Versions Compared

Old Version 70

changes.mady.by.user Angela Ruhstorfer

Saved on

compared with

New Version Current

changes.mady.by.user Angela Ruhstorfer

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
InfoThis feature page is only available from version 20.7.1.

Overview

This topic provides instructions on how to enable a global repo configuration which will affect all new repositories to be integrated using either Mend for GitHub.com, Mend for GitHub Enterprise, Mend for Bitbucket Server/Data Center, or Mend for GitLab Server. For information on how to migrating existing repositories to the global configuration, see here. Using this global configuration, you will be able to define a configuration template file (repo-config.json), which can be inherited by all future integrated repositories. You will also be able to define a global configuration (not specific to a repository) file (global-config.json) for your integration. The currently-supported global configuration enables you to define how the user onboarding flow will occur for your integrated repositories.

Prerequisites

Ensure that you have already integrated the relevant repository platform with Mend. If needed, refer to the installation sections of the relevant platform below:

Enabling the Global Configuration

  1. (Only for Self-Managed integrations) Create a new organization (GitHub Enterprise), Group (Gitlab Server), Project (Bitbucket Server/Data Center) named whitesource-config (the name must be exactly as specified here) in your integrated repository platform.

  2. (Only for AzureRepos) This integration is using Global Configuration by default so just follow the installation steps of the Mend for Azure Repos documentation.

  3. Create a new repository named whitesource-config (the name must be exactly as specified here). In Self-Managed integrations, this repository needs to be inside the whitesource-config entity you created in the previous step.

  4. Add the new whitesource-config repository to your integration. Based on your relevant platform, refer to the correct section:

  5. The whitesource-config repository will now contain a README file and two new configuration files (automatically created by the integration), repo-config.json and global-config.json. Configure these files by referring to the following sections and then continue in this procedure.

  6. Add repositories you want Mend to scan, to your integration.

repo-config.json

This configuration template file is a JSON formatted file that will be applied globally to each newly selected integrated repository. It provides configurable parameters for a Mend scan. All new integrated repositories will inherit the configuration set in this file, unless explicitly overridden by a local .whitesource file in the relevant repository. Refer to the following sections for information on which parameters can be added to the repo-config.json file:

global-config.json

This global configuration file is a JSON-formatted file where you can define global configurations for the integration. The following parameters can be provided:

General Parameters

...

Parameter 

...

Type

...

Description

...

Required 

...

Default

...

repoConfigMode

...

String

...

The configuration mode to be used on all integrated repositories. There are three options:

  • createOnboardingPR - Create an onboarding PR/MR containing a .whitesource file with inherited configuration. The integrated repositories will inherit the configuration from the repo-config.json file located inside the whitesource-config repository. The .whitesource configuration file generated in each repository will contain a single parameter settingsInheritedFrom with a value pointing to the repo name and branch in which the repo-config.json file is located.

  • pushWhitesourceFile - A .whitesource configuration file with inherited configuration will immediately be pushed to the default branch of all integrated repositories without creating any onboarding PRs/MRs. The .whitesource configuration file generated in each repository will contain a single parameter settingsInheritedFrom with a value pointing to the repo name and branch in which the repo-config.json file is located.

  • noWhitesourceFile - Integrated repositories will be scanned without creating a .whitesource file or onboarding PR/MR. The integrated repositories will inherit the configuration from the repo-config.json file located inside the whitesource-config repository.

...

Yes

...

createOnboardingPR

...

repoConfigFileName

...

String

...

It is possible to rename the .whitesource configuration file added to an integrated repository.

NOTES:

  • This is currently only supported for newly-integrated repositories. If a repository already includes a .whitesource file, the integration will continue using it.

  • This parameter is ignored when the repoConfigMode is set to noWhitesourceFile.

...

No

...

.whitesource

...

branchProtectionRule

...

