Use the scan
command to perform scans against a repository.
Usage
To perform a full scan including reachability analysis for the open source software of the packages you build in a repository and monitor the checked out version of your code run the command:
endorctl scan
To scan leaked secrets and monitor all results in the checked out version of your repository:
endorctl scan --secrets
To scan for leaked secrets in all branches of your repository use the command:
endorctl scan --secrets --git-logs
To scan for misconfigurations in a GitHub repository (i.e https://github.com/endorlabs/app-java-demo):
export GITHUB_TOKEN=<insert-your-github-token>
endorctl scan --github --repository-http-clone-url=https://github.com/endorlabs/app-java-demo
To scan for CI/CD tools run the following command:
export GITHUB_TOKEN=<insert-your-github-token-with-read:org-access>
endorctl scan --tools --github
To include GitHub application data you must also set the --github
flag and provide a GitHub token with read:org access.
To run a scan as a test in a pull request without monitoring the version of your code over time run the command:
endorctl scan --pr
To scan and discover GitHub action workflows (Beta) in your CI/CD pipeline run the command:
endorctl scan --ghactions
Along with performing the regular dependency analysis on your repository, it discovers the GitHub actions configured in your CI/CD pipeline and maps them as GitHub action dependencies in your package.
To scan binaries and artifacts run the following command:
endorctl scan --package --path --project-name
You must provide the path of your file using --path
and specify a name for your project using --project-name
.
Options
The command endorctl scan
uses the following flags and environment variables:
Flag | Environment Variable | Description |
---|---|---|
as-default-branch |
ENDOR_SCAN_AS_DEFAULT_BRANCH |
Set this as the default branch. |
bazel-exclude-targets |
ENDOR_SCAN_BAZEL_EXCLUDE_TARGETS |
Set this variable to exclude a list of Bazel targets included in a provided Bazel query. |
bazel-include-targets |
ENDOR_SCAN_AS_INCLUDE_TARGETS |
Set this variable to scan a list of targets using Bazel. Only the specified list of targets are scanned. If you do not specify bazel-include-targets , you must identify targets using bazel-targets-query . If you specify targets, then the results from bazel-targets-query are ignored. |
bazel-targets-query |
ENDOR_SCAN_BAZEL_TARGETS |
Set this variable to query for a list of Bazel targets to include in a scan. |
bazel-workspace-path |
ENDOR_SCAN_BAZEL_WORKSPACE_PATH |
Set this variable to specify the path of the Bazel workspace. |
bazel-vendor-manifest-path |
ENDOR_SCAN_BAZEL_VENDOR_MANIFEST_PATH |
Set this variable to specify the path of the go.mod file if you use Bazel with Gazelle in vendored mode for Go projects. |
build |
ENDOR_SCAN_BUILD |
Enable the scan to build the project if needed. |
call-graph-languages |
ENDOR_SCAN_CALLGRAPH_LANGUAGES |
Set programming languages for call graph generation (go , java , python , rust ) (default value is: [go , java , python , rust ]). |
container |
ENDOR_SCAN_CONTAINER |
Set this to the container image:tag to perform a scan on containers. |
container-as-ref |
ENDOR_SCAN_CONTAINER_AS_REF |
Scan container in a persistent context and keep the version. Use the --project-name argument to specify the name of the project and --path argument to specify its path. |
dependencies |
ENDOR_SCAN_DEPENDENCIES |
Scan Git commits and generate findings for all dependencies. |
detached-ref-name |
ENDOR_SCAN_DETACHED_REF_NAME |
Set the name of the Git reference to a user-provided name. Example: --detached-ref-name="$CI_DEFAULT_BRANCH" . Use with CI environments that checkout commits, such as GitLab. |
disable-private-package-analysis |
ENDOR_SCAN_DISABLE_PRIVATE_PACKAGE_ANALYSIS |
Disable the call graph analysis of private dependencies that are not part of the repository. |
droid-gpt |
ENDOR_SCAN_DROID_GPT |
Use DroidGPT to interpret build errors and generate remediation advice. |
exclude-path |
ENDOR_SCAN_EXCLUDE_PATH |
Specify one or more file paths or directories to exclude from the scan using Glob style expressions. For example, --exclude-path="src/java/**" will exclude all files under src/java , including any sub-directories, while --exclude-path="src/java/*" will only exclude the files directly under src/java . Paths must be relative to the root of the repository. Use quotes to ensure that your shell does not expand wild cards. |
exit-on-policy-warning |
ENDOR_SCAN_EXIT_ON_POLICY_WARNING |
