Enable auto detection

Learn how to automatically detect toolchains used in your repository.

The system can automatically detect toolchains required for your projects based on the manifest files present in your repository. Auto detection is supported for Java, Python, Golang and .NET(C#) projects. Only the Long Term Support (LTS) versions of the toolchains are supported in auto detection. See the Toolchain support matrix for a complete list of supported toolchain versions for auto detection.

Endor Labs begins auto detection by scanning your project repository to locate manifest files and identify the languages used in your project. Based on the results, it runs language specific detectors to extract version information. Each detector operates independently and follows a consistent process. It reviews the associated manifest or build configuration files to determine the toolchain version. If a file contains multiple version fields, the detector uses a fixed priority order to select the most appropriate one.

After identifying a version, the detector sends the version details to the assigner. The assigner checks the Endor Labs toolchain support matrix to verify if the version is supported for the host operating system and architecture. If it doesn’t find an exact match, it selects the closest supported version based on the major version number. This version will be the toolchain used for your project scan.

For example, when analyzing Java projects, the Java detector checks manifest files like pom.xml or build.gradle to find the Java version used in the project.

flowchart TD
  subgraph C["Detectors find versions of detected languages"]
    L1["language 1 detector"]
    Lang["..."]
    L2["language n detector"]
  end
  A(["Scan Repository"])
  B["Detect Languages"]
  D["Assigners"]
  F{"Exact match"}
  G(["Select closest supported version by matching major version"])
  H(["Select exact supported version"])
  I["Yes"]
  J["No"]
  K["Match version with Endor Labs suported versions"]

  A --> B --> C --> D --> K --> F
  F --> I --> H
  F --> J --> G

  %% Force black border on subgraph
  classDef subgraphStyle stroke:#000000,stroke-width:1px,fill:#00F078;
  class C subgraphStyle
  classDef JavaStyle fill:#D3D3D3;
  class L1,L2,Lang JavaStyle
  classDef blueText fill:#3FE1F3,stroke:#000000,color:#000000;
  class I,J,K blueText

  %% NEW: Bigger node style and class
  classDef largeNode fill:#00F078,stroke:#000000,color:#000000;
  class A,B,D,E largeNode

  %% Optional: force large box padding via dummy <br> line
  style C width:520px

The following table lists the manifest files Endor Labs scans to detect the language and version used in your project.

Language Build Tool Manifest File
Java Maven pom.xml
Java Gradle build.gradle, gradle-wrapper.properties
.NET global.json, *.csproj
Golang go.mod
Python setup.py, .python-version, pyproject.toml
NodeJS package.json, .nvmrc, .node-version
Yarn package.json, .yarnrc.yml, yarnrc
pnpm package.json

To enable auto detection from the CLI,

endorctl scan --install-build-tools --enable-build-tools-version-detection

When using the GitHub App, you can enable auto detection either by a project or enable it for all projects in a tenant.

  • To enable the auto detection by a project, update the project’s meta.annotations with "ENDOR_SCAN_ENABLE_BUILD_TOOLS_VERSION_DETECTION":"true".
meta:
  annotations: {"ENDOR_SCAN_ENABLE_BUILD_TOOLS_VERSION_DETECTION":"true"}

  endorctl api update -r Project --uuid=<project-uuid> -i
  • To enable auto detection across all projects in a tenant, update the system config’s meta.annotations with "ENDOR_SCAN_ENABLE_BUILD_TOOLS_VERSION_DETECTION":"true".
 meta:
   annotations: {"ENDOR_SCAN_ENABLE_BUILD_TOOLS_VERSION_DETECTION":"true"}

 endorctl api update -r SystemConfig --uuid=<system-config-uuid> -i

The updates are applied during the next scheduled scan or whenever you perform a manual re-scan.