the Organizations drop down, you might have a policy in place with Azure Active Directory that prevents the creation of a global PAT. The Mend user will need to be allowed access to create a Global PAT. The Mend Service User will never be able to access an org it hasn’t been explicitly added to.
Project Permissions
The Mend Service user needs to be added as a Project Administrator to each project you wish to scan. This level of permission is required for the integration to create the service hooks needed to detect events that will trigger a scan and create pull requests.
Pipeline
If the permissions needed for Mend for Azure Repos are too broad, you can achieve a similar setup using a combination of three different Mend tools:
Scanning in the Pipeline with the Unified Agent or Mend CLI
Using the customized Professional Services script to create work items
Renovate to keep dependencies up to date
Required permissions for Mend pipeline scanning vary and are documented with each tool. For details, see the additional links below.
Scanning your open source packages
Scanning your open source packages can be easily added to an existing build pipeline with either the Mend CLI or the Mend Unified Agent. Which tool you use depends on what languages need to be supported. The Unified Agent currently supports more languages and is more configurable; the supported languages are listed in the Additional Links section. The Mend Professional Services team has provided examples of how to add either scanner to your existing pipeline YAML file, which can also be found in the Additional Links section.
Permissions
Mend Scanners do not need Azure permissions in order to run. If you have the “Enforce User Level Access” setting enabled under the “Integrate” tab of your Mend UI, you will need a user key in order for the scanner to send results to the Mend UI. We recommend you utilize a service user for this authentication which can be managed here.
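The following Azure Pipelines job is an added illustration of the setup described above; it is not the Mend Toolkit example referenced in the Additional Links and was not written by Mend. It runs the Unified Agent after the build with no Azure PAT at all, passing the Mend API key and user key as mapped secret variables rather than on the command line. The variable group name (mend-secrets), the secret variable names (MEND_API_KEY, MEND_USER_KEY) and the agent URL are assumptions; substitute your own values.

```yaml
# Added example, not Mend's own pipeline template.
# Assumed: a variable group "mend-secrets" holding the secret variables
# MEND_API_KEY and MEND_USER_KEY (Mend service-user credentials, not an Azure PAT).
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

variables:
  - group: mend-secrets

steps:
  # Resolve dependencies first so the scanner sees the real dependency tree.
  - script: |
      npm ci
    displayName: 'Build'

  - script: |
      # Download URL as published in the Unified Agent documentation.
      curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
      # Keys are read from the WS_* environment variables below, so they
      # never appear in the command line or in the pipeline log.
      java -jar wss-unified-agent.jar \
        -d "$(Build.SourcesDirectory)" \
        -projectName "$(Build.Repository.Name)" \
        -productName "$(System.TeamProject)"
    displayName: 'Mend SCA scan'
    env:
      # Secret variables are not exported to the environment automatically;
      # mapping them here is the only place they are referenced.
      WS_APIKEY: $(MEND_API_KEY)
      # Only required when "Enforce User Level Access" is enabled in the Mend UI.
      WS_USERKEY: $(MEND_USER_KEY)
      # Placeholder: use the agent URL of your own Mend instance.
      WS_WSS_URL: https://saas.mend.io/agent
```

Because the job authenticates to Mend only, the Azure service user behind this scan needs nothing beyond the permission to run the pipeline; the broader PAT scopes listed for the Mend for Azure Repos integration are not involved. If the user key is omitted while user-level access enforcement is enabled, the scan runs but the results will not be accepted by the Mend UI, which is the failure mode to check first when results do not appear.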
Additional Links
Getting Started With the Unified Agent
Mend Toolkit Azure Pipeline Example
Professional Services tool for Work items
The Mend Professional Services team has created a pipeline script to turn your Mend SCA results into work items. This will allow your developers to consume the results within their repo integration instead of going over to the Mend UI. You can find information on the tool and how to install it here.
Permissions
PAT Token:
Work Items → Read & Write
Project and Team → Read & Write
Project level Permissions:
Create Tag Definition → Allow
Manage Project Properties → Allow
View Permissions for this node → Allow
Renovate for PRs
Mend Renovate can be installed in another Azure pipeline to keep your open source dependencies up to date automatically. Documentation for Renovate can be found here.
Permissions
PAT Token:
Code → Read & Write
Project level Permissions:
View Permissions for this node → Allow
Repository Permissions:
Contribute → Allow
Contribute to pull requests → Allow
Create branch → Allow
Read → Allow
Quick Reference
| | Mend for Azure Repos Full Scope PAT | Mend for Azure Repos Reduced Scope PAT | Pipeline Scan + Work item script + Renovate |
|---|---|---|---|
| Permissions | PAT Token, Project level | PAT Token, Project level | PAT Token, Project level, Repository Permissions |
| Work Item Generation | Yes | Yes | Yes with Work Item Script |
| Automated PRs | Yes | Yes | Yes with Renovate |
| Mend Security Checks | Yes | Yes | No |
| Feedback on Commit Status | Yes | Yes | No |
| Feedback on Commit Comments | Yes | No | No |