Wrapping up Mend for Github.com Rollout
This document focuses on executing the onboarding decisions made in the following documents:
Mend Platform Rollout Overview
Cloud Repository Rollout
Setting up the Mend UI for Github.com Integration
Configure and Enable Mend for Github.com
Enabling Results Consumption in Mend For Github.com
Please read the previous documents prior to continuing.
Retrieving Scan Logs
When running into issues with scans, the scan logs are a helpful troubleshooting tool. To retrieve scan logs, create a “ws-logs” repository in each GitHub Organization and give the Mend app access to that repository.
These logs can only be retrieved by running a manual scan from your global configuration repository. Instructions for manually triggering a scan can be found in the Mend for GitHub.com documentation.
Enable Mend for Pilot Repositories
Once a global configuration has been set up and all the desired settings have been applied, it is time to start rolling out Mend to your pilot teams by adding their code repositories to the integration. By default, the integration allows development teams to “opt in” by accepting a pull request that adds a .whitesource configuration file to their repository; that file inherits from your global configuration. Once a developer accepts this pull request, Mend starts a scan of the base branch of that repository.
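As an added illustration, not content from the original document, this is the shape a minimal per-repository .whitesource file of the kind described above can take. The key name settingsInheritedFrom, the repository name your-org/whitesource-config and the branch main are assumptions about the integration's file format and about your naming; check the key against the current Mend for GitHub.com documentation and replace the value with your own global configuration repository and branch.

```json
{
  "settingsInheritedFrom": "your-org/whitesource-config@main"
}
```

Because the file only points at the global configuration, a pilot team accepting the pull request does not change any scan or issue settings locally; those stay centrally controlled in the global configuration repository, which keeps the pilot consistent across all selected repositories.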
It is recommended to select up to 10 repositories that give a good representation of your tech stack and to give the Mend for GitHub.com App access to those repositories. Granting the App access to specific repositories, rather than to all repositories, is the only feasible way to limit the integration to a small number of repositories.
Next Steps
Congratulations on completing your Mend for GitHub.com Rollout! From here, the recommended next steps are to collect feedback from your pilot teams and tweak the integration accordingly. Once ready, you can give the App access to all repositories if using a phased approach, or turn on result consumption features if using a silent approach.
For configuration options that are more specific to individual preferences and use cases, see Mend for GitHub.com Advanced Configurations.
If you are using private registries, the integration will need to be configured to give the scanner access to those registries. See Configure Mend for GitHub.com to resolve your private dependencies for the initial setup.
The document Analyze your Results in the Mend Platform will give you a better understanding of how to view and triage your results from within the Mend Platform, while Prioritizing Findings gives a high-level overview of where to start addressing your findings.
Creating automation workflows will allow you to enforce company policies around vulnerabilities or licenses, create Jira issues, or send emails to the right teams if a new critical vulnerability is discovered.
For SAST scans, you can customize the Code Scan configurations to set up path exclusions or adjust CWE severities to match your policies.
If you wish to scan container images, Mend has two options to scan your images, detailed in Container Image Scans - Registry vs. Pipeline.