Automatically create a “Mend Security Check” branch protection rule for all branches configured by the “baseBrances” property. This will only occur for newly onboarded repositories.

NOTES:

  1. Only valid for the GitHub Enterprise integration.

  2. This will require to add the “Repository administration” to the “Read & Write” permissions to the GitHub application.

Code Block
{
  "branchProtectionRule": {
    "mode": "newInstallations"
  }
}

...

No

...

“none”

...

settingsInheritedFrom

...

Add an option for a regular account repo-config.json or global-config.json file to inherit settings from the whitesource-config account’s global-config.json file. For example, a global-config.json file in {someOrg}/whitesource-config could inherit settings from the whitesource-config/whitesource-config file.

If this parameter is enabled, after creating a whitesource-config file inside the repos of the given organization, it will be automatically populated with the settings from the whitesource-config/whitesource-config file.

NOTE: You can override specific parameters that are relevant only in the specific repository by adding these after this parameter.

Examples:

Using only values defined in the global configuration:

Code Block
"settingsInheritedFrom": "whitesource-config/whitesource-config@master"

Using values defined in the global configuration and overriding the scan settings parameters:

Code Block
"settingsInheritedFrom": "whitesource-config/whitesource-config@master", 
 "issueSettings": {
    "minSeverityLevel": "MEDIUM"
  }

...

No

...

“none”

Ignored Repos (ignoredRepos)

...

Parameter 

...

Type

...

Description

...

Required 

...

Default

...

exactNames

...

Array

...

Provide a list of specific repositories to ignore from the integration. For example:

Code Block
"ignoredRepos": {
  "exactNames": ["user/myrepo", "user/testrepo"]
}

...

No

...

Empty

Account Management

...

Parameter 

...

Type

...

Description

...

Required 

...

Default

...

includedOwners->exactNames

...

Array

...

Define a whitelist of GitHub Organizations and/or GitHub repository owners who can integrate with the Mend integration.

NOTE: This applies to Mend for GitHub Enterprise and Mend for GitHub.com only.

For example:

Code Block
"includedOwners": {
  "exactNames": ["MyOrg", "MyUserName"]
}

...

No

...

Empty

...

allowedUserAccounts->exactNames

...

Array

...

Provide a way to limit the integration to organization accounts and block all or specific user accounts. If the “exactNames” property is empty all user accounts will be blocked. If the object is missing, no limitation on account type will be enforced.

When a blocked account is trying to install the integration it will be automatically uninstalled.

NOTE: Only valid for the GitHub Enterprise integration.

Code Block
{
  "allowedUserAccounts": {
    "exactNames": ["userName1", "userName2"]
  }
}

...

No

...

Null

Manually Triggering Repository Scans

NOTE: Relevant only for Mend for GitHub Enterprise Integration and Mend for GitHub.com Integration.

This feature enables users to manually trigger scans for specific repositories.

In order to trigger the manual scans, a file called scan.json needs to be pushed to the whitesource-config repo. The scan.json file contains a list of repositories to scan:

Code Block
{
  "repositories": [
    {
      "fullName": "orgName1/repoName1",
      "branchName": "main"
    }
  ]
}

The repository list is limited to 10. If there are more than 10, no repositories will be scanned, and a check run will be created.

If a branch name is not specified, the default branch will be scanned.

For each repository in the list, a scan will be triggered (in the latest commit of the specified branch), including the creation of the security check run.

Manual scan logs

When triggering a manual scan it is possible to save the scan logs as a single zip file to a dedicated repository: whitesource-config/ws-logs. To enable this functionality additional flag should be added to the scan.json, uploadScannerLogs set to true.

