Silent Rollout for Repository Integrations

Reason for Silent Rollout

The default installation process for Mend Repository Integrations can be disruptive. By creating pull requests with a .whitesource file and checkruns in every scanned repository, it can clutter the development workflow, especially if other pipelines are already using the Source Code Management (SCM) system for existing pipelines. In these cases, those pipelines might get blocked until the "Mend Security Check" finishes. To avoid this interruption, Mend recommends a "silent rollout" approach, where scans are still performed but the results are only reflected within the Mend UI. This allows development teams to review the findings at their own pace without any immediate changes to their code repositories.

Here are the steps required to achieve this:

Initial Setup - Creating an initial configuration repository.
Integration Installation - Only give the integration access to the configuration repository
Repository Configuration - Set the appropriate settings in the global configuration repository.
Integration Rollout - Giving the integration access to desired repositories.
Gradual Implementation - Gradually implement repositories, slowly implementing issue creation, PR creation, and blocking builds.

Initial Setup

If you are using the Mend Developer Platform for BitBucket Cloud, then no files will need to be created. All configuration is done from the Platform itself.

If your organization requires branch protection rules on all repositories, do not worry, you can copy and paste the configurations from the example repository into yours.

First, create a dedicated repository named whitesource-config before installing the Mend Repository Integration. If your organization requires branch protection rules, then the organization should be configured to allow the Mend Bot to bypass branch protection rules (if this goes against your organization's policies, then these files can still be created manually):

Mend for Github.com

The following instructions to create a RuleSet will create a branch protection rule while allowing the Mend Bot to bypass these restrictions. These should be used in place of a branch protection rule and not alongside them.

Go to your whitesource-config repository → Settings → Rules → Rulesets
Create a new RuleSet with the following information:
- Ruleset Name: Mend Bot Bypass
- Enforcement Status: Active
- Bypass list: Mend for GitHub.com App
- Target branches: <your default branch>
- Rules:
  - Restrict deletions
  - Require a pull request before merging (add any extra rules needed here).
  - Block force pushes

Mend for Azure Repos

Go to your whitesource-config project → Project Settings → Repositories → whitesource-config → Security tab
Click on your Mend Bot user
Bypass policies when pushing: Allow

Mend for BitBucket Cloud

Bypassing Branch Protection Rules is not supported in Mend for Bitbucket Cloud as the Bitbucket app is what executes the integration. It is recommended to manually create the files yourself before installing the integration.

Mend Developer Platform for BitBucket Cloud

For Mend Developer Platform for BitBucket Cloud, a whitesource-config repository is not needed.

Integration Installation

When installing the Integration, It is important to ensure the Mend Repository Integration will only have access to the whitesource-config repository. Otherwise, it will immediately begin scanning all accessible repositories, potentially overwhelming the system.

Mend Developer Platform for BitBucket Cloud works different from other repository integrations and does not require a whitesource-config repository, this integration should be installed on a test repository of your choosing.

Afterwards, install and configure the integration to only access whitesource-config following the specific instructions for your SCM below:

Mend for GitHub.com

Follow the appropriate steps to Install Mend for GitHub.com.
- choose “Only select repositories” when installing the app
Add the whitesource-config repository to the list.

Mend for Azure Repos

Follow the appropriate steps to Install Mend for Azure Repos.
Go to the whitesource-config project created for this and go to “Project Settings”
Go to the Users and add the Bot user created for the purposes of the integration as a Project Administrator.

Mend for BitBucket Cloud

Follow the appropriate steps to Install Mend for Bitbucket Cloud (old integration).
The whitesource-config project/repository should have been created during installation.
You can use includedRepos.exactNames = [ "whitesource-config/whitesource-config" ] to denote that no other repositories should be on-boarded.

Mend Developer Platform for BitBucket Cloud

Follow the appropriate steps to Install Mend Developer Platform for Bitbucket Cloud.
- When specifying repositories, specify “Only selected repositories” and select your test repository.
- When choosing the scan behavior, specify “Scan Only”.

Hold off on giving the integration permissions on other repositories for now. After giving the integration access to this repository, then two new files will be created, a global-config.json and a repo-config.json. These two files make up the global configuration for your integration, and will house all of the defaults for all repositories that are scanned.

Repository Configuration

For complete examples of each repo-config.json file, please refer to the mend-examples repository.

This configuration file describes the default settings that every repository will take. If your repo-config.json file has already been created, then you will need to edit the contents of the file to add some settings. Some of these settings will be the same across all repository integrations:

issueSettings.minSeverityLevel = "NONE"
remediateSettings.workflowRules.enabled = false

Afterwards, one section of settings differs across all of the repository integrations:

Mend for Github.com

checkRunSettings.vulnerableCheckRunConclusionLevel="NONE"

Mend for Azure Repos

pullRequestStatusSettings.vulnerablePullRequestStatus="NONE"

Mend for BitBucket Cloud

buildSettings.createBuildStatus=false

Mend Developer Platform for BitBucket Cloud

These settings should not need to be changed if you set “Scan Only” in the scan behavior when installing.

These settings should not be considered comprehensive. If other settings such as “Host Rules” for Private Registry Access are required as well, then please add those to this configuration.

Global Configuration

Initially, the global-config.json file has repoConfigMode="createOnboardingPR" in it. This should be changed to: repoConfigMode="nowhitesourceFile", which will prevent any “On-boarding Pull Requests” from getting created upon giving the integration access to a repository. If the repository needs its own settings that override the global configuration, a .whitesource file can still be created and used as normal.

