AI security review

Learn how to set up and configure AI security review for your projects

Beta

AI security review provides automated code review capabilities using artificial intelligence to identify potential security issues in your codebase.

After you set up AI security review, creating a pull request triggers an Endor Labs scan on the diff. Endor Labs sends the scan data to an AI model to produce a security analysis and generates a report.

You can view the report in the Endor Labs user interface. You can also enable pull request comments to get a comment on your GitHub pull request with the details of the AI security review.

The following sections provide information on how to set up AI security review, customize a scan profile, and view the AI security review results.

Prerequisites for AI security review

Before you set up AI security review, ensure that the following prerequisites are in place:

  • An active Endor Labs subscription with the Security Review license bundle.
  • Administrator access to your GitHub organization.
  • Access to configure scan profiles and policies.

To confirm that your subscription includes Security Review:

  1. Select Settings > License from the left sidebar.
  2. Verify that Security Review is listed under Products and Features.

Set up AI security review

To set up AI security review, you need to complete the following tasks:

Install the GitHub App if you don’t have it already. See GitHub App for more information.

Ensure that you enable the following settings:

  • Pull Request Scans: Allows Endor Labs to scan pull requests. You must enable this setting so that AI security review can run on a pull request.
  • Pull Request Comments: Allows Endor Labs to comment on a pull request in GitHub. This setting is optional; enable it if you want a comment on your GitHub pull request with the details of the AI security review. You also need to select Pull Request Comments in your scan profile and set up an action policy.

Create a scan profile for AI security review and configure the following options:

  • Pull Request Scans: Mandatory. This setting allows Endor Labs to scan the pull requests.
  • Pull Request Comments: Optional. This setting allows Endor Labs to comment on a pull request in GitHub.
  • AI Security Review Scans: Mandatory. This setting allows Endor Labs to scan the pull requests for AI security review.
  • Disable Code Summary: Optional. This setting allows you to disable the code summary for the AI security review.
  • Custom Prompt: Optional. You can enter a custom prompt to modify how AI security review detects and categorizes security-related changes.

[Screenshot: Scan profile for AI security review]

After you create the scan profile, assign the scan profile to the projects for which you want to set up AI security review.

See Scan Profiles for more information on creating a scan profile.

Ensure that the Security Review policy is enabled under finding policies.

  1. Select Policies & Rules from the left sidebar.
  2. Select Finding Policies.
  3. Search for Security Review and ensure that the policy is enabled.

[Screenshot: Enable finding policy for AI security review]

If you want to get comments on your GitHub pull requests, you need to set up an action policy.

  1. Select Settings from the left sidebar.

  2. Select Action Policies.

  3. Click Create Action Policy.

  4. Select Security Review as the Policy Template.

  5. Choose the severity threshold to trigger the AI security review.

    You can choose from the following severity thresholds:

    • Any
    • Low
    • Medium
    • High
    • Critical
  6. Select Pull Request as the Branch Type.

  7. Choose Enforce Policy as the action, and select Warn or Break the Build depending on your preference.

  8. Configure include and exclude patterns for the policy.

  9. Name the policy and provide a description.

  10. Enter tags if required for the policy.

  11. Click Create Action Policy to save the policy.

See Action Policies for more information on setting up an action policy.

[Screenshot: Configure action policy for PR comments]

View AI Security Review Results

You can view the AI security review results in the Endor Labs UI. If you also enable pull request comments, Endor Labs posts a comment on your GitHub pull request with the details of the AI security review.

  1. Select Projects from the left sidebar.

  2. Select the project for which you want to view the AI security review results.

  3. Select Security Review.

    [Screenshot: Security Review]

    You can view the AI security review results for all the pull requests raised in the project. You can also search for a specific pull request and view the results.

    You can filter the results by the type of security issue, the severity of the issue, the author of the pull request, the approvers, and the creation time of the pull request. Select Advanced to enter a search query that filters the results.

    For example, the following query shows only the critical security issues in pull requests that have not been merged:

    (spec.level in ["SECURITY_REVIEW_LEVEL_CRITICAL"] and spec.repository_pull_request_spec.merged != true)

  4. Click on a pull request to view the detailed report.

    [Screenshot: Security Review Report]

    The report appears in the right sidebar. It shows the security analysis of the pull request and the list of security risks along with their severities.

    Click the links in the security analysis to go directly to the lines of code that carry the security risk.

    You can also click the links to view the pull request and the specific commit that introduced the security risk.

  5. Select the arrow next to a security risk to view the details of the security risk.

    [Screenshot: Security Risk Details]

    You can view the analysis of the security risk, the code snippet associated with the risk, and the details of the pull request.
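The following Python evaluator is an added example and not Endor Labs code; it does not implement the product's query engine. It models the filter syntax of the example query above (dotted field paths such as spec.level and spec.repository_pull_request_spec.merged, "in [...]", "==", "!=", "and", "or" and parentheses) so you can check, on locally constructed records, which pull requests a query selects before relying on it. The grammar, the "id" field and the sample records are assumptions; only the two field names and the query itself come from the page.

```python
"""Local evaluator for the search-filter syntax shown above. Added example, not
Endor Labs code: the grammar (dotted field paths, ==, !=, in [...], and/or,
parentheses) is an assumption that covers the documented query, not the product's."""
import re

# A token is a quoted string, a comparison operator, punctuation, or a dotted identifier.
TOKEN_RE = re.compile(r'"[^"]*"|==|!=|[()\[\],]|[A-Za-z_][\w.]*')

def tokenize(text):
    tokens = TOKEN_RE.findall(text)
    # Whitespace-insensitive round trip: any character the regex skipped is a syntax error.
    if "".join("".join(tokens).split()) != "".join(text.split()):
        raise ValueError(f"cannot tokenize {text!r}")
    return tokens

class Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok
    def parse(self):
        node = self.expr()
        if self.peek() is not None:  # reject trailing tokens such as an extra ")"
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node
    def expr(self, tight=False):
        """Chain of 'or' terms; with tight=True, a chain of 'and' atoms (binds tighter)."""
        word, below = ("and", self.atom) if tight else ("or", lambda: self.expr(True))
        node = below()
        while self.peek() == word:
            self.take()
            node = (word, node, below())
        return node
    def atom(self):
        if self.peek() == "(":
            self.take("(")
            node = self.expr()
            self.take(")")
            return node
        field, op = self.take(), self.take()
        if op == "in":
            self.take("[")
            values = [self.value()]
            while self.peek() == ",":
                self.take(",")
                values.append(self.value())
            self.take("]")
            return ("in", field, values)
        if op in ("==", "!="):
            return (op, field, self.value())
        raise ValueError(f"unknown operator {op!r}")
    def value(self):
        tok = self.take()
        if tok.startswith('"'):
            return tok[1:-1]
        if tok in ("true", "false"):
            return tok == "true"
        raise ValueError(f"expected a value, got {tok!r}")

def lookup(record, path):
    """Follow a dotted path into nested dicts; a missing key yields None."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur

COMPARE = {"in": lambda a, b: a in b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def evaluate(node, record):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    if kind == "or":
        return evaluate(node[1], record) or evaluate(node[2], record)
    # Comparison: an unset field looks up as None, so "merged != true" also matches it.
    return COMPARE[kind](lookup(record, node[1]), node[2])

def filter_ids(query, records):
    node = Parser(tokenize(query)).parse()
    return [r["id"] for r in records if evaluate(node, r)]

CRIT, LOW = "SECURITY_REVIEW_LEVEL_CRITICAL", "SECURITY_REVIEW_LEVEL_LOW"
SAMPLE_REVIEWS = [  # constructed records using the field names from the documented query
    {"id": "pr-101", "spec": {"level": CRIT, "repository_pull_request_spec": {"merged": False}}},
    {"id": "pr-102", "spec": {"level": CRIT, "repository_pull_request_spec": {"merged": True}}},
    {"id": "pr-103", "spec": {"level": LOW, "repository_pull_request_spec": {"merged": False}}},
    {"id": "pr-104", "spec": {"level": CRIT, "repository_pull_request_spec": {}}},  # merged unset
]
# The query from the documentation: critical issues in unmerged pull requests.
CRITICAL_UNMERGED = ('(spec.level in ["SECURITY_REVIEW_LEVEL_CRITICAL"] '
                     'and spec.repository_pull_request_spec.merged != true)')
```

Running filter_ids(CRITICAL_UNMERGED, SAMPLE_REVIEWS) returns ['pr-101', 'pr-104']: the record whose merged flag is not set at all also satisfies "merged != true" in this evaluator, which is a choice made here and worth confirming against the product before treating a "!=" filter as equivalent to "== false".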

If you configure the action policy to get comments on your GitHub pull requests, Endor Labs comments on the pull request with the security analysis.

[Screenshot: Security Review GitHub pull request comment]