ci: add Mend scan workflow for SAST and SCA

esolitos · esolitos · commit b03de2f06585 · 2025-11-11T09:30:38.000+01:00
diff --git a/.github/workflows/mend.yml b/.github/workflows/mend.yml
@@ -0,0 +1,65 @@
+name: Mend Scan
+
+on:
+  workflow_dispatch:
+  schedule: [cron: "0 0 * * 0"] # Weekly on Sundays at midnight
+
+  # For PRs we only trigger if the workflow file itself is changed, for testing purposes.
+  pull_request:
+    branches: [master]
+    paths:
+      - .github/workflows/mend.yml
+
+env:
+  MEND_APP_NAME: "vespa-engine"
+  MEND_PROJECT_NAME: "vespa"
+
+jobs:
+  sast:
+    name: SAST Vespa Engine
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - name: Mend SAST
+        uses: vespa-engine/gh-actions/mend-sast@marlon/feat/add-mend-scan-workflow
+        with:
+          mend-user: ${{ secrets.MEND_EMAIL }}
+          mend-api-key: ${{ secrets.MEND_USER_KEY }}
+
+          mend-app-name: ${{ env.MEND_APP_NAME }}
+          mend-project-name: ${{ env.MEND_PROJECT_NAME }}
+          # Do not send SAST updates on PRs
+          # update: ${{ contains(fromJson('["workflow_dispatch","schedule"]'), github.event_name) }}
+          update: true # Temporarily always send SAST updates
+
+          # Scan only: C++, Java
+          scan-name: "Vespa @ ${{ github.ref_name }} (${{ github.sha }})"
+          target-directory: "./"
+          enabled-engines: "12,101"
+
+  sast-cli:
+    name: SAST Vespa CLI
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - name: Mend SAST
+        uses: vespa-engine/gh-actions/mend-sast@marlon/feat/add-mend-scan-workflow
+        with:
+          mend-user: ${{ secrets.MEND_EMAIL }}
+          mend-api-key: ${{ secrets.MEND_USER_KEY }}
+
+          mend-app-name: ${{ env.MEND_APP_NAME }}
+          mend-project-name: ${{ env.MEND_PROJECT_NAME }}
+          # Do not send SAST updates on PRs
+          # update: ${{ contains(fromJson('["workflow_dispatch","schedule"]'), github.event_name) }}
+          update: true # Temporarily always send SAST updates
+
+          # Scan only: C++, Java
+          # Scan only: Go
+          scan-name: "Vespa CLI @ ${{ github.ref_name }} (${{ github.sha }})"
+          target-directory: "client/go"
+          enabled-engines: "18"
