
Configure Mend Bolt for GitHub#9

Closed
mend-bolt-for-github[bot] wants to merge 1 commit into master from whitesource/configure

Conversation

@mend-bolt-for-github (bot) commented Oct 25, 2025

Welcome to Mend Bolt for GitHub (formerly WhiteSource). This is an onboarding PR to help you understand and configure settings before Mend starts scanning your repository for security vulnerabilities.

🚦 Mend Bolt for GitHub will start scanning your repository only once you merge this Pull Request. To disable Mend Bolt for GitHub, simply close this Pull Request.


What to Expect

This PR contains a '.whitesource' configuration file which can be customized to your needs. If no changes were applied to this file, Mend Bolt for GitHub will use the default configuration.

Before merging this PR, make sure the Issues tab is enabled. Once you merge this PR, Mend Bolt for GitHub will scan your repository and create a GitHub Issue for every vulnerability detected in your repository.

If you do not want a GitHub Issue to be created for each detected vulnerability, you can edit the '.whitesource' file and set the 'minSeverityLevel' parameter to 'NONE'.


❓ Got questions? Check out Mend Bolt for GitHub docs.
If you need any further assistance then you can also request help here.
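A pre-merge check for the '.whitesource' file the onboarding PR adds. This is an added example written for this page, not code from Mend or from the Crystal repository. It parses the file body exactly as it appears in the PR diff (copied inline below), reports the settings a reviewer would question before merging (empty baseBranches, missing configMode, a minSeverityLevel of LOW or NONE, a check-run conclusion other than failure, the missing trailing newline) and produces a hardened body with the values the review comments suggest. The accepted-value sets are an assumption drawn from the values used on this page, not Mend's full schema.

```python
"""Pre-merge lint for a Mend Bolt for GitHub '.whitesource' file.

Added example for this page; not Mend's or the Crystal project's code. Only the
keys that appear in the onboarding PR and its review comments are checked, and
the accepted-value tuples below are an assumption based on those comments.
"""
import json
from typing import Any, Dict, List

# The file body added by the onboarding PR, copied from the PR diff. It has no
# final newline, which is the reviewer's style finding.
PAGE_CONFIG = (
    '{\n'
    '  "scanSettings": {\n'
    '    "baseBranches": []\n'
    '  },\n'
    '  "checkRunSettings": {\n'
    '    "vulnerableCheckRunConclusionLevel": "failure",\n'
    '    "displayMode": "diff",\n'
    '    "useMendCheckNames": true\n'
    '  },\n'
    '  "issueSettings": {\n'
    '    "minSeverityLevel": "LOW",\n'
    '    "issueType": "DEPENDENCY"\n'
    '  }\n'
    '}'
)

# Values seen on this page; anything else is reported as unknown (assumption).
SEVERITIES = ("LOW", "MEDIUM", "HIGH", "NONE")
CONCLUSIONS = ("success", "failure")


def lint_whitesource(raw: str) -> List[str]:
    """Return findings as 'level: message' strings; an empty list means clean."""
    findings: List[str] = []
    if not raw.endswith("\n"):
        findings.append("style: no newline at end of file")
    try:
        cfg: Dict[str, Any] = json.loads(raw)
    except json.JSONDecodeError as exc:
        # An unreadable file silently falls back to Mend's defaults, so fail loudly.
        return [f"error: invalid JSON ({exc.msg}, line {exc.lineno}); Mend would use its defaults"]

    scan = cfg.get("scanSettings", {})
    check = cfg.get("checkRunSettings", {})
    issue = cfg.get("issueSettings", {})

    if not scan.get("baseBranches"):
        findings.append("scan: baseBranches is empty, default-branch behaviour applies")
    if "configMode" not in scan:
        findings.append("scan: configMode not set, scanner falls back to its default")

    conclusion = check.get("vulnerableCheckRunConclusionLevel")
    if conclusion not in CONCLUSIONS:
        findings.append(f"check: unknown vulnerableCheckRunConclusionLevel {conclusion!r}")
    elif conclusion != "failure":
        findings.append("check: vulnerable dependencies will not fail the PR check run")

    severity = issue.get("minSeverityLevel")
    if severity not in SEVERITIES:
        findings.append(f"issues: unknown minSeverityLevel {severity!r}")
    elif severity == "NONE":
        findings.append("issues: minSeverityLevel NONE, no GitHub Issues will be created")
    elif severity == "LOW":
        findings.append("issues: minSeverityLevel LOW opens an Issue for every finding, expect noise")
    if issue.get("issueType") == "DEPENDENCY":
        findings.append("info: only DEPENDENCY issues are tracked; LICENSE findings are not")
    return findings


def harden_whitesource(raw: str, base_branches: List[str], min_severity: str = "MEDIUM") -> str:
    """Apply the review suggestions from this PR and return a well-formed file body."""
    cfg: Dict[str, Any] = json.loads(raw)
    cfg.setdefault("scanSettings", {})["baseBranches"] = list(base_branches)
    cfg["scanSettings"].setdefault("configMode", "AUTO")
    cfg.setdefault("checkRunSettings", {})["vulnerableCheckRunConclusionLevel"] = "failure"
    cfg.setdefault("issueSettings", {})["minSeverityLevel"] = min_severity
    return json.dumps(cfg, indent=2) + "\n"


if __name__ == "__main__":
    # The PR targets master, so that is the branch pinned in the hardened body.
    for name, body in (("as proposed", PAGE_CONFIG),
                       ("hardened", harden_whitesource(PAGE_CONFIG, ["master"]))):
        print(f"== {name} ==")
        for finding in lint_whitesource(body) or ["clean"]:
            print(" ", finding)
```

Run it from the repository root before merging the onboarding PR; the "as proposed" section lists the points the review comments below raise, and the "hardened" section shows the same file after those suggestions are applied.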


EntelligenceAI PR Summary

Added Mend (formerly WhiteSource) security scanning configuration via a new .whitesource file to enable automated vulnerability detection in dependencies, license compliance monitoring, and supply chain security.

@entelligence-ai-pr-reviews

📝 Walkthrough

This PR introduces a new .whitesource configuration file to enable Mend security scanning for the Crystal programming language repository. Mend (formerly WhiteSource) is a security scanning tool that helps detect vulnerabilities in dependencies, monitors open source license compliance, and improves the overall security posture of the codebase.

The configuration enables automated scanning with failure conditions when vulnerabilities are detected, making it an important addition to the CI/CD pipeline. While the configuration is functional, there are a few minor improvements that could be made to optimize its effectiveness and reduce potential noise from low-severity alerts.

📊 Changes

File: .whitesource
Change: Added new configuration file for Mend security scanning

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    title Mend Security Scanning Process Flow

    actor Developer
    participant GitRepo as "Git Repository"
    participant CI as "CI/CD Pipeline"
    participant MendScanner as "Mend Scanner"
    participant MendAPI as "Mend API"
    participant CheckRun as "GitHub Check Run"
    participant PRView as "PR Diff View"

    Developer->>GitRepo: Create/Update PR
    GitRepo->>CI: Trigger CI workflow
    
    CI->>MendScanner: Start security scan
    
    Note over MendScanner: Using configuration:
    Note over MendScanner: - Empty baseBranches
    Note over MendScanner: - Failure on vulnerabilities
    Note over MendScanner: - Diff display mode
    Note over MendScanner: - Custom Mend check names
    
    MendScanner->>MendScanner: Scan dependencies
    
    alt Vulnerabilities found
        MendScanner->>MendAPI: Report vulnerabilities
        
        Note over MendAPI: Filter issues based on:
        Note over MendAPI: - Min severity: LOW
        Note over MendAPI: - Issue type: DEPENDENCY
        
        MendAPI->>CheckRun: Create check run with "failure" conclusion
        CheckRun-->>PRView: Display vulnerabilities in diff view
        PRView-->>Developer: Show security findings
    else No vulnerabilities
        MendScanner->>MendAPI: Report clean scan
        MendAPI->>CheckRun: Create check run with "success" conclusion
        CheckRun-->>PRView: Display success status
        PRView-->>Developer: Show PR is safe to merge
    end

🔒 Security Analysis

  • Vulnerabilities: 0
  • Bugs: 0
  • Code Smells: 0
  • Security Hotspots: 0

Caution

1 comment is outside the diff range and can't be posted inline due to platform limitations.

⚠️ View Outside Diff Range Comments (1)
🟡 Medium priority · 1 issue
.whitesource · 1 comment

1. Lines 21 · Style

The file ends without a newline character which may cause formatting inconsistencies in some tools and editors

Committable Code Suggestion
‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.
{
  "scanSettings": {
    "baseBranches": []
  },
  "checkRunSettings": {
    "vulnerableCheckRunConclusionLevel": "failure",
    "displayMode": "diff",
    "useMendCheckNames": true
  },
  "issueSettings": {
    "minSeverityLevel": "MEDIUM",
    "issueType": "DEPENDENCY"
  }
}


Comment thread .whitesource
@@ -0,0 +1,14 @@
{
"scanSettings": {
"baseBranches": []
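Review bot: `"baseBranches": []` on the third line of this hunk leaves the choice of scanned branches to Mend's default instead of recording it in the repository; since this PR targets master, list that branch explicitly (for example `"baseBranches": ["master"]`) so the scanned set is reviewable in version control and does not silently change if the default branch is renamed.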

Correctness: The baseBranches array is empty which means Mend will use default branch scanning behavior instead of explicitly specifying which branches to scan

📝 Committable Code Suggestion

‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change
"baseBranches": []
{
"scanSettings": {
"baseBranches": ["master", "main"],
"configMode": "AUTO"
},
"checkRunSettings": {
"vulnerableCheckRunConclusionLevel": "failure",
"displayMode": "diff",
"useMendCheckNames": true
},
"issueSettings": {
"minSeverityLevel": "MEDIUM",
"issueType": "DEPENDENCY"
}
}

Comment thread .whitesource
"useMendCheckNames": true
},
"issueSettings": {
"minSeverityLevel": "LOW",

Performance: The minSeverityLevel is set to "LOW" which will report all vulnerabilities including low-severity ones, potentially creating noise

📝 Committable Code Suggestion

‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change
"minSeverityLevel": "LOW",
{
"scanSettings": {
"baseBranches": []
},
"checkRunSettings": {
"vulnerableCheckRunConclusionLevel": "failure",
"displayMode": "diff",
"useMendCheckNames": true
},
"issueSettings": {
"minSeverityLevel": "MEDIUM",
"issueType": "DEPENDENCY"
}
}

Comment thread .whitesource
Comment on lines +1 to +14
{
"scanSettings": {
"baseBranches": []
},
"checkRunSettings": {
"vulnerableCheckRunConclusionLevel": "failure",
"displayMode": "diff",
"useMendCheckNames": true
},
"issueSettings": {
"minSeverityLevel": "LOW",
"issueType": "DEPENDENCY"
}
} No newline at end of file
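Review bot: the last line of this block has no trailing newline, and `"minSeverityLevel": "LOW"` two lines above it means every detected vulnerability, low severity included, opens a GitHub Issue once this PR is merged and the Issues tab is enabled; raise the threshold to `"MEDIUM"` (as suggested in this thread) or set it to `"NONE"` if Issue creation is not wanted, and end the file with a newline.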

Correctness: Missing configMode setting to explicitly control scan behavior

📝 Committable Code Suggestion

‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change
{
"scanSettings": {
"baseBranches": []
},
"checkRunSettings": {
"vulnerableCheckRunConclusionLevel": "failure",
"displayMode": "diff",
"useMendCheckNames": true
},
"issueSettings": {
"minSeverityLevel": "LOW",
"issueType": "DEPENDENCY"
}
}
{
"scanSettings": {
"baseBranches": [],
"configMode": "AUTO"
},
"checkRunSettings": {
"vulnerableCheckRunConclusionLevel": "failure",
"displayMode": "diff",
"useMendCheckNames": true
},
"issueSettings": {
"minSeverityLevel": "MEDIUM",
"issueType": "DEPENDENCY"
}
}

Comment thread .whitesource
},
"issueSettings": {
"minSeverityLevel": "LOW",
"issueType": "DEPENDENCY"

Correctness: Only "DEPENDENCY" issues are configured, consider adding "LICENSE" or "POLICY" if relevant to project needs

@mend-bolt-for-github (bot) deleted the whitesource/configure branch on November 22, 2025 03:54