Mend

Overview

Mend is an automated application security and remediation platform. Integrate Cortex with Mend to drive insights into potential vulnerabilities in your code and your third-party libraries.

Cortex supports integrating with:

Mend Static Application Security Testing (SAST): This product scans for vulnerabilities in the code you write.
Mend Software Composition Analysis (SCA): This product scans for vulnerabilities in your third-party libraries.

How to configure Mend with Cortex

See the tabs below for instructions on configuring Mend SAST and Mend SCA.

Prerequisite

Before getting started, create an API token in Mend.

If you're using a self-hosted instance of Mend, you'll need to verify that your Cortex instance is able to reach the Mend instance. We route our requests through a static IP address. Reach out to support at help@cortex.io to receive details about our static IP. If you're unable to directly allowlist our static IP, you can route requests through a secondary proxy in your network that has this IP allowlisted and have that proxy route traffic to your Mend instance.

Configure the integration in Cortex

In Cortex, navigate to the Mend settings page:
1. In Cortex, click your avatar in the lower left corner, then click Settings.
2. Under "Integrations", click Mend.
Click Add configuration.
Configure the Mend SAST integration form:
- API token: Enter the API token you created in Mend.
Click Save.

Prerequisite

Before getting started, create an Organization API key and a user key in Mend.

Configure the integration in Cortex

In Cortex, navigate to the Mend settings page:
1. In Cortex, click your avatar in the lower left corner, then click Settings.
2. Under "Integrations", click Mend.
Click Add configuration.
Configure the Mend SCA integration form:
- Organization type: Select Global or Single.
- Organization API token: Enter your Global organization key or a single organization key.
  - This can be found in Mend SCA under the Integrate tab.
- User key: Enter your Mend user key.
  - This can be found in Mend under User profile > User keys.
- URL type: Select your Mend URL type depending on the server URL for your Mend instance.
  - Select NEW if the server URL is saas.mend.io.
  - Select LEGACY if the server URL is saas.whitesourcesoftware.com.
  - Select CUSTOM if using a dedicated instance.
- Custom URL: If using a dedicated instance, enter your Mend server URL.
Click Save.

Advanced configuration

If you’re unable to expose your Mend instance to be reachable by Cortex, you can set up a Custom Integration Webhook.

How to connect Cortex entities to Mend

Discovery

By default, Cortex will use your associated Git repository (e.g. repo-name) as the "best guess" for the Mend SAST application name and the Mend SCA project name.

If your repository names don’t cleanly match the Mend SAST application names or Mend SCA project names, you can override this in the Cortex Service Descriptor.

Editing the entity descriptor

x-cortex-static-analysis:
  mend:
    applicationIds:
      - mend_id_1
      - mend_id_2
    projectIds:
      - project_id_1
      - project_id_2

The application IDs can be found in the Mend SAST web interface.

A project ID can be found in the Mend SCA web interface; while viewing the project, the ID appears in the URL after project;id=.

Expected results

Entity pages

From the Overview tab on an entity page, you can find vulnerabilities in the Code and Security block.

In the left sidebar of an entity, click Code & security > Mend to view the total number of vulnerabilities, a risk score, and a list of vulnerabilities including the risk rating and creation date.

Scorecards and CQL

With the Mend integration, you can create Scorecard rules and write CQL queries based on Mend projects and applications.

See more examples in the CQL Explorer in Cortex.

Check if Mend project is set

Check if entity has a registered Mend project

Definition: mend (==/!= null): Boolean

Examples

In a Scorecard, you can write a rule to make sure an entity has a Mend project set:

mend != null

Vulnerabilities

List of vulnerabilities, filterable on risk and source

Definition: mend.vulnerabilities(): List

Examples

In a Scorecard, you can write a rule to make sure an entity has fewer than 10 vulnerabilities from both SAST and SCA sources:

mend.vulnerabilities(source = ["SAST", "SCA"]).length < 10

You can write a rule to make sure an entity has fewer than 3 vulnerabilities with a risk level of "Medium" or "High":

mend.vulnerabilities(risk = ["Medium", "High"]).length <= 3

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: help@cortex.io, or open a support ticket in the in app Resource Center
Chat: Available in the Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

Last updated 11 days ago

Overview

How to configure Mend with Cortex

Prerequisite

Configure the integration in Cortex

Prerequisite

Configure the integration in Cortex

Advanced configuration

How to connect Cortex entities to Mend

Discovery

Editing the entity descriptor

Expected results

Entity pages

Scorecards and CQL

Examples

Examples

Still need help?​

Still need help?