At Endor Labs, safeguarding your data is our priority. We believe that transparency builds trust, so we’re upfront about what data we handle, how we process it, and most importantly, what we don’t do!
The data that Endor Labs handles varies depending on the product you use, your deployment model, and your configured integrations. As Endor Labs continues to innovate, our data handling practices may change with the introduction of new capabilities, products, or changes to existing functionality over time.
Deployment models
Endor Labs has two primary deployment models:
- Hybrid scanning: Customers can run the Endor Labs CLI in their CI/CD environment. With a hybrid scanning strategy, analysis of your software is performed inside your environment, on the compute environment where the scan is running. Metadata associated with the various scan types is then sent back to the Endor Labs cloud environment, to your hosted tenant, and stored for analysis.
- Cloud scanning: Customers may choose to integrate and deploy Endor Labs using a cloud-based scanning solution, such as the Endor Labs GitHub App. When using a cloud-based scanning solution, Endor Labs is given access to your source code and SCM in order to continuously scan changes to your software and the configuration of your SCM environment. Endor Labs deletes the source code from its servers after each scan and stores only the metadata associated with the scan.
Data common across products
- Finding data: Endor Labs stores the information required to report findings on its customers' security or operational risks, such as vulnerability or misconfiguration information.
- Finding location: Endor Labs stores information required to identify the location of a finding so that corrective action may take place. This includes information such as the repository name, file name, and issue location.
- Integration information: Endor Labs stores information required for operation of external integrations with third parties such as Jira. These include configuration and authentication information.
- Identity information: Endor Labs stores identity claim information required to access and use the platform, such as email address and group claims sent by an external identity provider.
- User telemetry: Endor Labs stores various types of information pertaining to your usage of Endor Labs such as platform usage and scan configuration.
Product: Endor Open Source
Endor Labs stores data about your repository, software packages, container images, and your software manifest files in order to report findings on known issues and re-analyze them as security intelligence feeds are continuously updated.
Data in SCA scanning
- Analyzes repositories for manifest files and code to determine the resolved dependencies.
- Looks in dependency caches or environments to determine the dependencies resolved by a package manager.
- Assesses the source code or final artifact to build a call graph for the specific version of your code.
Data in container scanning
The Endor Labs container scan accesses the image on the host operating system, reviews the image digests and layers, assesses the dependencies installed at each layer, and aggregates risk information based on those dependencies.
| Data Elements | Examples |
|---|---|
| Package/Image metadata | Package version call graph, dependency graph, package name, version, dependency metadata |
| Repository metadata | Repository name, Git reference, Git SHA |
| Finding information | Security and operational risk |
Product: Endor CI/CD
- When the optional tool scan is enabled, scans your CI files and code to identify which tools are used.
- Aggregates information about your repository and organization settings on GitHub while performing a scan using your GitHub token. This configuration is then continuously monitored for potential risk based on policy.
| Data Elements | Examples |
|---|---|
| CI tool information | Name and category of CI testing tools used |
| Repository configuration settings | Branch protection rules, webhooks, runner groups |
| Organization configuration settings | Webhooks, organization settings |
Product: Endor SBOM Hub
Endor Labs SBOM Hub leverages the raw data of the SBOMs you provide for tracking. This includes the complete SBOM and metadata about risks discovered by Endor Labs.
Product: Endor Code
Data in secret scanning
During secret scanning:
- Endor Labs scans an existing ref or all Git logs for potential secret leaks. If an issue is identified, Endor Labs stores the issue location, including the Git reference, file, and line numbers where the secret was found.
- Secret validation occurs as part of a local scan, during which the discovered secret is used to validate against an external validation endpoint or API. This takes place in the environment from which the secret scan is run.
Data in SAST scanning
During SAST scans, Endor Labs stores a snippet of the vulnerable code to make the issue easier to identify.
| Data Elements | Examples |
|---|---|
| File location and line numbers | Line numbers and files where a finding is discovered |
| Repository metadata | Repository name, Git reference, Git SHA |
| Finding information | Information about the specific secret leak or code weakness |
Data in AI Models
While scanning for AI models, Endor Labs may send snippets of code to Azure OpenAI Service to identify the model name in use.
Endor Labs Policy and Transparency Information
For additional information, see the following relevant pages on how Endor Labs handles your data: