MergeBase SCA


MergeBase Vulnerability Scanner

MergeBase is an SCA extension (software composition analysis) that scans your applications within Jenkins. It helps your development teams identify dangerous and insecure library versions early. Your results will be displayed in your own web-based dashboard.

Visit our website to sign up or contact us for more info.

Key Benefits

  • Supports all your DevOps languages: Javascript, Python, C#, Go, Ruby, Java, and more.
  • Don't waste time chasing false positives; Mergebase has the lowest false positive rate in the industry!
  • Sophisticated suppression management, so you can effectively pursue a zero-vuln strategy.
  • Microsoft Board integration and developer guidance to streamline your workflows.
  • Real-time notification if new vulnerabilities are uncovered in the industry, allowing you to respond to emerging threats immediately.
  • Analyses your open source licenses, enabling you to manage your legal risks.

This pipeline extension makes integrating MergeBase SCA into your Microsoft development environment a seamless experience. It analyses your projects in place and will not upload your valuable intellectual property into the cloud.

Contact us to find out more about run-time protection and container scanning.

Getting started

Required Parameters

The following parameters are required. The values in parentheses is used in pipeline workflow configuration.

Project Name (projectName): A unique name for your project. This will be the name that represents the project in the MergeBase Dashboard.

MergeBase Dashboard URL (url): Add your dashboard URL in the form https://[your-organization] . If you have an on-premise installation, use your custom URL.

Customer Token (customerToken): Your API token from your Dashboard. This can be found on the Settings page.

Optional Parameters

The values in parentheses is used in pipeline workflow configuration.

Severity Threshold (severityThreshold): Vulnerabilities below the following CVSS/Risk Score threshold are ignored. (between 0.0 - 10.0)

Path to scan(mbScanPath): This defaults to ./. It can be modified for your project's setup.

Scan all projects found (scanAll): Scan the build directory recursively to find all projects with compatible build files. This defaults to false, and the MergeBase scanner will select the first build file it find in the current directory or the specific file if you have selected a file-path.

Enable Debug logging (debugMode): Enables debug output for use in troubleshooting.

Enable JSON output (jsonOutput): Outputs the MergeBase report in JSON form for use in automation.

Freestyle Projects

In a freestyle project, add "MergeBase SCA Scan" build step. Add the required parameters as listed above.


For feature requests, open a pull request or contact

For security or vulnerability reports, email


Licensed under MIT, see LICENSE