Pull requests remediation in GitHub

Learn how to configure PR remediation in a GitHub environment to address issues in your code repository.

You can set up PR remediation in your GitHub environment if you use the Endor Labs GitHub App (Pro). When PR remediation is set up, Endor Labs creates a PR to update the manifest files with dependency version upgrades, based on a remediation policy, to address vulnerability findings.

Your tenant must have the upgrades and remediation feature enabled for automated PRs to function.

Complete the following tasks to set up automated PRs.

  1. Install or migrate to GitHub App (Pro) and enable the SCA scanner.

  2. Create a GitHub PR for remediations notification integration.

  3. Create a remediation policy with the notification integration that you created in the previous step.

    The following image shows an example of a remediation policy that targets projects with the tag java and automatically raises a PR when remediation is found for reachable dependencies that resolve critical and high issues with low upgrade risk.

    [Image: Remediation Policy 1]

Understanding PR remediation

If, in the next scan, Endor Labs identifies fixes that address vulnerability findings according to the remediation policy, it creates a pull request in GitHub with the details of the patch. You can merge the PR after review to fix the vulnerability findings.

Endor Labs updates the PR if the recommendation changes in the upgrade impact analysis. If there are any changes in the vulnerability findings, Endor Labs updates the PR description. If a new patch version is available, Endor Labs closes the existing PR with a comment and opens a new PR. If you resolve the notification in Endor Labs, the PR is closed with a comment.

Endor Labs stops updating the PR if you:

  • Add a commit to the PR
  • Close the PR
  • Delete the PR branch
  • Dismiss the notification in Endor Labs

Limitations of PR remediation

Currently, automated PRs have the following limitations:

  • Only Java (with Gradle or Maven), Go (version 1.18 and above), and JavaScript are supported.
  • Maven projects that use dependencyManagement tags, where the dependency information is only available in the parent POM file, are not supported.
  • Gradle projects with convention files (Groovy files with the .gradle extension, under any name) are not supported.
  • Gradle projects with resource catalogues (versions defined in .toml files) are not supported.
  • Go projects that use the replace directive in go.mod are not supported. replace directives are commonly used for local development, debugging, or patching dependencies.
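Before enabling a remediation policy, it helps to know which repositories will be skipped. The script below is an added example, not Endor Labs code, that scans a repository's manifests for the limitations listed above; the file-name conventions it uses for Gradle convention scripts and version catalogs are assumptions, and the sample repository is constructed.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

def go_version_too_old(text):
    """True if go.mod declares a Go version below 1.18."""
    m = re.search(r"^go\s+(\d+)\.(\d+)", text, re.MULTILINE)
    return m is not None and (int(m.group(1)), int(m.group(2))) < (1, 18)

def go_uses_replace(text):
    """Matches a one-line 'replace a => b' directive or the start of a 'replace (' block."""
    return re.search(r"^\s*replace\b", text, re.MULTILINE) is not None

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any

def pom_versions_from_parent(text):
    """True if a pom.xml has a <parent> and lists a dependency with no <version>,
    i.e. the version is resolved from the parent's dependencyManagement."""
    root = ET.fromstring(text)
    if not any(_local(e.tag) == "parent" for e in root):
        return False
    return any(_local(d.tag) == "dependency" and not any(_local(c.tag) == "version" for c in d)
               for d in root.iter())

def check_limitations(files):
    """files maps repo-relative path -> manifest text; returns one message per hit."""
    hits = []
    for path, text in files.items():
        name = PurePosixPath(path).name
        if name == "go.mod":
            if go_version_too_old(text):
                hits.append(f"{path}: Go version below 1.18")
            if go_uses_replace(text):
                hits.append(f"{path}: replace directive in go.mod")
        elif name == "pom.xml" and pom_versions_from_parent(text):
            hits.append(f"{path}: dependency version only in parent POM")
        elif name.endswith(".versions.toml"):  # assumed catalog naming convention
            hits.append(f"{path}: Gradle version catalog (.toml)")
        elif name.endswith(".gradle") and name not in ("build.gradle", "settings.gradle"):
            hits.append(f"{path}: Gradle convention script")  # assumed convention
    return hits

# Constructed sample repository (not a real project); every file but web/build.gradle trips a limitation.
SAMPLE_REPO = {
    "go.mod": "module example.com/app\n\ngo 1.21\n\nrequire github.com/x/y v1.2.3\n\nreplace github.com/x/y => ../y\n",
    "service/pom.xml": "<project><parent><artifactId>root</artifactId></parent>"
                       "<dependencies><dependency><groupId>g</groupId><artifactId>a</artifactId></dependency></dependencies></project>",
    "gradle/libs.versions.toml": '[versions]\nguava = "32.1.2-jre"\n',
    "buildSrc/src/main/groovy/java-conventions.gradle": "plugins { id 'java' }\n",
    "web/build.gradle": "dependencies { implementation 'com.google.guava:guava:32.1.2-jre' }\n",
}

if __name__ == "__main__":
    for hit in check_limitations(SAMPLE_REPO):
        print(hit)
```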

Create a GitHub PR for remediations notification integration

The remediation notification integration allows Endor Labs to receive notifications from GitHub about pull requests. The notification alerts the GitHub App to perform PR remediation.

  1. Sign in to Endor Labs and select Integrations from the left sidebar.

  2. Under Notifications, click Add for GitHub PR for Remediations.

  3. Click Add Notification Integration.
  4. Enter a name and description for this integration.

  5. Select Enable GitHub PR Notification Integration for Remediations.

  6. Optionally, select Propagate this notification target to all child namespaces so that the notification integration applies to all child namespaces.

  7. Click Add Notification Integration.