
Configure Mend Bolt for GitHub#15

Open
mend-bolt-for-github[bot] wants to merge 1 commit intomasterfrom
whitesource/configure

Conversation

@mend-bolt-for-github

Welcome to Mend Bolt for GitHub (formerly WhiteSource). This is an onboarding PR to help you understand and configure settings before Mend starts scanning your repository for security vulnerabilities.

🚦 Mend Bolt for GitHub will start scanning your repository only once you merge this Pull Request. To disable Mend Bolt for GitHub, simply close this Pull Request.


What to Expect

This PR contains a '.whitesource' configuration file which can be customized to your needs. If no changes were applied to this file, Mend Bolt for GitHub will use the default configuration.

Before merging this PR, make sure the Issues tab is enabled. Once you merge this PR, Mend Bolt for GitHub will scan your repository and create a GitHub Issue for every vulnerability detected in your repository.

If you do not want a GitHub Issue to be created for each detected vulnerability, you can edit the '.whitesource' file and set the 'minSeverityLevel' parameter to 'NONE'.


❓ Got questions? Check out Mend Bolt for GitHub docs.
If you need any further assistance then you can also request help here.

@entelligence-ai-pr-reviews

entelligence-ai-pr-reviews Bot commented Apr 30, 2026

EntelligenceAI PR Summary

This PR adds a Mend (WhiteSource) security scanning configuration file to automate dependency vulnerability detection and reporting.

  • Introduced .whitesource configuration file for Mend security scanning
  • Configured check run failures triggered on vulnerability detection
  • Enabled diff display mode for vulnerability results
  • Set issue reporting threshold to LOW severity, capturing all severity levels (LOW, MEDIUM, HIGH, CRITICAL)

Confidence Score: 5/5 - Safe to Merge

Safe to merge — this PR introduces a .whitesource configuration file that enables Mend Bolt security scanning with sensible defaults, including LOW severity threshold to capture all vulnerability levels and diff display mode for clear reporting. The configuration is purely additive infrastructure with no impact on application logic, runtime behavior, or existing code paths. No issues were identified in the review, and the settings chosen (fail on vulnerability detection, report all severities) reflect a conservative and security-conscious posture appropriate for a production codebase.

Key Findings:

  • The .whitesource file is a declarative configuration with no executable code, eliminating any risk of introducing logic bugs or runtime errors.
  • Setting minSeverityLevel to LOW ensures the broadest possible vulnerability coverage, which is the correct conservative default for a security scanning tool.
  • The checkRunFailure setting being enabled means the CI pipeline will actively block merges on detected vulnerabilities, which strengthens the security posture of the repository rather than weakening it.

Files requiring special attention
  • .whitesource

@entelligence-ai-pr-reviews

Walkthrough

This PR introduces a Mend (WhiteSource) security scanning configuration file to enable automated dependency vulnerability scanning. The configuration sets up check run failures on detected vulnerabilities, enables diff display mode, and configures issue reporting for all severity levels starting from LOW.

Changes

| File(s) | Summary |
| --- | --- |
| .whitesource | Added Mend (WhiteSource) security scanning configuration enabling dependency vulnerability scanning, check run failures on vulnerabilities, diff display mode, and issue reporting for all severities from LOW and above. |

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant Repo as "GitHub Repository"
    participant Mend as "Mend Scanning Service"
    participant CI as "GitHub Check Runs"
    participant Issues as "Issue Tracker"

    Note over Repo: mendupdater.json config added
    Note over Repo: scanSettings, checkRunSettings,<br/>issueSettings defined
    Repo->>Mend: Trigger scan on PR / base branch
    activate Mend

    Mend->>Repo: Read mendupdater.json config
    Repo-->>Mend: scanSettings { baseBranches: [] }<br/>checkRunSettings { displayMode: "diff",<br/>useMendCheckNames: true }<br/>issueSettings { minSeverity: LOW,<br/>issueType: DEPENDENCY }

    Mend->>Mend: Run dependency scan

    alt Vulnerable dependencies found
        Mend->>CI: Create Check Run (Mend check name)<br/>conclusion: "failure"
        Note right of CI: Display mode: diff<br/>(only show new issues)
        CI-->>Mend: Check run created
        Mend->>Issues: Report issues<br/>minSeverity >= LOW, type: DEPENDENCY
        Issues-->>Mend: Issues logged
    else No vulnerabilities found
        Mend->>CI: Create Check Run<br/>conclusion: "success"
        CI-->>Mend: Check run created
    end

    deactivate Mend
    Mend-->>Repo: Scan complete
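A policy check a repository owner could run against the '.whitesource' file before merging, covering the 'minSeverityLevel' option the onboarding message describes and the check-run and display settings the review summary lists. This is an added example, not Mend's code or this repository's; the key name vulnerableCheckRunConclusionLevel and the treatment of missing keys as the PR's defaults are assumptions, and both sample configurations below are constructed.

```python
import json

# Severity levels Mend Bolt reports, least to most severe (as listed in the PR summary).
SEVERITY_LEVELS = ("LOW", "MEDIUM", "HIGH", "CRITICAL")

# Values the onboarding PR ships; a missing key is treated as this default (assumption).
DEFAULTS = {"minSeverityLevel": "LOW", "displayMode": "diff",
            "vulnerableCheckRunConclusionLevel": "failure"}


def check_whitesource(config_text: str) -> list:
    """Parse a '.whitesource' JSON document and return posture findings.

    An empty list means the file keeps the PR's conservative settings: every
    severity from LOW up opens an issue, the check run fails on findings, and
    only newly introduced findings are shown (diff mode).
    """
    cfg = json.loads(config_text)
    issue = cfg.get("issueSettings", {})
    check = cfg.get("checkRunSettings", {})
    findings = []

    level = str(issue.get("minSeverityLevel", DEFAULTS["minSeverityLevel"])).upper()
    if level == "NONE":
        findings.append("issueSettings.minSeverityLevel=NONE: no GitHub Issues are created")
    elif level not in SEVERITY_LEVELS:
        findings.append(f"issueSettings.minSeverityLevel={level}: unknown level")
    elif level != "LOW":
        ignored = ", ".join(SEVERITY_LEVELS[:SEVERITY_LEVELS.index(level)])
        findings.append(f"issueSettings.minSeverityLevel={level}: {ignored} findings open no issue")

    # Key name assumed from Mend's documented config; the PR only says the check run fails.
    conclusion = str(check.get("vulnerableCheckRunConclusionLevel",
                               DEFAULTS["vulnerableCheckRunConclusionLevel"])).lower()
    if conclusion != "failure":
        findings.append(f"checkRunSettings conclusion={conclusion}: findings do not fail the check run")

    mode = str(check.get("displayMode", DEFAULTS["displayMode"])).lower()
    if mode != "diff":
        findings.append(f"checkRunSettings.displayMode={mode}: not limited to newly introduced findings")
    return findings


# Constructed samples: the PR's defaults, and a weakened variant that silences everything.
DEFAULT_CONFIG = """{
  "scanSettings": {"baseBranches": []},
  "checkRunSettings": {"vulnerableCheckRunConclusionLevel": "failure",
                       "displayMode": "diff", "useMendCheckNames": true},
  "issueSettings": {"minSeverityLevel": "LOW", "issueType": "DEPENDENCY"}
}"""
WEAKENED_CONFIG = """{
  "checkRunSettings": {"vulnerableCheckRunConclusionLevel": "success", "displayMode": "all"},
  "issueSettings": {"minSeverityLevel": "NONE"}
}"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONFIG), ("weakened", WEAKENED_CONFIG)):
        print(name, check_whitesource(text) or "OK")
```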