Integration Rollout

After completing these steps, the Mend Repository Integration will automatically scan all accessible repositories. Be aware that cloud-based deployments are limited to 6 concurrent scans. So, for a large number of repositories, the initial scan process might take some time.

Once the above configuration files are created properly, then you are ready to start rolling out repositories. Here are some steps to do this for each SCM system:

Mend for Github.com

Go to your GitHub Organization → Settings → GitHub Apps → Mend for GitHub.com → Configure
Scroll down to “Repository Access”, choose “Only select repositories” and select a few repositories for initial testing.
Click Save.

The “Mend for GitHub.com” Repository Integration will start scanning the repositories that you have selected, and after a short period of time you should start seeing SCA results in the Mend UI. Once you have confirmed that the scans are executing properly, then you can set the “Repository access” to “All repositories” and continue to monitor the integration from there.

Mend for Azure Repos

Go to a couple of different projects that you would like to start scanning and add the Service User that was created to the project as a Project Administrator. These projects will be used for testing.
After a short period of time you should start seeing SCA results in the Mend UI.
If you would like to control which apps are accessible to the integration from the

Once you have confirmed that the scans are executing properly, then you can add the Service User to your other projects and continue to monitor the integration from there.

If the service user is added to a project and no scan is created in the Mend Platform, then it is possible that the integration needs it’s projects synced. To do this go to: Mend UI → Gear Icon in the Top Right → Integrations → Azure Repos → Sync Projects.

Mend for BitBucket Cloud

Go to your whitesource-config repository.
Add a couple of different repositories into the includedRepos.exactNames = [] JSON array for testing.
- This should be in the format of: "workspaceName/repositoryName".
After a short period of time you should start seeing SCA results in the Mend UI.

Once you have confirmed that the scans are executing properly, then you can add more repositories to the integration. Once you are confident the scans are running properly, then you can onboard all repositories by changing includedRepos.exactNames to ignoredRepos.exactNames = []. If you want the integration to not scan specific repositories, then add them to that list.

Mend Developer Platform for BitBucket Cloud

Go to a couple of different repositories from within the platform → Select Settings → Open-Source Security → Enable to start onboarding repositories to scan.

Once you have confirmed that the scans are executing properly, then you can enable more repositories. Once you are confident all repositories will be scanned without issue, then you can enable all repositories.

Gradual Implementation

After the Mend Repository integration has finished scanning all of your repositories, then users can slowly start introducing check statuses for the scans, issues for vulnerabilities, and fix pull requests as well. The proper way to do this would be to create a .whitesource file in the repositories that are ready for it, and override any settings that are in the repo-config.json file. For instance:

Mend for Github.com

JSON

{
  "settingsInheritedFrom": "<gh-org>/whitesource-config@main",
  "checkRunSettings": {
    "vulnerableCheckRunConclusionLevel": "success"
  },
  "issueSettings": {
    "minSeverityLevel": "CRITICAL"
  },
  "remediateSettings": {
    "workflowRules": {
      "enabled": true
    }
  }
}

This configuration will:

Turn on checkruns, but not make them fail if Security Vulnerabilities are present.
Only report on Critical Vulnerabilities in checkruns due to the setting checkRunSettings.failOnVulnerabilityMinSeverity=CRITICAL in the repo-config.json.
Override issueSettings.minSeverityLevel=NONE to CRITICAL, which will only open up issues for security vulnerabilities that have “CRITICAL” severity.
Override remediateSettings.workflowRules.enabled=false to true, which will allow remediate to open up fix pull requests for the vulnerabilities detected from the scans.

Mend for Azure Repos

JSON

{
  "settingsInheritedFrom": "<azdo-project>/whitesource-config@main",
  "pullRequestStatusSettings": {
    "vulnerablePullRequestStatus": "success"
  },
  "issueSettings": {
    "minSeverityLevel": "CRITICAL"
  },
  "remediateSettings": {
    "workflowRules": {
      "enabled": true
    }
  }
}

This configuration will:

Turn on check statuses, but not make them fail if Security Vulnerabilities are present.
Only report on Critical Vulnerabilities in checkruns due to the setting issueSettings.minSeverityLevel=NONE to CRITICAL, this will also only open up issues for security vulnerabilities that have “CRITICAL” severity.
Override remediateSettings.workflowRules.enabled=false to true, which will allow remediate to open up fix pull requests for vulnerabilities detected from the scans.

Mend for BItBucket Cloud

JSON

{
  "settingsInheritedFrom": "<bb-workspace>/whitesource-config@main",
  "buildSettings": {
    "createBuildStatus": true,
    "failBuilds": false
  },
  "issueSettings": {
    "minSeverityLevel": "CRITICAL"
  },
  "remediateSettings": {
    "workflowRules": {
      "enabled": true
    }
  }
}

This configuration will:

Turn on check statuses, but not make them fail if Security Vulnerabilities are present.
Only report on Critical Vulnerabilities in checkruns due to the setting issueSettings.minSeverityLevel=NONE to CRITICAL, this will also only open up issues for security vulnerabilities that have “CRITICAL” severity.
Override remediateSettings.workflowRules.enabled=false to true, which will allow remediate to open up fix pull requests for vulnerabilities detected from the scans.

For the Developer Platform, changing settings is slightly different. Instead you just need to change the sliders in the specific repository that are necessary. For instance:

Mend Developer Platform for BitBucket Cloud

In the future, once all teams are confident that their repositories will work with a specific setting, then that setting can be migrated to the repo-config.json file, and removed from the repositories' local .whitesource files, or for the Developer Platform, implement the setting at the workspace level.