feat: add GitHub Actions for Mend CLI image, code and dependency scan

Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: esolitos

mend-image/README.md

@@ -0,0 +1,13 @@
+# Mend Image Scan Action
+
+## Usage
+
+```yaml
+- uses: vespa-engine/gh-actions/mend-image@main
+  with:
+    image-name: "docker.io/vespaengine/vespa:latest"
+    mend-api-key: ${{ secrets.MEND_API_KEY }}
+    mend-user: ${{ secrets.MEND_USER }}
+    mend-app-name: "my-app-name"
+    mend-project-name: "my-project-name"
+```

mend-image/action.yml

@@ -0,0 +1,147 @@
+name: Image Scan with Mend CLI
+description: Run Mend container image scanning on your images
+
+inputs:
+  image-name:
+    description: "Container image to scan (e.g., alpine:latest, myregistry.io/app:v1.0)"
+    required: true
+
+  mend-app-name:
+    description: "Mend Application Name"
+    required: true
+
+  mend-project-name:
+    description: "Mend Project Name"
+    required: true
+
+  mend-api-key:
+    description: "Mend API Key (pass from secrets)"
+    required: true
+
+  mend-user:
+    description: "Mend User Email (pass from secrets)"
+    required: true
+
+  mend-url:
+    description: "Mend Server URL"
+    required: false
+    default: "https://saas-eu.mend.io"
+
+  local-pull:
+    description: "Pull from local Docker only (true/false)"
+    required: false
+    default: "false"
+
+  fail-on-policy-violation:
+    description: "Fail build on policy violations (true/false)"
+    required: false
+    default: "true"
+
+  log-level:
+    description: "Log level (INFO, DEBUG, WARNING, ERROR)"
+    required: false
+    default: "INFO"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install Mend CLI
+      shell: bash
+      env:
+        ARCH: ${{ contains(fromJson('["X86", "X64"]'), runner.arch) && 'amd64' || 'arm64' }}
+      run: |
+        CLI_URL="https://downloads.mend.io/cli/linux_${ARCH}/mend"
+        echo "📥 Downloading Mend CLI from ${CLI_URL}"
+        curl -fsSL "${CLI_URL}" -o /tmp/mend
+        sudo mv /tmp/mend /usr/local/bin/mend
+        sudo chmod +x /usr/local/bin/mend
+        mend version
+
+    - name: Run Mend Image Scan
+      shell: bash
+      id: scan
+      env:
+        # Authentication variables
+        MEND_USER_KEY: ${{ inputs.mend-api-key }}
+        MEND_EMAIL: ${{ inputs.mend-user }}
+        MEND_URL: ${{ inputs.mend-url }}
+
+        # Scope
+        MEND_APP: ${{ inputs.mend-app-name }}
+        MEND_PROJ: ${{ inputs.mend-project-name }}
+
+        MEND_LOG_LEVEL: ${{ inputs.log-level }}
+      run: |
+        echo "🐳 Starting Mend Image Scan..."
+        echo "Image: ${{ inputs.image-name }}"
+        echo "Application: ${MEND_APP}"
+        echo "Project: ${MEND_PROJ}"
+
+        mend_args=(
+          "--non-interactive"
+          "--scope" "${MEND_APP}//${MEND_PROJ}"
