Perform incremental scans

Scan the portions of code that have changed since the last full scan.

Perform incremental scans to scan only the parts of a codebase that have changed since the last complete scan, rather than scanning the entire codebase every time. This is faster and more efficient, especially for large projects, because the scan focuses on new or modified code, which is where new vulnerabilities or issues are most likely to be introduced.

How incremental scans work

To use incremental scans, first perform a complete scan to establish a baseline. Once the baseline exists, incremental scans are compared against it. The first scanned branch is treated as the baseline, and that branch is continuously monitored. See set a default branch.

Ensure the baseline scan is successful and error-free. A successful complete scan will resolve dependencies, run analytics, and generate call graphs for supported languages.

During an incremental scan, Endor Labs first identifies the packages and their dependencies within a project. If a package and its dependencies are unchanged, the rest of the scanning process is skipped for that package, and the message "No changes found in package" is displayed along with the package name. If changes are detected in a package or its dependencies, the scan proceeds for the modified packages only, and results are reported for those packages.

Incremental scanning is not performed if errors occur while resolving dependencies, if the project's path has changed, or if there are failures within the project's packages. In these cases, the system automatically falls back to a complete scan.
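The following is an added illustration, not Endor Labs code, of the decision logic described above: a complete scan records a fingerprint for each package and its resolved dependencies, and a later run compares each package against that baseline, skipping unchanged packages and falling back to a complete scan when the project path has changed or dependency resolution failed. The package names, dependency versions and the fingerprint scheme (a SHA-256 over the package's name, path and sorted dependency set) are constructed for the example and are not the scanner's own format.

```python
"""Toy model of incremental-scan change detection (added example, not endorctl code)."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Package:
    name: str
    path: str                                   # project-relative package path
    dependencies: dict = field(default_factory=dict)  # name -> resolved version
    resolution_error: Optional[str] = None      # set when dependency resolution failed


def fingerprint(pkg: Package) -> str:
    """Stable digest of a package plus its resolved dependency set (assumed scheme)."""
    material = json.dumps(
        {"name": pkg.name, "path": pkg.path, "deps": sorted(pkg.dependencies.items())},
        sort_keys=True,
    ).encode()
    return hashlib.sha256(material).hexdigest()


def baseline_from(project_path: str, packages: list) -> dict:
    """What a successful complete scan leaves behind: one fingerprint per package."""
    return {
        "project_path": project_path,
        "packages": {p.name: fingerprint(p) for p in packages},
    }


def plan_scan(baseline: dict, project_path: str, packages: list) -> dict:
    """Decide between a complete scan and an incremental one.

    Returns a dict with "mode" ("complete" or "incremental"), a "reason",
    the packages to "scan", and the packages "skipped" as unchanged.
    """
    everything = [p.name for p in packages]
    # Fallback 1: the project path changed, so the baseline no longer applies.
    if baseline["project_path"] != project_path:
        return {"mode": "complete", "reason": "project path changed",
                "scan": everything, "skipped": []}
    # Fallback 2: dependency resolution failed for at least one package.
    failed = [p.name for p in packages if p.resolution_error]
    if failed:
        return {"mode": "complete", "reason": "dependency resolution failed: " + ", ".join(failed),
                "scan": everything, "skipped": []}
    # Otherwise compare each package against the baseline fingerprint.
    scan, skipped = [], []
    for p in packages:
        if baseline["packages"].get(p.name) == fingerprint(p):
            skipped.append(p.name)   # reported as "No changes found in package <name>"
        else:
            scan.append(p.name)      # new package, or changed dependencies
    return {"mode": "incremental", "reason": "baseline matched", "scan": scan, "skipped": skipped}


# Constructed sample data: the baseline scan saw two packages ...
BASELINE_PACKAGES = [
    Package("api", "services/api", {"fastapi": "0.110.0", "pydantic": "2.6.0"}),
    Package("web", "apps/web", {"react": "18.2.0"}),
]
BASELINE = baseline_from("/repo", BASELINE_PACKAGES)

# ... and the current branch leaves "api" untouched, bumps a dependency in
# "web", and adds a new "worker" package.
CURRENT_PACKAGES = [
    Package("api", "services/api", {"fastapi": "0.110.0", "pydantic": "2.6.0"}),
    Package("web", "apps/web", {"react": "18.3.1"}),
    Package("worker", "services/worker", {"celery": "5.3.6"}),
]


def demo_incremental() -> dict:
    return plan_scan(BASELINE, "/repo", CURRENT_PACKAGES)


def demo_path_changed() -> dict:
    return plan_scan(BASELINE, "/repo-moved", CURRENT_PACKAGES)


def demo_resolution_failure() -> dict:
    broken = CURRENT_PACKAGES + [Package("legacy", "legacy", {}, resolution_error="lockfile missing")]
    return plan_scan(BASELINE, "/repo", broken)


if __name__ == "__main__":
    for plan in (demo_incremental(), demo_path_changed(), demo_resolution_failure()):
        for name in plan["skipped"]:
            print(f"No changes found in package {name}")
        print(f"{plan['mode']} scan ({plan['reason']}): {plan['scan']}")
```

The point of the model is the order of the checks: the fallbacks to a complete scan are evaluated before any per-package comparison, which is why a single resolution error or a moved project directory discards the incremental optimisation entirely rather than just for the affected package.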

Run an incremental scan

  1. First, perform a complete scan to establish the baseline.

     endorctl scan

  2. Use the --pr-incremental argument to perform an incremental scan, which detects and scans only the dependencies that have changed since the baseline scan. This scan generates call graphs only for the modified packages. See endorctl scan command arguments.

     endorctl scan --pr --pr-baseline=main --pr-incremental