Example:

Code Block
{
  "repositories": [
    {
      "fullName": "orgName1/repoName1",
      "branchName": "main",
      "uploadScannerLogs": true
    }
  ]
}

NOTE:

  • Name of the zip file: scanner_logs_{SCAN_TOKEN}.zip

  • The name of the ws-logs repo is configurable using the env var WS_LOG_REPO_NAME

  • If the repo whitesource-config/ws-logs does not exist, the manual scan will not run and a check run will explain why:

    Image Removed

Migrating Existing Repositories to the Global Configuration

Info

Performing a migration may slow down the overall responsiveness of the integration. Migration may take a few hours to complete.
For GitHub integrations, when performing a migration on more than 500 repositories, the migration Check Run indicating the status of the migration may not be created due to a GitHub content size limitation.

If you have existing repositories that you want to inherit from the global configuration, do as follows:

  1. Ensure you performed the steps described in Enabling the Global Configuration.

  2. Go to the whitesource-config repository.

  3. Add a new file named migration.json in the default branch.

  4. Inside the file, add the following content (to change parameters and values, refer to the table below):

    Code Block
    {
	"migrationMode": {
		"changeType": "inheritance",
		"openPR": true
	}
}

  5. To run the migration, commit and push the file.
    A Mend Security Check (as part of a Check Run for GitHub.com/GitHub Enterprise, Commit Status for GitLab, and Build Status for Bitbucket Server) will be generated and display a summary of the migrated repositories. In addition, the migration.json file will be deleted after the migration is completed.
    NOTE: In Mend for Bitbucket Server, the migration.json file needs to be manually removed.

Info

For self-hosted organizations, if the migration.json file is pushed from the global configuration repository of a global organization (whitesource-config/whitesource-config), the migration will affect all the integrated organizations. If the migration.json file is pushed from the global configuration repository of a regular organization (regular-org/whitesource-config), the migration will affect only the repositories from this organization.

migration.json File Parameters

...

Parameter

...

Type

...

Description

...

Required?

...

Default

...

migrationMode.changeType

...

String

...

Type of change to perform as part of the migration.

There are two possible values:

  • inheritance - The migrating repositories will inherit from the global configuration

  • deletion - The .whitesource file (if found) will be removed from the migrating repositories. Note the following:

    • This should only be used when repoConfigMode in the global-config.json file has the value noWhitesourceFile. Otherwise, no migration will be performed.

    • In Mend for Bitbucket Server, the deletion option is not available. You will need to manually delete the .whitesource file for each migrated repository.

  • fixInheritance - The migration will update existing inheritedFrom parameter values in repo-level .whitesource configuration files, to the correct whitesource-config repository.

    • This parameter can be used in case the Global Configuration repository was moved or renamed since the initial integration.

...

No

...

inheritance

...

migrationMode.openPR
(Mend for GitHub Enterprise, Mend for GitHub.com, and Mend for Bitbucket Server/Data Center)

migrationMode.openMR
(Mend for GitLab)

...

Boolean

...

Whether an onboarding PR/MR should be created for the migrating repositories.

NOTE: When set to false, every migrating repository that currently contains a .whitesource file will trigger an automatic scan after these are migrated. This may affect overall performance of the integration depending on how many migrating repositories you have.

...

No

...

true

...

migrationMode.triggerScan

...

Boolean

...

Control whether the migration should trigger a scan after completion.

NOTE: this parameter is relevant only when using migrationMode.changeType=inheritance.

...

No

...

true

...

includeRepos

...

Array

...

Provide a list of specific full repository names (owner/repo_name) on which the migration should run.

NOTE: You cannot use includeRepos together with excludeRepos as part of a migration.

Example:

Code Block
"includeRepos": ["whitesource/unified-agent-distribution", "whitesource/jenkins-whitesource-plugin"]

...

No

...

Empty

...

excludeRepos

...

Array

...

Provide a list of specific full repository names (owner/repo_name) on which the migration should not run.

NOTE: You cannot use excludeRepos together with includeRepos as part of a migration.

Example:

Code Block
"excludeRepos": ["whitesource/unified-agent-distribution"]

...

No

...

available at Mend’s new Knowledge Hub, here: Global Repo Configuration