Repository integration & deployment
A Mend.io FAQ
General questions
Why is repository integration a best practice?
The repository is the optimal place in the software development life cycle to deploy software composition analysis (SCA). This is because it is impossible to enforce policies earlier in development (for instance, when scanning in the IDE), and it is harder to remediate vulnerabilities when scans are implemented later, in the pipeline.
What benefits will I get from deploying in the repository?
Mend customers on average see a 74 percent reduction in mean time to remediation (MTTR) from scanning in the repository (versus pipeline scans). They are also able to remediate 3x more vulnerabilities on average. Repository integration also makes it easy to enforce policies for scanning, remediation, and open source license use.
If we already scan in the pipeline, should we start scanning in the repository?
This is an excellent idea – with repository scanning, many vulnerabilities and licensing issues can be fixed (often automatically), so fewer vulnerabilities will be identified only at the pipeline stage. This significantly reduces time and cost of remediating vulnerabilities and puts pipeline scanning where it belongs – as a final step to make sure no vulnerabilities have been introduced after the repository stage.
How does repository integration impact business risk?
By enforcing scans when developers push code and enforcing license policies within the Mend.io UI, security teams can greatly reduce business risk from vulnerabilities, malicious package supply chain compromises, and open source license violations.
Deployment & scaling
How can customers set up a Mend SCA repository integration?
We have an extensive knowledge base to ensure you have all the resources you need for getting started with the repository integration:
Need additional help? Reach out to your CSM and we can partner with you to ensure you have everything you need.
How quickly can we roll out Mend SCA in the repository?
Cloud hosted Mend.io repository integrations can be initially deployed in hours or days, allowing you to start scanning and enforcing policies quickly. Self-hosted integrations typically take longer.
How fast can we scale a Mend.io repository integration?
We have designed all our Mend.io repository integrations with full enterprise scaling capabilities in mind. While the exact time depends on the specifics of a customer’s needs and existing technology stack, customers have been able to deploy to as many as 10,000 or more developers in under a week.
How can I integrate Mend SCA findings into Jira?
Mend SCA offers full Jira integrations to enable automatic issue creation and ensure that Mend.io scan results can be rapidly integrated into existing ticketing workflows.
Will Mend assist us in moving our scans to the repository?
Working in partnership with your CSM, Mend.io can work with your team and bring in resources from our side to ensure a successful migration. The CSM will work with the implementation team, sales engineers, and support to ensure you have a clear rollout plan, provide recommendations for your environment and business goals, and work with you on any questions or issues that could arise during implementation.
Features & capabilities
Which repositories are supported by Mend?
Mend currently offers integrations with GitHub.com, GitHub Self-Hosted, GitLab Self-Hosted, Azure DevOps Services, BitBucket Server, BitBucket Data Center, and BitBucket Cloud.
Where do developers see the alerts? Do they need to log in to the Mend.io web UI, or are the alerts visible in the repository environment?
Developers can both see and act on alerts from their repository, regardless of which repository Mend SCA is integrated with. Remediation suggestions and automated fixes are available directly from the repository, ensuring that developers don’t need to change their context to fix their code.
Does the repository integration include Prioritize?
Prioritize, the Mend.io feature that uses patented reachability path analysis to identify non-exploitable vulnerabilities that developers can safely ignore, is expected to become available in Mend.io repository integrations later in 2023.
Does Mend.io offer automatic fixes in the repository?
Yes. Developers can create automatic pull requests that use Mend SCA remediation guidance to fix a vulnerability. These pull requests can be heavily automated and bundled based on the level of confidence that they will not break the build.