Mend
Summary
Mend is an automated application security and remediation platform. It can be used to drive insights into static & software composition analysis. Both Mend SAST and SCA products are supported.
Setup
Mend SAST
In order to connect Cortex to your Mend instance, you’ll need to create an API token, and add it under Settings → Mend SAST. Additionally, you'll need your organization name, which can be found in the SAST interface under Administration → Organizations.
Mend SCA
In order to connect Cortex to your Mend instance, you’ll need the Organization API Key which can be found in the SCA interface under the Integrate tab. You'll need to select your organization type: For GLOBAL, use the “Global Organization” key from the Mend integration page. For SINGLE, use the “Organization” key from the Mend integration page. Once located, add it under Settings → Mend SCA. Next, add your User Key found in Mend under User Profile and the User Keys section.
Depending on the server URL in your Mend integration (under Organization), set the URL type:
- NEW if the server URL is
saas.mend.io
- LEGACY if the server URL is
saas.whitesourcesoftware.com
- CUSTOM if using a dedicated instance, and set the Custom URL field as your server URL
If you do not see the settings page you're looking for, you likely don't have the proper permissions and need to contact your admin.
If you're using a self-hosted instance of Mend, you'll need to
verify that your Cortex instance is able to reach the Mend instance.
We route our requests through a static IP address. Reach out to support at
help@cortex.io to receive details about our static IP.
If you're unable to directly allowlist our static IP, you can route requests through a secondary proxy in your network that has this IP allowlisted and have that proxy route traffic to your Mend instance.
Advanced configuration
If you’re unable to expose your Mend instance to be reachable by Cortex, you can set up a Custom Integration Webhook.
Registration
Discovery
By default, Cortex will use your associated Git repository (e.g. repo-name
) as the "best guess" for the Mend application name for SAST and Mend project name for SCA.
If your repository names don’t cleanly match the Mend SAST application names or Mend SCA project names, you can override this in the Cortex Service Descriptor.
Entity descriptor
If you need to override automatic discovery, you can define the following block in your Cortex entity descriptor.
x-cortex-static-analysis:
mend:
applicationIds:
- mend_id_1
- mend_id_2
projectIds:
- project_id_1
- project_id_2
The application IDs can be found in the Mend SAST web interface. The project IDs can be found in the Mend SCA web interface.