Overview

Mend Diffend Supply Chain Defender detects and blocks malicious dependency updates.

Diffend Supply Chain Defender acts as a shield between you and the wild world of open-source libraries, allowing you to define policies around the usage of libraries and their versions. Under the hood, Mend runs extensive security checks to find potential vulnerabilities and exploits.

When you run your package manager commands with our plugin, all knowledge, policies and research are combined into one easy-to-understand verdict that you or your security team can use to control and mitigate potential problems before they hit production. The Diffend Supply Chain Defender heuristics learn with each package release, and whenever anything is discovered that could pose a threat to your organization, Mend will notify you about it.

Info

Mend Diffend Supply Chain Defender supports Ruby (Bundler) and JavaScript (Yarn, npm, pnpm).

...

  1. Navigate to your organization’s projects list.

  2. Click the Setup button.

  3. In the setup view, navigate to the By applying changes manually section.

  4. To set up Mend Diffend Supply Chain Defender, create a .diffend.yml file in the main directory of the project and copy-paste the configuration settings from the UI.

  5. Follow the remaining instructions specific to the package manager you are using.

...

  1. Add our bundler plugin and our gem right after the source section of your Gemfile.

  2. Run bundle install and you are ready to go!

npm setup

  1. Install our Diffend Supply Chain Defender package:

    npm install -g https://my.diffend.io/releases/npm/stable.tgz

  2. Prefix all calls to npm with diffend:

    diffend npm install
    diffend npm i debug

  3. You can also alias all the npm commands in your shell by adding the following line to the appropriate file (~/.bash_aliases, ~/.bashrc, ~/.zshrc, ~/.config/fish/config.fish):

    alias npm='diffend npm'

  4. Run npm install and that is all.

...

  1. Import the Diffend Supply Chain Defender plugin:

    yarn plugin import https://my.diffend.io/releases/yarn/2/stable.js

  2. Run yarn install and you are ready to go!

Running

...

Supply Chain Defender Checks

The Mend Diffend Supply Chain Defender plugin runs automatically when the following commands are executed:

...

Whenever you run any of those commands, Mend Diffend Supply Chain Defender will make sure that the packages you are trying to download or use are safe and that they meet all the requirements of the organization. This process is fully automatic and you do not have to do anything.

The secure command can be used as a separate step in a CI/CD pipeline to ensure everything is as expected.

If Mend Diffend Supply Chain Defender stops the bundle process, it exits with exit code 1 and prints the security verdict URL, which you can visit for more details.
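The following is an added example, not Mend's own code: a shell wrapper for a CI pipeline step around the secure command named above. It assumes only what this page states, namely that a blocked run exits with code 1 and prints a verdict URL; the exact output line format and the stand-in command used in the demo are constructed.

```shell
# diffend_ci_step <command...>
# Runs the given command (in a real pipeline: bundle secure), and when it fails
# surfaces the verdict URL the page says is printed: the URL goes to stdout so a
# later step can record it, a summary goes to stderr, and the exit status is
# passed through unchanged so the job fails exactly when Diffend blocks.
diffend_ci_step() {
  status=0
  out=$("$@" 2>&1) || status=$?
  if [ "$status" -eq 0 ]; then
    return 0
  fi
  # The page does not fix the exact line format, only that a URL is printed,
  # so take the first http(s) URL found anywhere in the captured output.
  url=$(printf '%s\n' "$out" | grep -Eo 'https?://[^[:space:]]+' | head -n 1)
  echo "Diffend Supply Chain Defender blocked this step (exit $status); verdict: ${url:-<no URL printed>}" >&2
  printf '%s\n' "$url"
  return "$status"
}

# Constructed stand-in for a blocked `bundle secure` run, used only by the demo
# below so the block runs offline; it mimics the exit-1-plus-URL behaviour.
fake_bundle_secure() {
  echo "Verdict: blocked. Details: https://example.invalid/verdicts/123"
  return 1
}

# Stand-alone demo. In a pipeline replace the stand-in with the real command:
#   diffend_ci_step bundle secure
if diffend_ci_step fake_bundle_secure >/dev/null 2>&1; then
  echo "demo: step passed"
else
  echo "demo: step blocked, job would fail here"
fi
```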

Info

Mend Diffend Supply Chain Defender won't stop the execution of any exec commands. Instead, if needed, it issues a warning verdict in the UI.

Info

Mend Diffend Supply Chain Defender works automatically each time you run bundle commands.

...

Security verdicts are an essential part of Mend Diffend Supply Chain Defender. They ensure that all of your organization's requirements are met in the context of each bundle operation. That way we can prevent the usage of packages and package versions that could cause engineering and legal harm.

Each aspect that we check has a dedicated component called a guard. Guards can be configured or disabled in the Security guards settings section of your organization if they don't meet your requirements.

After running, Diffend Supply Chain Defender can give you one of the following verdicts:

...

Note: Direct package and version usage overrides on the verdict page do not yet work for all guards.

...

Info

Mend Diffend Supply Chain Defender is configurable because a single optimal set of settings does not exist. A lot depends on the type of organization you are in, projects you build, and customers you have.

If you have any doubts or need any help figuring out a proper setup for yourself, don't hesitate to contact us.

...

Setting up maximum verdict for particular commands

When using Mend Diffend Supply Chain Defender in a legacy system, you may notice that getting things to a stable and secure state can take a while.

To prevent Mend Diffend Supply Chain Defender from blocking all of the commands, you may lower the maximum verdict it reports.

...

Continuous Integration and Delivery environment setup

Mend Diffend Supply Chain Defender protects every crucial bundle command out of the box, but you can still easily set it up as a separate step within your Continuous Integration and Delivery system.

...

Deployment and production environment setup

Mend Diffend Supply Chain Defender requires minimal effort to make it work with the majority of ways you can deploy your applications. If there are no hints below for your way of deployment, it means that all you need to do is:

...

Info

Notifications are a great way to make sure that your team becomes aware of emerging vulnerabilities the moment they are detected.

Connecting Mend Diffend Supply Chain Defender to Slack

  1. Navigate to the Notifications settings page of your organization.

  2. Press the here link visible in the information box. You will be redirected to the Slack platform settings page.

  3. Select a channel where you want Mend Diffend Supply Chain Defender to post security notifications and press the Allow button.

  4. You will be redirected back to the Mend Diffend Supply Chain Defender notification settings page and a Slack welcome message will be sent to your workspace channel.

Notifications events

Mend Diffend Supply Chain Defender sends messages based on events that occur while protecting your applications. Below you can find a list of the events that trigger notifications, together with their short descriptions and other useful details.

Event name: New bundle state detected
Event type: Information
Command: bundle exec
Environment: Other than development and test
Description: Mend Diffend Supply Chain Defender emits a message based on this event whenever you deploy changes to your Gemfile that affect the given environment. Awareness of newly updated libraries being deployed can help you debug when your new code presents unexpected behaviors.

Event name: New verdict detected
Event type: Warning
Command: bundle exec
Environment: Other than development and test
Description: Mend Diffend Supply Chain Defender emits a message based on this event whenever the verdict associated with your deployment has changed.

Event name: Bundle secure execution alert
Event type: Warning
Command: bundle secure
Environment: Any
Description: Mend Diffend Supply Chain Defender emits a message based on this event whenever there is anything in your Gemfile that requires attention.

...

First of all, try to reinstall the plugin by running the following commands in your project root directory:

...


Does Mend Diffend Supply Chain Defender take into consideration Bundler groups?

...

That is why it is essential to use both the plugin and the monitor to integrate Mend Diffend Supply Chain Defender within your CI system.