+        )
+
+        # Add local-pull flag if enabled
+        if [[ "${{ inputs.local-pull }}" == "true" ]]; then
+          mend_args+=("--local-pull")
+        fi
+
+        # Add fail-policy flag if enabled
+        if [[ "${{ inputs.fail-on-policy-violation }}" == "true" ]]; then
+          mend_args+=("--fail-policy")
+        fi
+
+        set +e
+        mend image "${{ inputs.image-name }}" "${mend_args[@]}"
+        exit_code=$?
+
+        # Save exit code for next step
+        echo "app-name=${MEND_APP}" >> $GITHUB_OUTPUT
+        echo "proj-name=${MEND_PROJ}" >> $GITHUB_OUTPUT
+        echo "mend-exit=$exit_code" >> $GITHUB_OUTPUT
+        echo "cli-args=${mend_args[*]}" >> $GITHUB_OUTPUT
+
+    - name: Process Scan Results
+      shell: bash
+      env:
+        MEND_APP: "${{ steps.scan.outputs.app-name }}"
+        MEND_PROJ: "${{ steps.scan.outputs.proj-name }}"
+        CLI_ARGS: "${{ steps.scan.outputs.cli-args }}"
+        SCAN_EXIT_CODE: "${{ steps.scan.outputs.mend-exit }}"
+      run: |
+        printf '## 🐳 Image Scan for %s//%s\n' "${MEND_APP}" "${MEND_PROJ}" >> $GITHUB_STEP_SUMMARY
+        printf '\n\n' >> $GITHUB_STEP_SUMMARY
+        printf '**Image URI:** `%s`\n' "${{ inputs.image-name }}" >> $GITHUB_STEP_SUMMARY
+        printf '**Application:** %s\n' "${MEND_APP}" >> $GITHUB_STEP_SUMMARY
+        printf '**Project:** %s\n' "${MEND_PROJ}" >> $GITHUB_STEP_SUMMARY
+        printf '\n\n' >> $GITHUB_STEP_SUMMARY
+
+        case $SCAN_EXIT_CODE in
+          0)
+            echo "### ✅ Success" >> $GITHUB_STEP_SUMMARY
+            echo "Image scan completed successfully with no policy violations." >> $GITHUB_STEP_SUMMARY
+            ;;
+          1)
+            echo "### ❌ Invalid Configuration" >> $GITHUB_STEP_SUMMARY
+            echo "An invalid configuration parameter was passed. Check for typos in the parameters." >> $GITHUB_STEP_SUMMARY
+            ;;
+          2)
+            echo "### ❌ Connection Error" >> $GITHUB_STEP_SUMMARY
+            echo "Unable to access the update or license details from the Mend server URL. Check internet connection." >> $GITHUB_STEP_SUMMARY
+            ;;
+          9)
+            echo "### ⚠️ Policy Violation" >> $GITHUB_STEP_SUMMARY
+            echo "Image scan results contain vulnerabilities that contravene the defined policy." >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "Please review the findings in the Mend platform." >> $GITHUB_STEP_SUMMARY
+            ;;
+          *)
+            echo "### ❌ Error" >> $GITHUB_STEP_SUMMARY
+            echo "Image scan failed with exit code: ${SCAN_EXIT_CODE}" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "Check the Mend CLI documentation for exit code details." >> $GITHUB_STEP_SUMMARY
+            ;;
+        esac
+
+        exit $SCAN_EXIT_CODE

