Set up AI security review with endorctl

Use endorctl to run AI security review with GitHub environment variables.

You can use AI security review with endorctl and GitHub environment variables without requiring the GitHub App. This approach allows you to integrate AI security review into your local development workflows. You can use this approach only if you have GitHub as your source control management system.

Setting up AI security review with endorctl has four parts: verify the prerequisites, enable code segment embeddings and LLM processing, verify your license, and then configure the environment variables and run the pull request scan.

Ensure that the following prerequisites are met before using AI security review with endorctl:

  • An active Endor Labs subscription with an Endor Code Pro license.
  • Access to configure scan profiles and policies.
  • Code Segment Embeddings and LLM Processing enabled in the Data Privacy settings.
  • A GitHub token with access to the repository you want to scan (used as GITHUB_TOKEN in the steps that follow).

Perform the following steps to enable code segment embeddings and LLM processing:

  1. Select Manage > Settings from the left sidebar.

  2. Select SYSTEM SETTINGS > Data Privacy.

  3. Select Code Segment Embeddings and LLM Processing.

  4. Click Save Data Privacy Settings.

Perform the following steps to verify your license and feature access:

  1. Select Settings > License from the left sidebar.
  2. Verify that you have Security Review in Products and Features.

Configure the following environment variables for GitHub integration:

# Required: GitHub token with repo access
export GITHUB_TOKEN=<your-github-token>

# Required: Endor Labs authentication
export ENDOR_API_CREDENTIALS_KEY=<your-api-key>
export ENDOR_API_CREDENTIALS_SECRET=<your-api-secret>
export ENDOR_NAMESPACE=<your-namespace>

To run an AI security review on a pull request, run endorctl scan with the flags shown in the following command. The namespace, credentials, and GitHub token come from the environment variables configured above; the pull request number is the one you want to scan.

endorctl scan \
  -n <namespace> \
  --pr \
  --security-review \
  --github-pr-id <PR_NUMBER> \
  --github-token $GITHUB_TOKEN \
  --enable-pr-comments

The following table describes the flags used in the command.

Flag | Mandatory | Description
-n <namespace> | No | Your Endor Labs namespace. If you do not specify a namespace, the command uses the default namespace.
--pr | Yes | Indicates that this is a pull request scan.
--security-review | Yes | Enables AI security review.
--github-pr-id <PR_NUMBER> | Yes | The GitHub pull request number that you want to scan.
--github-token $GITHUB_TOKEN | Only if GITHUB_TOKEN is not set | GitHub token for authentication. You need to specify this flag only if you did not set the GITHUB_TOKEN environment variable.
--enable-pr-comments | No | Posts the AI security review findings as comments on the GitHub pull request. To use this flag, you must also enable the action policy for pull request comments.
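The following wrapper script is an added example, not part of the Endor Labs documentation or tooling. It wraps the scan command above so that it fails early when one of the required environment variables is missing, derives the pull request number from GITHUB_REF when it runs inside a GitHub Actions job, and passes the token through the GITHUB_TOKEN environment variable rather than on the command line, so the secret never appears in process listings or job logs. The GITHUB_REF format (refs/pull/<n>/merge), the PR_NUMBER and ENABLE_PR_COMMENTS overrides, the ENDORCTL binary override, and the RUN_SCAN toggle that keeps the script from invoking endorctl until you ask it to are all assumptions of this example, not flags or variables documented on this page.

```shell
#!/bin/sh
# Added example (not Endor Labs' own tooling): guard rails around the
# "endorctl scan --pr --security-review" command for GitHub pull requests.
# Assumptions (not from the page): GITHUB_REF looks like refs/pull/<n>/merge
# in a GitHub Actions job; PR_NUMBER, ENABLE_PR_COMMENTS, ENDORCTL and RUN_SCAN
# are overrides introduced here for illustration.

# Fail with a message if the named environment variable is unset or empty.
require_env() {
  eval "val=\${$1:-}"
  if [ -z "$val" ]; then
    echo "error: $1 is not set" >&2
    return 1
  fi
}

# Extract the pull request number from a GitHub Actions ref such as
# refs/pull/123/merge or refs/pull/123/head. Non-zero for anything else,
# including refs that carry something other than digits in the number slot.
pr_number_from_ref() {
  case "$1" in
    refs/pull/*/merge|refs/pull/*/head)
      n=${1#refs/pull/}
      n=${n%%/*}
      case "$n" in
        ''|*[!0-9]*) return 1 ;;
      esac
      printf '%s\n' "$n"
      ;;
    *) return 1 ;;
  esac
}

# Print the endorctl arguments for a PR scan with AI security review.
# $1 = namespace, $2 = PR number, $3 = "1" to also post PR comments.
# The GitHub token is deliberately left out: endorctl reads GITHUB_TOKEN
# from the environment, so it does not need to appear in argv.
scan_args() {
  printf '%s' "scan -n $1 --pr --security-review --github-pr-id $2"
  [ "$3" = "1" ] && printf ' --enable-pr-comments'
  printf '\n'
}

# Validate the environment, work out the PR number, and run the scan.
run_scan() {
  for v in ENDOR_API_CREDENTIALS_KEY ENDOR_API_CREDENTIALS_SECRET ENDOR_NAMESPACE GITHUB_TOKEN; do
    require_env "$v" || return 1
  done
  if [ -n "${PR_NUMBER:-}" ]; then
    pr=$PR_NUMBER
  elif ! pr=$(pr_number_from_ref "${GITHUB_REF:-}"); then
    echo "error: cannot determine the PR number; set PR_NUMBER or run on a refs/pull/<n>/merge ref" >&2
    return 1
  fi
  # Word-splitting of the printed arguments is intentional here.
  set -- $(scan_args "$ENDOR_NAMESPACE" "$pr" "${ENABLE_PR_COMMENTS:-0}")
  echo "running: endorctl $*" >&2
  "${ENDORCTL:-endorctl}" "$@"
}

# Only invoke endorctl when explicitly asked, so sourcing this file is safe.
if [ "${RUN_SCAN:-0}" = "1" ]; then
  run_scan
fi
```

In a GitHub Actions job, export the four variables from repository secrets, set RUN_SCAN=1, and the script resolves the pull request number from GITHUB_REF on its own; on a developer machine, set PR_NUMBER to the pull request you want to review instead. Because the token is read from the environment, the "running:" line the script logs is safe to keep in job output.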