Endor Labs for Bazel

Learn how to implement Endor Labs in monorepos using Bazel

Bazel is an open-source build and test tool, which is commonly used in monorepos. Bazel is used to quickly build software across multiple languages.

Using Endor Labs, organizations relying heavily on Bazel can:

  • Test their software for potential issues and violations of organizational policy
  • Prioritize vulnerabilities in the context of their applications
  • Understand the relationships between software components in their applications

Scan your Bazel projects

To successfully scan using Bazel:

Install software prerequisites

The following prerequisites must be fulfilled:

  • One or more WORKSPACE files must be present in your repository.
  • The bazel command must be installed and available on the host system. To install Bazel, see the Bazel documentation.
  • When performing deep scans, make sure that the host meets the following minimum system requirements:
    • 4-core processor with 16 GB RAM for small projects
    • 8-core processor with 32 GB RAM for mid-size projects
    • 16-core processor with 64 GB RAM for large projects
  • Bazel versions 5.x.x and 6.x.x are supported.

Select and build your Bazel targets

Endor Labs supports scanning targets using the following language-specific Bazel rules:

Here are some examples.

  • To get all targets created with a java_binary build rule you can use the query:

bazel query 'kind(java_binary, //...)'

  • To get all targets created with a py_binary build rule you can use the query:

bazel query 'kind(py_binary, //...)'

  • To get all targets created with a go_binary build rule under the golang directory you can use the query:

bazel query 'kind(go_binary, //golang/...)'

In general, refine your query to select the most important targets in your monorepo and align with your existing build workflows.

You can choose to build the targets before running the scan. To do this, run bazel build with a comma-separated list of targets; for example, for //:test and //:test2, run bazel build //:test,//:test2. endorctl still attempts a scan if the targets are not built: it uses bazel build //:test and bazel query 'deps(//:test)' --output graph to build your targets.

Run a scan

Use the following options to scan your repositories. Perform a scan after building the projects. See

Once you have selected your targets, you can specify them for scanning using one of three command-line arguments:

To include or exclude specific targets, pass a comma-separated list of targets to --bazel-include-targets or --bazel-exclude-targets.

To scan a specific list of targets, use the command:

endorctl scan --use-bazel --bazel-include-targets=//your-target-name

To scan a list of targets selected with the Bazel query language, use the following command, replacing the query with your own:

endorctl scan --use-bazel --bazel-targets-query='kind(java_binary, //...)'

Finally, if your WORKSPACE file is not located at the root of the repository, you must pass its location with --bazel-workspace-path for the targets you would like to scan. For example:

endorctl scan --use-bazel --bazel-targets-query='kind(java_binary, //...)' --bazel-workspace-path=./src/java

Option 1 - Quick scan

Perform a quick scan to get fast visibility into your software composition. A quick scan does not perform reachability analysis, so it does not help you prioritize vulnerabilities by reachability.

endorctl scan --use-bazel --bazel-include-targets=//your-target-name --quick-scan

You can run the scan from the root directory of the git repository and save the local results to a results.json file. The results and related analysis information are also available in the Endor Labs user interface.

endorctl scan --use-bazel --bazel-include-targets=//your-target-name --quick-scan -o json | tee /path/to/results.json

You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.

Option 2 - Deep scan

Use a deep scan to perform dependency resolution and reachability analysis and to generate call graphs. Run it after the quick scan has completed successfully.

You can run a deep scan with the following command:

endorctl scan --use-bazel --bazel-include-targets=//your-target-name

Use the following flags to save the local results to a results.json file. The results and related analysis information are also available in the Endor Labs user interface.

endorctl scan --use-bazel --bazel-include-targets=//your-target-name -o json | tee /path/to/results.json

When a deep scan is performed, all private software dependencies that have not been previously scanned are fully analyzed by default. This is a one-time operation that slows down the initial scan but does not affect subsequent scans.

An organization might not own some parts of its software internally, so that findings in those parts are actionable only by another team. In that case you can disable this analysis with the --disable-private-package-analysis flag. Disabling private package analysis improves scan performance, but you may lose insight into how your applications interact with first-party libraries.

Use the following command flag to disable private package analysis:

endorctl scan --use-bazel --bazel-include-targets=//your-target-name --disable-private-package-analysis

You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.
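As an added example (not part of the Endor Labs documentation), the following POSIX shell helper joins the output of a bazel query into the comma-separated list that --bazel-include-targets expects, checks the WORKSPACE prerequisite, and composes the quick or deep scan command described above. The sample query output, the helper names and the "no-private" switch are constructed for this example; a live run assumes bazel and endorctl are on PATH.

```shell
#!/bin/sh
# Added example, not from the Endor Labs docs: turn `bazel query` output into
# the comma-separated target list used by --bazel-include-targets, check the
# WORKSPACE prerequisite, and compose the endorctl quick or deep scan command.

# Constructed sample of what `bazel query 'kind(java_binary, //...)'` prints.
SAMPLE_QUERY_OUTPUT='//services/api:server
//tools/cli:cli
'

# Join newline-separated labels into the comma-separated form used by
# --bazel-include-targets (blank lines from the query output are dropped).
targets_to_csv() {
  printf '%s\n' "$1" | grep -v '^$' | paste -s -d ',' -
}

# Compose the scan command.
#   $1 workspace dir: must hold a WORKSPACE (or WORKSPACE.bazel) file
#   $2 comma-separated target list
#   $3 "quick" (no reachability analysis) or "deep"
#   $4 optional "no-private" to skip analysis of private dependencies
scan_cmd() {
  ws="$1"; targets="$2"; mode="$3"; private="${4:-}"
  if [ ! -f "$ws/WORKSPACE" ] && [ ! -f "$ws/WORKSPACE.bazel" ]; then
    echo "scan_cmd: no WORKSPACE file in $ws" >&2
    return 1
  fi
  [ -n "$targets" ] || { echo "scan_cmd: empty target list" >&2; return 1; }
  cmd="endorctl scan --use-bazel --bazel-include-targets=$targets"
  # The workspace path is only needed when WORKSPACE is not at the repo root.
  [ "$ws" = "." ] || cmd="$cmd --bazel-workspace-path=$ws"
  case "$mode" in
    quick) cmd="$cmd --quick-scan" ;;
    deep)  ;;
    *) echo "scan_cmd: mode must be quick or deep" >&2; return 1 ;;
  esac
  [ "$private" = "no-private" ] && cmd="$cmd --disable-private-package-analysis"
  printf '%s\n' "$cmd"
}

# Live usage (replace the constructed sample with a real query):
#   targets=$(targets_to_csv "$(bazel query 'kind(java_binary, //...)')")
#   $(scan_cmd . "$targets" deep) -o json | tee results.json
```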

Understand the scan process

To understand the scan process for Java projects, see Endor Labs for Java.

To understand the scan process for Python projects, see Endor Labs for Python.

To understand the scan process for Go projects, see Endor Labs for Go.

Known limitations

  • Scanning Java binaries using Bazel is not supported.