Mend SCA

Mend SCA (formerly WhiteSource) is an enterprise software composition analysis platform that identifies vulnerabilities, license risks, and quality issues in open-source dependencies.

The platform emphasizes automated remediation and developer-friendly workflows, aiming to reduce the friction that often prevents teams from addressing security issues promptly.

What is Mend SCA?

Mend SCA scans applications to discover all open-source components, including direct dependencies and the transitive dependencies they bring along.

For each component, Mend checks against vulnerability databases and license registries to identify security issues and compliance risks.

What distinguishes Mend from basic vulnerability scanners is its focus on actionability.

The platform provides automated remediation through pull requests that upgrade vulnerable components, prioritizes findings based on reachability analysis (whether vulnerable code is actually executed), and integrates directly into developer workflows through IDE plugins and repository integrations.

Mend has expanded beyond pure SCA through acquisitions of DefenseCode and Xanitizer, adding SAST capabilities to the platform.

This allows organizations to address both first-party code vulnerabilities and third-party dependency risks from a single vendor.

Key Features

Automated Remediation

Mend’s Renovate technology automatically generates pull requests to update vulnerable dependencies.

Unlike simple version bumps, Renovate intelligently groups related updates, respects semantic versioning constraints, and schedules updates to minimize disruption.

The platform also provides merge confidence scores that predict whether an update is likely to break builds, based on aggregated data from millions of updates across the Mend user base.

This helps teams confidently merge security updates without extensive manual testing.

Reachability Analysis

Not every vulnerability in a dependency actually affects your application.

Mend performs reachability analysis to determine whether the vulnerable code path is actually called by your application.

Findings are prioritized accordingly, allowing teams to focus on vulnerabilities that pose genuine risk rather than chasing every CVE.

This analysis examines call graphs and code paths to identify whether vulnerable functions are reachable from application entry points.

Unreachable vulnerabilities are flagged but deprioritized, reducing alert fatigue while maintaining visibility.

License Compliance

Open-source licenses carry obligations that can create legal risk if ignored.

Mend identifies the licenses of all components and flags potential conflicts with your organization’s policies.

The platform understands license compatibility rules and can detect situations where combining components with incompatible licenses creates compliance issues.

License policies can be customized to match organizational requirements, automatically approving or blocking specific license types across all projects.

Container and Cloud-Native Security

Mend extends beyond application dependencies to scan container images, Kubernetes configurations, and infrastructure-as-code files.

This provides visibility into vulnerabilities across the entire deployment stack, from application code through runtime infrastructure.

Container scanning examines base images, OS packages, and application dependencies installed in images, identifying vulnerabilities at every layer.

Installation

CLI Installation

# Install via npm (globally)
npm install -g @mend/cli

# Or via Homebrew (macOS)
brew install mend-io/mend-cli/mend-cli

# Verify installation
mend --version

Running Scans

# Configure API credentials
export MEND_API_KEY="your-api-key"
export MEND_EMAIL="your@email.com"

# Scan current directory
mend sca scan

# Scan specific project with custom configuration
mend sca scan \
  --path ./my-project \
  --scope "project-scope" \
  --product "product-name"

# Generate SBOM
mend sca sbom --format spdx --output sbom.json

# Scan container image
mend image scan my-registry/my-image:latest

Repository Integration

Mend provides native integrations for GitHub, GitLab, Bitbucket, and Azure DevOps that require minimal configuration:

# .mend configuration file (place in repository root)
settingsInheritedFrom: organization/mend-config

# Override specific settings
vulnerabilityAlerts:
  enabled: true
  severity: HIGH

licenseAlerts:
  enabled: true
  allowedLicenses:
    - MIT
    - Apache-2.0
    - BSD-3-Clause

autoRemediation:
  enabled: true
  maxPRs: 5

Integration

GitHub Actions

name: Mend SCA Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install dependencies
        run: npm ci

      - name: Mend SCA Scan
        uses: mend-toolkit/mend-sca-scan-action@v1
        with:
          api-key: ${{ secrets.MEND_API_KEY }}
          user-key: ${{ secrets.MEND_USER_KEY }}
          product-name: ${{ github.repository }}
          project-name: ${{ github.repository }}/${{ github.ref_name }}

      - name: Check for critical vulnerabilities
        run: |
          mend sca scan --severity-threshold CRITICAL --fail-on-severity
        env:
          MEND_API_KEY: ${{ secrets.MEND_API_KEY }}

GitLab CI

stages:
  - build
  - security
  - deploy

variables:
  MEND_API_KEY: $MEND_API_KEY
  MEND_USER_KEY: $MEND_USER_KEY

mend-sca:
  stage: security
  image: node:20
  before_script:
    - npm install -g @mend/cli
  script:
    - npm ci
    - mend sca scan
      --product "$CI_PROJECT_NAME"
      --project "$CI_PROJECT_NAME/$CI_COMMIT_REF_NAME"
      --fail-on-severity HIGH
  artifacts:
    reports:
      sast: mend-report.json
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == "main"

container-scan:
  stage: security
  image: node:20
  before_script:
    - npm install -g @mend/cli
  script:
    - mend image scan $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  rules:
    - if: $CI_COMMIT_BRANCH == "main"

Azure DevOps Pipeline

trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

stages:
  - stage: Security
    jobs:
      - job: MendScan
        steps:
          - task: NodeTool@0
            inputs:
              versionSpec: '20.x'

          - script: npm install -g @mend/cli
            displayName: 'Install Mend CLI'

          - script: npm ci
            displayName: 'Install Dependencies'

          - script: |
              mend sca scan \
                --product "$(Build.Repository.Name)" \
                --project "$(Build.Repository.Name)/$(Build.SourceBranchName)"
            displayName: 'Mend SCA Scan'
            env:
              MEND_API_KEY: $(MEND_API_KEY)
              MEND_USER_KEY: $(MEND_USER_KEY)

IDE Integration

Mend provides extensions for developer IDEs:

• VS Code: Real-time vulnerability alerts as you code
• IntelliJ IDEA: Integrated scanning and remediation suggestions
• Visual Studio: .NET-specific vulnerability detection

When to Use Mend SCA

Mend SCA is well-suited for:

• Organizations prioritizing automated remediation who want security fixes delivered as ready-to-merge pull requests
• Teams experiencing alert fatigue who benefit from reachability analysis to focus on exploitable vulnerabilities
• Enterprises with strict license compliance requirements who need comprehensive license detection and policy enforcement
• Companies seeking unified AppSec who want both SCA and SAST from a single vendor

Mend may not be the best fit for small teams with limited budgets seeking free alternatives, organizations already deeply invested in competing platforms like Snyk or Sonatype, or teams that prefer self-hosted solutions over SaaS platforms.