Bazel

Learn how to implement Endor Labs in monorepos using Bazel

Bazel is an open-source build and test tool, which is commonly used in monorepos. Bazel is used to quickly build software across multiple languages.

Using Endor Labs, organizations relying on Bazel can:

Scan their software for potential security issues and violations of organizational policy.
Prioritize vulnerabilities in the context of their applications.
Understand the relationships between software components in their applications.

System specifications for deep scan

Before you proceed to run a deep scan, ensure that your system meets the following specification.

Project Size	Processor	Memory
Small projects	4-core processor	16 GB
Mid-size projects	8-core processor	32 GB
Large projects	16-core processor	64 GB

Software prerequisites

Ensure that the following prerequisites are in place for a successful scan.

One or more WORKSPACE files must be present in your repository.
The bazel command must be installed and available on the host system. To install Bazel, see the Bazel documentation.
Bazel versions 5.x.x, 6.x.x, and 7.x.x are supported.

Select and build your Bazel targets

Endor Labs supports scanning targets using the following language-specific Bazel rules:

Bazel Rules for Java support included for 4.1 or higher versions.
- java_library
Bazel Rules for Python support included for 0.9.0 or higher versions.
- py_binary
- py_library
- py_image
  
  py_image is only supported with the PY3 toolchain, for example, py3_image.
Bazel Rules for Golang support included for 0.40.1 or higher versions with Bazel versions 5.x.x, 6.x.x. 0.42.0 or higher versions with Bazel versions 7.x.x.
Bazel Rules for Scala support is available for versions 5.0.0 to 6.6.0, including 5.0.0 and 6.6.0.
- scala_binary
- scala_library
To scan with Endor Labs you’ll need to specify a list of targets to scan or a Bazel query for which all targets matching your query criteria are scanned.
To select your Bazel targets you can search using the Bazel query language for specific targets to scan, or scan all targets that match a given query.

Here are some examples.

To get all targets created with a java_binary build rule you can use the query:

bazel query 'kind(java_binary, //...)'

To get all targets created with a py_binary build rule you can use the query:

bazel query 'kind(py_binary, //...)'

To get all targets created with a go_binary build rule under the golang directory you can use the query:

bazel query 'kind(go_binary, //...)'

To get all targets created with a scala_binary build rule under the scala directory you can use the query:

bazel query 'kind(scala_binary, //...)'

In general, refine your query to select the most important targets in your monorepo and align with your existing build workflows.

You can choose to build the targets before running the scan. Use the bazel build commands to do this by passing a comma-separated list of targets. For example, //:test and //:test2 run bazel build //:test,//:test2. endorctl will attempt a scan if the targets are not built. endorctl uses bazel build //:test and bazel query 'deps( //:test)' --output graph to build your targets.

Run a scan

Use the following options to scan your repositories. Perform a scan after building the projects. See

Once you’ve selected your targets you can define the targets for scanning using one of three command line arguments:

To include or exclude specific targets, you can pass a comma-separated list of targets to --bazel-exclude-targets or --bazel-include-targets.

To scan a specific list of targets, use the command:

endorctl scan --use-bazel --bazel-include-targets=//your-target-name

To scan a list of targets using the Bazel query language, use the following command and replace the following query with your own.

endorctl scan --use-bazel --bazel-targets-query='kind(java_binary, //...)'

If your workspace file is not located at the root of the repository you must define the WORKSPACE file location for the targets you would like to scan.

For example:

endorctl scan --use-bazel --bazel-targets-query='kind(java_binary, //...)' --bazel-workspace-path=./src/java

For Go projects, if you use Bazel with Gazelle in vendored mode, you need to provide the path of your go.mod file in the command option, --bazel-vendor-manifest-path.

For example:

endorctl scan --use-bazel --bazel-include-targets=//your-target-name --bazel-vendor-manifest-path=<path to go.mod>

Option 1 - Quick scan

Perform a quick scan to get quick visibility into your software composition. This scan won’t perform reachability analysis to help you prioritize vulnerabilities.

endorctl scan --use-bazel --bazel-include-targets=//your-target-name --quick-scan

You can perform the scan from within the root directory of the Git project repository, and save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.

endorctl scan --use-bazel --bazel-include-targets=//your-target-name --quick-scan -o json | tee /path/to/results.json

You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.

Option 2 - Deep scan

Use the deep scan to perform dependency resolution, reachability analysis, and generate call graphs. You can do this after you complete the quick scan successfully.

You can run a deep scan with the following commands:

endorctl scan --use-bazel --bazel-include-targets=//your-target-name

Use the following flags to save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.

endorctl scan --use-bazel --bazel-include-targets=//your-target-name -o json | tee /path/to/results.json

When a deep scan is performed all private software dependencies are completely analyzed by default if they have not been previously scanned. This is a one-time operation and will slow down initial scans, but won’t impact subsequent scans.

Organizations might not own some parts of the software internally and findings are actionable by another team. These organizations can choose to disable this analysis using the flag disable-private-package-analysis. By disabling private package analysis, teams can enhance scan performance but may lose insights into how applications interact with first-party libraries.

Use the following command flag to disable private package analysis:

endorctl scan --use-bazel --bazel-include-targets=//your-target-name --disable-private-package-analysis

You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.

Understand the scan process

To understand the scan process for Java projects, see Endor Labs for Java.

To understand the scan process for Python projects, see Endor Labs for Python.

To understand the scan process for Go projects, see Endor Labs for GO.

Known limitations

Scanning Java binaries using Bazel is not supported.

Feedback

Was this page helpful?

Thanks for the feedback. Write to us at support@endor.ai to tell us more.