mend-sast/README.md

@@ -0,0 +1,12 @@
+# Mend Code Scan Action
+
+## Usage
+
+```yaml
+- uses: vespa-engine/gh-actions/mend-sast@main
+  with:
+    mend-app-name: "vespa-engine"
+    mend-project-name: "MyProject"  # Optional
+    mend-api-key: ${{ secrets.MEND_API_KEY }}
+    mend-user: ${{ secrets.MEND_USER }}
+```

mend-sast/action.yml

@@ -0,0 +1,207 @@
+name: Code Scan with Mend CLI
+description: Run Mend SAST security scanning on your codebase
+
+inputs:
+  mend-app-name:
+    description: "Mend Application Name"
+    required: true
+
+  mend-project-name:
+    description: "Mend Project Name"
+    required: true
+
+  mend-api-key:
+    description: "Mend API Key (pass from secrets)"
+    required: true
+
+  mend-user:
+    description: "Mend User Email (pass from secrets)"
+    required: true
+
+  scan-name:
+    description: "Name of the scan"
+    required: false
+    default: ""
+
+  update:
+    description: "Update results to Mend (true/false)"
+    required: false
+    default: "true"
+
+  target-directory:
+    description: "Target directory to scan, relative to GitHub workspace"
+    required: false
+    default: ""
+
+  log-level:
+    description: "Log level (INFO, DEBUG, WARNING, ERROR)"
+    required: false
+    default: "INFO"
+
+  secrets-detection:
+    description: "Enable secrets detection (true/false)"
+    required: false
+    default: "true"
+
+  incremental-scan:
+    description: "Enable incremental scan (true/false)"
+    required: false
+    default: ${{ github.event_name == 'pull_request' }}
+
+  github-upload:
+    description: "Upload results to GitHub Code Scanning Alerts (true/false)"
+    required: false
+    default: "true"
+
+  enabled-engines:
+    description: |
+      **Recommended:** Comma-separated list of SAST engine IDs (e.g., '101,108' for Java and JavaScript). Omit for auto-recognition.
+      Useful ones: Ruby(5), C/C++(12), Go(18), Java(101), Python(104), JavaScript(108)
+      [See documentation for complete list](https://docs.mend.io/platform/latest/configure-the-mend-cli-for-sast#ConfiguretheMendCLIforSAST-Mend-CLI-SAST-supported-languages-and-engine-IDsMendCLISAST-supportedlanguagesandengineIDs)
+    required: false
+    default: ""
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install Mend CLI
+      shell: bash
+      env:
+        ARCH: ${{ contains(fromJson('["X86", "X64"]'), runner.arch) && 'amd64' || 'arm64' }}
+      run: |
+        CLI_URL="https://downloads.mend.io/cli/linux_${ARCH}/mend"
+        echo "📥 Downloading Mend CLI from ${CLI_URL}"
+        curl -fsSL "${CLI_URL}" -o /tmp/mend
+        sudo mv /tmp/mend /usr/local/bin/mend
+        sudo chmod +x /usr/local/bin/mend
+        mend version
+
+    - name: Run Mend Code Scan
+      shell: bash
+      id: scan
+      env:
+        # Authentication variables
+        MEND_USER_KEY: ${{ inputs.mend-api-key }}
+        MEND_EMAIL: ${{ inputs.mend-user }}
+        MEND_URL: https://saas-eu.mend.io
+
+        # Scope
+        MEND_APP: ${{ inputs.mend-app-name }}
+        MEND_PROJ: ${{ inputs.mend-project-name }}
+
+        # Scan configuration
+        MEND_SAST_TARGET_DIRECTORY: ${{ github.workspace }}/${{ inputs.target-directory }}
+        MEND_LOG_LEVEL: ${{ inputs.log-level }}
+        MEND_SAST_ENGINES: ${{ inputs.enabled-engines }}
+
+        MEND_SAST_TIMEOUT_TOTAL: "3600"
+        MEND_SAST_SCAN_RETRIES: "3"
+
+      run: |
+        mend_args=(
+          "--non-interactive"
+          # Mend Organization in scope is assumed from API key
+          "--scope" "${MEND_APP}//${MEND_PROJ}"
+        )
+
+        if [[ -n "${{ inputs.scan-name }}" ]]; then
+          mend_args+=("--name" "${{ inputs.scan-name }}")
+        fi
+
+        if [[ "${{ inputs.update }}" != "true" ]]; then
+          mend_args+=("--no-logs")
+        fi
+
+        if [[ "${{ inputs.secrets-detection }}" == "true" ]]; then
+          mend_args+=("--secrets-detection")
+        fi
+
+        if [[ "${{ inputs.incremental-scan }}" == "true" ]]; then
+          mend_args+=("--inc")
+        fi
+
+        if [[ "${{ inputs.github-upload }}" == "true" ]]; then
+          mend_args+=(
