Package: Invicti AppSec Enterprise (on-premise, on-demand)
Mend SCA integration
Invicti AppSec supports Mend (formerly WhiteSource) as an SCA (Software Composition Analysis) scanner. This guide explains how to activate and configure the Mend integration.
Mend is an enterprise-grade software composition analysis platform that helps organizations manage open-source security, license compliance, and code quality risks. It provides continuous monitoring of open-source components and automated policy enforcement.
This Mend SCA integration works with API v2 (/api/v2.0). Ensure your Mend instance supports the v2 API before configuring this integration.
Prerequisites
Before starting the integration, ensure you have the following information from your Mend account:
| Field | Description | Required |
|---|---|---|
| Username | Your Mend account email address | Yes |
| User Key | Your Mend user key for API authentication | Yes |
| Api Key | The organization API key from your Mend account | Yes |
| URL | Your Mend instance URL (e.g., https://saas.mend.io) | Yes |
| Insecure | Skip SSL certificate verification (not recommended for production) | No |
Get Credentials (on Mend Side)
- Log in to your Mend account.
- Navigate to Administration > Integration to find the organization API Key.
- Go to your Profile settings to find your User Key.
- Your Username is the email address associated with your Mend account.
- The URL is your Mend instance base URL (e.g.,
https://saas.mend.iofor SaaS or your on-premises URL).
Get credentials
- Log in to your Mend account.
- Go to Administration > Integration for the organization API Key.
- Go to Profile settings for your User Key.
- Note your Username (email) and instance URL.
- Copy and save all credentials securely.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the SCA Tab
On the Integrations page, you will see the Scanners section with multiple tabs. Click on the SCA tab.
Step 3: Find and Activate Mend
Scroll through the list of SCA scanners to find Mend.
- If Mend is not activated, you will see an "Activate" button. Click it to enable the integration.
- If Mend is already activated, you will see a toggle switch in the ON position and a "Deactivate" button, along with a gear icon for configuration.
The scan method badge on the Mend card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).
Step 4: Configure Connection Settings
Click on the gear icon on the Mend card to open the configuration panel.
This Mend SCA integration works with API v2 (/api/v2.0).
Fill in the required fields:
- Username: Enter your Mend account email address.
- User Key: Paste your Mend user key.
- Api Key: Paste the organization API key from your Mend account.
- URL: Enter your Mend instance URL (e.g.,
https://saas.mend.io). - Insecure: Enable this checkbox only if your Mend instance uses a self-signed SSL certificate.
Step 5: Test the Connection
Click the "Test Connection" button at the bottom of the configuration panel to verify that the provided credentials and URL are correct.
- If the connection is successful, the integration is ready to use.
- If the connection fails, verify your Username, User Key, Api Key, and URL values.
- For existing integrations, you can use the "Retest Connection" button at the top of the panel.
Step 6: Advanced Settings (Optional)
Click on "Advanced Settings" to expand additional options:
| Setting | Description | Default |
|---|---|---|
| Allow team leads to scan this instance | Permits team leads to trigger scans using this Mend instance | Off |
| Allow team leads to create new instances | Permits team leads to create additional Mend instances | Off |
After modifying advanced settings, click "Save Advanced Settings" to apply changes.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the SCA tab under Scanners |
| 3 | Find Mend and click Activate (if not already active) |
| 4 | Click the gear icon and fill in Username, User Key, Api Key, URL, and optionally Insecure |
| 5 | Click Test Connection to verify |
| 6 | (Optional) Configure Advanced Settings for team lead permissions |
Need help?
Invicti Support team is ready to provide you with technical help. Go to Help Center