Configure Mend Bolt for GitHub

[mend-bolt-for-github]

Welcome to Mend Bolt for GitHub (formerly WhiteSource). This is an onboarding PR to help you understand and configure settings before Mend starts scanning your repository for security vulnerabilities.

🚦 Mend Bolt for GitHub will start scanning your repository only once you merge this Pull Request. To disable Mend Bolt for GitHub, simply close this Pull Request.

---

What to Expect

This PR contains a '.whitesource' configuration file which can be customized to your needs. If no changes were applied to this file, Mend Bolt for GitHub will use the default configuration.

Before merging this PR, Make sure the Issues tab is enabled. Once you merge this PR, Mend Bolt for GitHub will scan your repository and create a GitHub Issue for every vulnerability detected in your repository.

If you do not want a GitHub Issue to be created for each detected vulnerability, you can edit the '.whitesource' file and set the 'minSeverityLevel' parameter to 'NONE'.

---

❓ Got questions? Check out Mend Bolt for GitHub docs.
If you need any further assistance then you can also request help here.

[entelligence-ai-pr-reviews]

EntelligenceAI PR Summary

This PR adds a Mend (WhiteSource) security scanning configuration file to enable automated dependency vulnerability scanning.

• Introduced .whitesource configuration file for Mend security scanning
• Configures check runs at failure level with diff display mode
• Enables vulnerability issue reporting for all severities starting from LOW
• Scopes scanning to dependency-type vulnerabilities

---

Confidence Score: 5/5 - Safe to Merge

Safe to merge — this PR introduces a .whitesource configuration file to enable Mend Bolt dependency vulnerability scanning with no changes to application logic, runtime code, or existing configuration files. The configuration correctly scopes scanning to dependency-type vulnerabilities, sets the check run failure level appropriately, and enables reporting across all severities from LOW upward, which is a sensible default for a new security integration. No review comments were generated and no substantive issues were identified during analysis.

Key Findings:

• The .whitesource file is a static configuration artifact with zero runtime impact — it only instructs the Mend Bolt GitHub App how to behave during CI scans, so there is no risk of introducing bugs or regressions.
• Enabling vulnerability reporting starting from LOW severity is a conservative and appropriate default for a new security scanning setup; it ensures no issues are silently ignored during initial adoption.
• The issueSettings scoped to DEPENDENCY type correctly limits noise to actionable dependency vulnerabilities rather than broader code-level findings, reflecting a deliberate and reasonable scoping decision.

Files requiring special attention

• .whitesource

[entelligence-ai-pr-reviews]

Walkthrough

This PR introduces a Mend (WhiteSource) security scanning configuration file to the repository. The configuration defines dependency vulnerability scanning behavior, including failure-level check runs with diff display mode, and enables issue reporting for all severities starting from LOW, specifically targeting dependency-type vulnerabilities.

Changes

File(s)	Summary
.whitesource	Added Mend (WhiteSource) security scanning configuration defining dependency vulnerability scan settings, failure-level check runs, diff display mode, and issue reporting for all severities from LOW upward.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    title Mend Dependency Scan Configuration Flow

    participant Repo as Repository
    participant Mend as "Mend Scanner"
    participant GH as "GitHub Check Runs"
    participant Issues as "Issue Tracker"

    Note over Repo, Issues: Configuration: displayMode=diff,
minSeverityLevel=LOW, issueType=DEPENDENCY

    Repo->>Mend: Trigger scan on PR/push
    activate Mend

    Mend->>Mend: Scan dependencies
    Note right of Mend: baseBranches: []
(scan all branches)

    Mend->>GH: Publish Check Run results
    activate GH
    Note right of GH: useMendCheckNames: true
conclusionLevel: failure (if vulnerable)
displayMode: diff

    alt Vulnerabilities found
        GH-->>Repo: Check Run = failure
    else No vulnerabilities
        GH-->>Repo: Check Run = success
    end
    deactivate GH

    opt Severity >= LOW and type = DEPENDENCY
        Mend->>Issues: Create dependency issue
        activate Issues
        Issues-->>Mend: Issue created
        deactivate Issues
    end

    Mend-->>Repo: Scan complete
    deactivate Mend

Loading