Return a non-zero exit code if there are policy violation warnings. |
ghactions |
ENDOR_SCAN_GHACTIONS |
Scan and discover GitHub action workflows in your CI/CD pipeline. |
git-logs |
ENDOR_SCAN_GIT_LOGS |
Audit the historical Git logs of the repository for all branches in the repository. Must be used together with --secrets . |
github-api-url |
GITHUB_API_URL |
Set the GitHub API URL used for API requests to Github Enterprise Cloud or GitHub Enterprise Server. This flag must be used for self-hosted source control systems such as GitHub Enterprise Server. (default https://api.github.com/ ) |
github-ca-path |
GITHUB_CA_PATH |
Set the path to the CA certificate used by GitHub Enterprise Server if it is untrusted by your system. |
github-token |
GITHUB_TOKEN |
Set the GitHub token used to authenticate with GitHub. |
github |
ENDOR_SCAN_GITHUB |
Fetch information from GitHub and generate findings for any GitHub misconfigurations (see also RSPM policies). |
include-path |
ENDOR_SCAN_INCLUDE_PATH |
Limit the scan to the specified file paths or directories using Glob style expressions. For example, --include-path="src/java/**" will scan all the files under src/java , including any sub-directories, while --include-path="src/java/*" will only include the files directly under src/java . Paths must be relative to the root of the repository. Use quotes to ensure that your shell does not expand wild cards. |
languages |
ENDOR_SCAN_LANGUAGES |
Set programming languages to scan. Used to limit scan to specific languages. |
output-type |
ENDOR_SCAN_SUMMARY_OUTPUT_TYPE |
Set output format (json, yaml, table, or summary). Use summary to only display policy violations and not all findings. (default table ) |
package |
ENDOR_SCAN_PACKAGE |
Scan binaries and artifacts. You must provide the path of your file using --path and specify a name for your project using --project-name parameters. |
path |
ENDOR_SCAN_PATH |
Set the path to the repository to scan on the local filesystem. Example: --path=/Users/endorlabs/github/myrepo . |
pnpm |
ENDOR_PNPM_ENABLED |
Set to true to scan and detect dependencies for JavaScript projects that use PNPM package manager. |
pr-baseline |
ENDOR_SCAN_PR_BASELINE |
Set to the Git reference that you are merging to, such as your default branch. Action policies will only flag issues that do not exist in the baseline so that developers are only alerted to issues on the current changes. Example: --pr-baseline=main . |
pr-incremental |
ENDOR_SCAN_PR_INCREMENTAL |
Only scan packages with dependencies that have changed compared to the baseline scan. Must be set together with --pr-baseline or --enable-pr-comments . |
pr |
ENDOR_SCAN_PR |
Set if this is a PR scan. PR scans are not used for reporting or monitoring and should be treated as point in time policy and finding test. |
pre-commit-checks |
ENDOR_SCAN_PRE_COMMIT_CHECKS |
Perform Git pre-commit checks on the changeset about to be committed. Must be used together with --secrets . |
project-name |
ENDOR_SCAN_PROJECT_NAME |
Give a name for the project while scanning binaries and artifacts. It is used with the --package parameter. |
quick-scan |
ENDOR_SCAN_QUICK_SCAN |
Perform a quick scan without call graph generation. |
registries |
ENDOR_SCAN_REGISTRIES |
Registries that must be used in addition to public or namespace registries. Format:\"user:password@ecosystem://registry#priority\" . |
repository-http-clone-url |
ENDOR_SCAN_GITHUB_REPOSITORY_HTTP_CLONE_URL |
Set the GitHub repository HTTP clone URL for --github scans. |
sarif-file |
ENDOR_SCAN_SUMMARY_SARIF_FILE |
Set the path to a SARIF file to save the finding result summary to. |
secrets |
ENDOR_SCAN_SECRETS |
Scan source code repository and generate findings for leaked secrets. See also --git-logs and --pre-commit-checks . |
tags |
ENDOR_SCAN_TAGS |
Specify a list of user-defined tags to add to this scan. Tags can be used to search and filter scans later. |
tools |
ENDOR_SCAN_TOOLS |
Scan source code repository for CI/CD tools. To include GitHub application data you must also set the --github flag and provide a GitHub token with read:org access. |
use-bazel |
ENDOR_SCAN_USE_BAZEL |
Uses Bazel to perform the endorctl scan. |
use-local-repo-cache |
ENDOR_SCAN_USE_LOCAL_CACHE |
Uses the local cache for dependency resolution. * Make sure that mvn install -U is successful and include mvn dependency and mvn help plugins in the local m2 cache. For Gradle complete gradle assemble --refresh-dependencies . |
uuid |
ENDOR_SCAN_UUID |
Scan the specified project UUID. |
install-build-tools |
ENDOR_SCAN_INSTALL_BUILD_TOOLS |
Install build tools in a runtime sandbox. |