You can export the findings generated by Endor Labs to GitHub Advanced Security so that you can view the findings in the GitHub. Endor Labs exports the findings in the SARIF format and uploads them to GitHub. You can view the findings under Security > Vulnerability Alerts > Code Scanning in GitHub.
Warning
GitHub have several limitations for SARIF files, so you may not be able to experience the full benefits on Endor Labs. For example, GitHub limits the number of results in a SARIF file. It allows a maximum of 25000 results per file but displays the first 5000 results ranked by severity. Refer to GitHub SARIF support for code scanning for the complete list of limitations with respect to SARIF files in GitHub Advanced Security.Prerequisites
Ensure that you meet the following prerequisites before exporting findings to GitHub Advanced Security:
- Endor Labs GitHub App (Pro) installed in your GitHub repository. See Deploy Endor Labs GitHub App (Pro) for more information.
- Code scanning feature is enabled in your GitHub repository. Refer to Enabling code scanning for more information.
- Download and install endorctl. See Install endorctl for more information.
Create a SARIF exporter
SARIF exporter allows you to export the findings generated by Endor Labs in the SARIF format.
You can create a SARIF exporter using the Endor Labs API.
Run the following command to create a SARIF exporter.
endorctl api create -n <namespace> -r Exporter -d '{
"meta": {
"name": "<exporter-name>"
},
"tenant_meta": {
"namespace": "<namespace>"
},
"spec": {
"exporter_type": "EXPORTER_TYPE_GHAS",
"message_type_configs": [
{
"message_type": "MESSAGE_TYPE_FINDING",
"message_export_format": "MESSAGE_EXPORT_FORMAT_SARIF"
}
]
},
"propagate": true
}'
For example, to create a SARIF exporter named ghas-exporter in the namespace doe.deer, run the following command.
endorctl api create -n doe.deer -r Exporter -d '{
"meta": {
"name": "ghas-exporter"
},
"tenant_meta": {
"namespace": "doe.deer"
},
"spec": {
"exporter_type": "EXPORTER_TYPE_GHAS",
"message_type_configs": [
{
"message_type": "MESSAGE_TYPE_FINDING",
"message_export_format": "MESSAGE_EXPORT_FORMAT_SARIF"
}
]
},
"propagate": true
}'
Configure scan profile and project to use the SARIF exporter
You can configure the scan profile to use the SARIF exporter and associate it with your project. You can also set the scan profile as the default scan profile so that all the projects in the namespace use the scan profile by default. See Scan profiles for more information.
Configure the scan profile
Ensure that you select the SARIF exporter in the Export section of the scan profile.
-
Select Settings from the left sidebar.
-
Select Scan Profiles.
-
Select the scan profile you want to configure and click Edit Scan Profile.
-
Select the SARIF exporter under Exporters and click Save Scan Profile.
Configure the project to use the scan profile
Ensure that you choose the scan profile with the SARIF exporter for the project.
-
Go to the Projects page and select the project you want to configure.
-
Select Settings and select the scan profile you want to use under Scan Profile.
Scan projects to use the SARIF exporter
After the configuration is complete, your subsequent scans will export the findings in the SARIF format and upload them to GitHub. You can use the rescan ability to scan the project immediately instead of waiting for the next scheduled scan. See Rescan projects for more information.
View findings in GitHub
-
Navigate to your GitHub repository.
-
Select Security
-
Select Code scanning under Vulnerability Alerts.
You can use the search bar to filter the findings specific to a pull request. This allows you to view the specific findings if you have enabled PR scans. You can also view findings for a specific branch and other filter criteria.
