Use the endorctl scan command to perform scans against a repository.


To perform a full scan, including reachability analysis for the open source software of the packages you build in a repository, and monitor the checked-out version of your code, run the command:

endorctl scan

To scan for leaked secrets and monitor all results in the checked-out version of your repository:

endorctl scan --secrets

To scan for leaked secrets in all branches of your repository, use the command:

endorctl scan --secrets --git-logs

To scan for misconfigurations in a GitHub repository (i.e

export GITHUB_TOKEN=<insert-your-github-token>
endorctl scan --github --repository-http-clone-url=

To run a scan as a test in a pull request, without monitoring the version of your code over time, run the command:

endorctl scan --pr


The command endorctl scan uses the following flags and environment variables:

| Flag | Environment Variable | Description |
|------|----------------------|-------------|
| `as-default-branch` | `ENDOR_SCAN_AS_DEFAULT_BRANCH` | Set this as the default branch. |
| `bazel-targets-query` | `ENDOR_SCAN_BAZEL_TARGETS` | Set this variable to query for a list of Bazel targets to include in a scan. |
| `bazel-exclude-targets` | `ENDOR_SCAN_BAZEL_EXCLUDE_TARGETS` | Set this variable to exclude a list of Bazel targets included in a provided Bazel query. |
| `bazel-include-targets` | `ENDOR_SCAN_AS_INCLUDE_TARGETS` | Set this variable to perform a scan on a list of targets using Bazel. Only the specified list of targets is scanned. If you do not specify `bazel-include-targets`, you must identify targets using `bazel-targets-query`. If you specify targets, then the results from `bazel-targets-query` are ignored. |
| `bazel-workspace-path` | `ENDOR_SCAN_BAZEL_WORKSPACE_PATH` | Set this variable to specify the path of the Bazel workspace. |
| `build` | `ENDOR_SCAN_BUILD` | Enable the scan to build the project if needed. |
| `call-graph-languages` | `ENDOR_SCAN_CALLGRAPH_LANGUAGES` | Set programming languages for call graph generation (go, java, python, rust) (default [go,java,python,rust]). |
| `dependencies` | `ENDOR_SCAN_DEPENDENCIES` | Scan git commits and generate findings for all dependencies. |
| `detached-ref-name` | `ENDOR_SCAN_DETACHED_REF_NAME` | Set the name of the git reference to a user-provided name. Example: `--detached-ref-name="$CI_DEFAULT_BRANCH"`. Use with CI environments that check out commits, such as GitLab. |
| `disable-private-package-analysis` | `ENDOR_SCAN_DISABLE_PRIVATE_PACKAGE_ANALYSIS` | Disable the call graph analysis of private dependencies that are not part of the repository. |
| `droid-gpt` | `ENDOR_SCAN_DROID_GPT` | Use DroidGPT to interpret build errors and generate remediation advice. |
| `exclude` | `ENDOR_SCAN_EXCLUDE` | Set to a regex pattern such as `foo.*` to exclude any files or directories, in the scan path, that match this pattern. For example, `--exclude='*.py'` will ignore the following:, src/,; and `--exclude='tests'` will ignore tests/ as well as a/b/tests/c/. See also `--include` and `--languages`. |
| `exit-on-policy-warning` | `ENDOR_SCAN_EXIT_ON_POLICY_WARNING` | Return a non-zero exit code if there are policy violation warnings. |
| `git-logs` | `ENDOR_SCAN_GIT_LOGS` | Audit the historical git logs of the repository for all branches in the repository. Must be used together with `--secrets`. |
| `github` | `ENDOR_SCAN_GITHUB` | Fetch information from GitHub, scan git commits and generate findings for all dependencies, as well as any GitHub misconfigurations. |
| `github-api-url` | `GITHUB_API_URL` | Set the GitHub API URL used for API requests to GitHub Enterprise Cloud or GitHub Enterprise Server. This flag must be used for self-hosted source control systems such as GitHub Enterprise Server. (default |
| `github-ca-path` | `GITHUB_CA_PATH` | Set the path to the CA certificate used by GitHub Enterprise Server if it is untrusted by your system. |
| `github-token` | `GITHUB_TOKEN` | Set the GitHub token used to authenticate with GitHub. |
| `include` | `ENDOR_SCAN_INCLUDE` | Set to a regex pattern to only scan files and directories, in the scan path, that match this pattern. For example, `--include=src/bar` will only scan files under src/bar. Note that there must be a manifest file at the root of the include directory for the scan to be successful. See also `--exclude` and `--languages`. |
| `languages` | `ENDOR_SCAN_LANGUAGES` | Set programming languages to scan. Used to limit the scan to specific languages. |
| `output-type` | `ENDOR_SCAN_SUMMARY_OUTPUT_TYPE` | Set output format (json, yaml, table, or summary). Use summary to only display policy violations and not all findings. (default json) |
| `path` | `ENDOR_SCAN_PATH` | Set the path to the repository to scan on the local filesystem. Example: `--path=/Users/endorlabs/github/myrepo`. |
| `pr` | `ENDOR_SCAN_PR` | Set if this is a PR scan. PR scans are not used for reporting or monitoring and should be treated as a point-in-time policy and finding test. |
| `pr-baseline` | `ENDOR_SCAN_PR_BASELINE` | Set to the git reference that you are merging to, such as your default branch. Action policies will only flag issues that do not exist in the baseline so that developers are only alerted to issues on the current changes. Example: `--pr-baseline=main`. |
| `pre-commit-checks` | `ENDOR_SCAN_PRE_COMMIT_CHECKS` | Perform Git pre-commit checks on the changeset about to be committed. Must be used together with `--secrets`. |
| `quick-scan` | `ENDOR_SCAN_QUICK_SCAN` | Perform a quick scan without call graph generation. |
| `registries` | `ENDOR_SCAN_REGISTRIES` | Registries that must be used in addition to public or namespace registries. Format: `"user:password@ecosystem://registry#priority"`. |
| `repository-http-clone-url` | `ENDOR_SCAN_GITHUB_REPOSITORY_HTTP_CLONE_URL` | Set the GitHub repository http clone URL for `--github` scans. |
| `sarif-file` | `ENDOR_SCAN_SUMMARY_SARIF_FILE` | Set the path to a SARIF file to save the finding result summary to. |
| `secrets` | `ENDOR_SCAN_SECRETS` | Scan source code repository and generate findings for leaked secrets. See also `--git-logs` and `--pre-commit-checks`. |
| `tags` | `ENDOR_SCAN_TAGS` | Specify a list of user-defined tags to add to this scan. Tags can be used to search and filter scans later. |
| `use-bazel` | `ENDOR_SCAN_USE_BAZEL` | Uses Bazel to perform the endorctl scan. |
| `use-local-repo-cache` | `ENDOR_SCAN_USE_LOCAL_CACHE` | Uses the local cache for dependency resolution. |
| `uuid` | `ENDOR_SCAN_UUID` | Scan the specified project uuid. |
| `pnpm` | `ENDOR_PNPM_ENABLED` | Set to true to scan and detect dependencies for JavaScript projects that use PNPM package manager. |
| `phantom-dependencies` | `ENDOR_SCAN_PHANTOM_DEPS` | Set to true to scan and detect dependencies used in source code but not declared in the package’s manifest files. |
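
The flag descriptions above state constraints that are easy to break in a CI job, such as --git-logs and --pre-commit-checks requiring --secrets. The following POSIX shell pre-flight check is an added example, not part of endorctl or its documentation; the function name endor_scan_preflight, the clone-URL check, and the rule that credentials belong in GITHUB_TOKEN or ENDOR_SCAN_REGISTRIES rather than on the command line (where they appear in process listings and CI logs) are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for an `endorctl scan` argument list.
# Returns 0 if the flags are consistent with the flag table, 1 otherwise.
endor_scan_preflight() {
    secrets=0; git_logs=0; pre_commit=0; github=0; clone_url=0
    use_bazel=0; bazel_targets=0; cred_flags=""; rc=0
    for arg in "$@"; do
        case "$arg" in
            --secrets)           secrets=1 ;;
            --git-logs)          git_logs=1 ;;
            --pre-commit-checks) pre_commit=1 ;;
            --github)            github=1 ;;
            --use-bazel)         use_bazel=1 ;;
            --repository-http-clone-url|--repository-http-clone-url=*)
                clone_url=1 ;;
            --bazel-include-targets|--bazel-include-targets=*)
                bazel_targets=1 ;;
            --bazel-targets-query|--bazel-targets-query=*)
                bazel_targets=1 ;;
            --github-token|--github-token=*|--registries|--registries=*)
                # Record only the flag name so the secret is never echoed.
                cred_flags="$cred_flags ${arg%%=*}" ;;
        esac
    done
    complain() { echo "preflight: $1" >&2; rc=1; }
    if [ "$git_logs" = 1 ] && [ "$secrets" = 0 ]; then
        complain "--git-logs must be used together with --secrets"
    fi
    if [ "$pre_commit" = 1 ] && [ "$secrets" = 0 ]; then
        complain "--pre-commit-checks must be used together with --secrets"
    fi
    if [ "$clone_url" = 1 ] && [ "$github" = 0 ]; then
        complain "--repository-http-clone-url only applies to --github scans"
    fi
    if [ "$use_bazel" = 1 ] && [ "$bazel_targets" = 0 ]; then
        complain "--use-bazel needs --bazel-include-targets or --bazel-targets-query"
    fi
    # Wrapper policy (assumption of this example, not an endorctl rule):
    # credentials go in GITHUB_TOKEN / ENDOR_SCAN_REGISTRIES, not in argv.
    if [ -n "$cred_flags" ]; then
        complain "credential passed as a flag:$cred_flags (use the environment variable)"
    fi
    return "$rc"
}

# Constructed argument lists, for demonstration only.
endor_scan_preflight --secrets --git-logs && echo "ok: --secrets --git-logs"
endor_scan_preflight --pr --git-logs 2>/dev/null || echo "rejected: --git-logs without --secrets"
```

In a CI wrapper the check would run on the same argument list that is then handed to endorctl scan, so a rejected combination fails the job before any scan starts.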