Mend SCA

Mend SCA (formerly WhiteSource) is an enterprise SCA platform that combines vulnerability scanning with automated remediation powered by Renovate technology.

As the Sonatype 2026 State of the Software Supply Chain report continues to document open-source malware as a nation-state-scale threat across public registries, automated SCA with fast remediation has become essential.

The platform generates pull requests to fix vulnerable dependencies, scores each update with merge confidence data, and uses reachability analysis to filter out vulnerabilities in code paths your application never calls.

Named a Strong Performer in The Forrester Wave: Software Composition Analysis, Q4 2024 — Forrester’s most recent published SCA Wave at time of writing — Mend has expanded beyond pure SCA through acquisitions of DefenseCode and Xanitizer, adding SAST capabilities to the platform.

What is Mend SCA?

Mend scans applications to discover all open-source components, checks them against vulnerability databases and license registries, and then does something most scanners skip: it tells you which vulnerabilities actually matter and fixes them for you.

Key features

Supported ecosystems

Automated remediation

Mend’s Renovate technology automatically generates pull requests to update vulnerable dependencies. Unlike simple version bumps, Renovate groups related updates, respects semantic versioning constraints, and schedules updates to minimize disruption.

Merge confidence scores predict whether an update will break your build based on aggregated data from millions of updates.

Reachability analysis

Mend examines call graphs and code paths to identify whether vulnerable functions are reachable from application entry points. Unreachable vulnerabilities are flagged but deprioritized, letting teams focus on genuine risks.

License compliance

Mend identifies all component licenses and flags conflicts with organizational policies. The platform understands compatibility rules and detects situations where combining components with incompatible licenses creates compliance issues.

Policies automatically approve or block specific license types across all projects.

Container scanning

Mend extends beyond application dependencies to scan container images, Kubernetes configurations, and IaC files. Container scanning examines base images, OS packages, and application dependencies at every layer.

SBOM generation and transitive dependency analysis

Mend exports SBOMs in both SPDX and CycloneDX formats, and every scan type — application dependencies, container images, Kubernetes manifests — feeds into the same inventory that the SBOM draws from. Teams that need SBOMs for compliance obligations (Executive Order 14028, FedRAMP, regulated-industry contracts) can export per-project or per-organization artifacts without running a separate generator.

Transitive dependency analysis is where most of the interesting work happens. Mend walks the full dependency tree beyond what is declared in your lockfile, resolving indirect packages that ship as part of direct dependencies’ own dependency graphs. A vulnerability pulled in three levels deep still surfaces as a finding, with the introduction path made explicit so you can tell whether the CVE comes from something your team controls or from a library several maintainers removed.

Reachability analysis, described in the Key features section above, layers on top of the transitive walk — it is what lets Mend flag a transitive finding as unreachable even when the component itself is technically present. The combination cuts the raw “CVE is in your tree” finding list down to the subset that your application actually exercises, without losing the underlying inventory for audit.

Installation

CLI Installation

# Install via npm (globally)
npm install -g @mend/cli

# Verify installation
mend --version

Running Scans

# Configure API credentials
export MEND_API_KEY="your-api-key"
export MEND_USER_KEY="your-user-key"

# Scan current directory
mend dep

# Scan specific project
mend dep --dir ./my-project --scope "ORG//APP//PROJ"

# Scan container image
mend image my-registry/my-image:latest

Repository Integration

Mend provides native integrations for GitHub, GitLab, Bitbucket, and Azure DevOps that require minimal configuration:

# .mend configuration file (place in repository root)
settingsInheritedFrom: organization/mend-config

# Override specific settings
vulnerabilityAlerts:
  enabled: true
  severity: HIGH

licenseAlerts:
  enabled: true
  allowedLicenses:
    - MIT
    - Apache-2.0
    - BSD-3-Clause

autoRemediation:
  enabled: true
  maxPRs: 5

Integration

GitHub Actions

name: Mend SCA Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install dependencies
        run: npm ci

      - name: Install Mend CLI
        run: npm install -g @mend/cli

      - name: Run Mend SCA scan
        env:
          MEND_USER_KEY: ${{ secrets.MEND_USER_KEY }}
          MEND_API_KEY: ${{ secrets.MEND_API_KEY }}
        run: mend dep --dir . --scope "ORG//APP//PROJ"

GitLab CI

stages:
  - build
  - security
  - deploy

variables:
  MEND_API_KEY: $MEND_API_KEY
  MEND_USER_KEY: $MEND_USER_KEY

mend-sca:
  stage: security
  image: node:20
  before_script:
    - npm install -g @mend/cli
  script:
    - npm ci
    - mend dep --dir . --scope "ORG//APP//PROJ" --strict
  artifacts:
    reports:
      sast: mend-report.json
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == "main"

container-scan:
  stage: security
  image: node:20
  before_script:
    - npm install -g @mend/cli
  script:
    - mend image $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  rules:
    - if: $CI_COMMIT_BRANCH == "main"

Azure DevOps Pipeline

trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

stages:
  - stage: Security
    jobs:
      - job: MendScan
        steps:
          - task: NodeTool@0
            inputs:
              versionSpec: '20.x'

          - script: npm install -g @mend/cli
            displayName: 'Install Mend CLI'

          - script: npm ci
            displayName: 'Install Dependencies'

          - script: |
              mend dep --dir . --scope "ORG//APP//PROJ"
            displayName: 'Mend SCA Scan'
            env:
              MEND_API_KEY: $(MEND_API_KEY)
              MEND_USER_KEY: $(MEND_USER_KEY)

IDE Integration

Mend provides extensions for developer IDEs:

• VS Code: Real-time vulnerability alerts as you code
• IntelliJ IDEA: Integrated scanning and remediation suggestions
• Visual Studio: .NET-specific vulnerability detection

Mend CLI and container scanning

The @mend/cli package is the primary scan vector — it handles application dependency scans, container image scans, and the upload to the Mend platform in the same binary. CVE detection in dependencies happens inside the CLI: it resolves each component, queries Mend’s aggregated vulnerability database (NVD plus proprietary research), and attaches the reachability verdict before syncing findings to the SaaS console. The container mode (mend image <registry>/<image>:<tag>) extends the same CVE-detection pipeline to base-image OS packages and application layers, which is where the “mend container scanning” query volume is coming from.

Ticketing, policy, and dependency update automation

Beyond scanning, Mend integrates with Jira for automated ticket creation on policy violations and syncs with GitHub Enterprise, GitLab, Bitbucket, and Azure DevOps for repository-level findings. Dependency update automation is handled through the Renovate engine Mend.io maintains — Renovate’s continuous dependency-refresh loop is Mend’s differentiator from security-only SCA tools, because update PRs arrive on a cadence rather than only when a CVE is disclosed. Merge confidence scoring plugs into both the security fix PRs and the Renovate refresh PRs, so the build-break prediction applies to every upgrade the platform proposes.

Setup

When to use Mend SCA

Mend SCA fits teams that want automated remediation and reachability-based prioritization from a single platform.

Strengths:

• Automated fix PRs powered by Renovate technology
• Merge confidence scoring from aggregated CI data
• Reachability analysis reduces alert noise
• License compliance with policy enforcement
• Container and IaC scanning included

Limitations:

• Commercial only, no free tier. Median annual contract: $96,000 (range: $11,000–$177,000)
• SaaS-first; limited self-hosted options
• Newer SAST capabilities less mature than dedicated SAST tools

How it compares:

For more on integrating SCA into your pipeline, see the guides on SCA in CI/CD and software supply chain security.

Mend SCA alternatives

A few SCA tools compete directly with Mend, each from a different angle.

Snyk Open Source

Snyk Open Source is the developer-first default with a real free tier and broader ecosystem coverage. Pick Snyk when fast onboarding and per-developer self-serve pricing matter more than Renovate-style update cadence. See also the Mend SCA vs Snyk comparison for a side-by-side.

Black Duck

Black Duck is the closest enterprise-parity alternative, with deeper licence analysis and binary/snippet scanning that matter for M&A due diligence. Mend is more developer-friendly; Black Duck is more legal-audit-ready.

Aikido

Aikido publishes predictable per-developer pricing that some teams prefer over Mend’s contact-sales model. Aikido bundles SCA, SAST, container, IaC, and secrets under one subscription — similar scope to Mend’s platform with a smaller, developer-priced footprint.

Socket

Socket focuses on malicious-package detection through behavioural analysis of install scripts and runtime behaviour. Pick Socket when supply-chain-attack prevention matters more than broader CVE and licence coverage; most teams run it alongside a full SCA rather than instead of one.

Endor Labs

Endor Labs pushes reachability further than Mend’s call-graph model, focusing on function-level analysis across 40+ languages. Endor competes most directly with Mend on the “only exploitable CVEs” pitch for reachability-heavy workflows.

For a broader view, see the Mend alternatives guide, open-source SCA tools, and the SCA tools overview.

Mend SCA pricing

Mend does not publish SCA pricing on mend.io. The pricing page routes every request through a contact-sales flow and there is no self-serve checkout or published plan table. As of 2026-04-24, no free developer tier exists — the legacy WhiteSource free community edition was retired during the Mend rebrand.

Packaging generally follows two shapes. On the legacy WhiteSource side, customers paid by seat with SCA, licence compliance, and container scanning bundled together. On the newer Mend platform, the company sells a per-developer platform subscription that bundles SCA, SAST, and container into one price rather than breaking them out as separate SKUs. Expect to negotiate on developer count, deployment model (SaaS-first with limited self-hosted options), and whether you also take the Mend SAST and container modules.

For directional figures on what real customers pay, the frontmatter on this page references Vendr’s aggregated contract data — see the Vendr footnote. Per site policy I do not publish a fixed list price here because Mend does not publish one publicly.

Frequently Asked Questions

* Pricing data from Vendr — anonymized contract values from real buyer transactions.