+            "--report"
+            # Format extension is appended by CLI
+            "--filename" "mend"
+            "--formats" "sarif"
+          )
+        fi
+
+        set +e
+        mend sast "${mend_args[@]}"
+        exit_code=$?
+
+        # Save exit code for next step
+        echo "app-name=${MEND_APP}" >> $GITHUB_OUTPUT
+        echo "proj-name=${MEND_PROJ}" >> $GITHUB_OUTPUT
+        echo "mend-exit=$exit_code" >> $GITHUB_OUTPUT
+        echo "cli-args=${mend_args[*]}" >> $GITHUB_OUTPUT
+
+        # Export options not exposed via CLI args
+        echo "engines=${MEND_SAST_ENGINES}" >> $GITHUB_OUTPUT
+
+
+    - name: Upload SARIF Report
+      if: ${{ inputs.github-upload == 'true' && steps.scan.outputs.mend-exit != '' }}
+      uses: github/codeql-action/upload-sarif@v4
+      with:
+        sarif_file: 'mend.sarif'
+        category: 'Mend SAST'
+
+    - name: Process Scan Results
+      shell: bash
+      env:
+        MEND_APP: "${{ steps.scan.outputs.app-name }}"
+        MEND_PROJ: "${{ steps.scan.outputs.proj-name }}"
+        CLI_ARGS: "${{ steps.scan.outputs.cli-args }}"
+        SCAN_EXIT_CODE: "${{ steps.scan.outputs.mend-exit }}"
+
+        ENABLED_ENGINES: "${{ steps.scan.outputs.engines }}"
+        MEND_ENGINES_DOC_URL: "https://docs.mend.io/platform/latest/configure-the-mend-cli-for-sast#ConfiguretheMendCLIforSAST-Mend-CLI-SAST-supported-languages-and-engine-IDsMendCLISAST-supportedlanguagesandengineIDs"
+      run: |
+        printf '## 🔍 SAST Scan for %s//%s\n' "${MEND_APP}" "${MEND_PROJ}" >> $GITHUB_STEP_SUMMARY
+        printf '\n\n' >> $GITHUB_STEP_SUMMARY
+        printf '**Run Arguments:** `%s`\n' "${CLI_ARGS}" >> $GITHUB_STEP_SUMMARY
+        printf '**Enabled [Engine IDs (ref. docs)](%s):** %s\n' "${MEND_ENGINES_DOC_URL}" "${ENABLED_ENGINES}" >> $GITHUB_STEP_SUMMARY
+        printf '\n\n' >> $GITHUB_STEP_SUMMARY
+
+        case "${{ steps.scan.outputs.mend-exit }}" in
+          0)
+            echo "### ✅ Success" >> $GITHUB_STEP_SUMMARY
+            echo "Scan completed successfully with no policy violations." >> $GITHUB_STEP_SUMMARY
+            ;;
+          1)
+            echo "### ❌ Invalid Configuration" >> $GITHUB_STEP_SUMMARY
+            echo "An invalid configuration parameter was passed. Check for typos in the parameters." >> $GITHUB_STEP_SUMMARY
+            ;;
+          2)
+            echo "### ❌ Connection Error" >> $GITHUB_STEP_SUMMARY
+            echo "Unable to access the update or license details from the Mend server URL. Check internet connection." >> $GITHUB_STEP_SUMMARY
+            ;;
+          4)
+            echo "### ❌ Unsupported Language" >> $GITHUB_STEP_SUMMARY
+            echo "Unable to detect a supported language within the project based on the file extensions provided." >> $GITHUB_STEP_SUMMARY
+            ;;
+          7)
+            echo "### ❌ Permission Error" >> $GITHUB_STEP_SUMMARY
+            echo "Could not create a cache subdirectory. Check that the Mend CLI permissions include 'create'." >> $GITHUB_STEP_SUMMARY
+            ;;
+          9)
+            echo "### ⚠️ Policy Violation" >> $GITHUB_STEP_SUMMARY
+            echo "Results contain too many vulnerabilities, which contravenes the defined policy." >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "Please review the findings in the Mend platform." >> $GITHUB_STEP_SUMMARY
+            ;;
+          10)
+            echo "### ❌ Scanning Engine Failure" >> $GITHUB_STEP_SUMMARY
+            echo "A scanning engine stalled or failed." >> $GITHUB_STEP_SUMMARY
+            ;;
+          *)
+            echo "### ❌ Unknown Error" >> $GITHUB_STEP_SUMMARY
+            echo "Scan failed with exit code: ${SCAN_EXIT_CODE}" >> $GITHUB_STEP_SUMMARY
+            ;;
+        esac
+
+        exit $SCAN_EXIT_CODE

mend-sca/README.md

@@ -0,0 +1,12 @@
+# Mend Dependency Scan Action
+
+## Usage
+
+```yaml
+- uses: vespa-engine/gh-actions/mend-sca@main
+  with:
+    mend-app-name: "vespa-engine"
+    mend-project-name: "MyProject"  # Optional
+    mend-api-key: ${{ secrets.MEND_API_KEY }}
+    mend-user: ${{ secrets.MEND_EMAIL }}
+```