> ## Documentation Index > Fetch the complete documentation index at: https://docs.endorlabs.com/llms.txt > Use this file to discover all available pages before exploring further. # Best practices: Working with dependency filters > Learn how to implement and use dependency filters to search, prioritize, and manage dependencies across your organization. export const YamlTable = ({children, data: propData, content}) => { const KV_RE = /^([A-Za-z][A-Za-z0-9_()/#\s-]+?):\s*(.+)$/; const INLINE_MD_RE = /(\[([^\]]+)\]$([^)]+)$)|(`([^`]+)`)|(\*\*([^*]+)\*\*)|(\*([^*]+)\*)/g; const YES_RE = /^-yes-$/i; const NO_RE = /^-no-$/i; const LIMITED_RE = /^-(limited|partial)-$/i; const NA_RE = /^-(na|none)-$/i; const NA2_RE = /^-na2-$/i; const SIMPLE_TAG_RE = /()|()|(-note-)|(-warning-)/gi; const tryParseKV = trimmed => { const m = KV_RE.exec(trimmed); return m ? { key: m[1], value: m[2].trim() } : null; }; const registerKey = (key, seenKeys, orderedKeys) => { if (!seenKeys.has(key)) { orderedKeys.push(key); seenKeys.add(key); } }; const flushEntry = (currentEntry, entries) => { if (Object.keys(currentEntry).length > 0) entries.push(currentEntry); }; const parseDashPrefixed = (lines, entries, orderedKeys, seenKeys) => { let currentEntry = {}; let inEntry = false; for (const line of lines) { const trimmed = line.trim(); if (trimmed.startsWith('- ')) { if (inEntry) entries.push(currentEntry); currentEntry = {}; inEntry = true; const kv = tryParseKV(trimmed.substring(2).trim()); if (kv) { registerKey(kv.key, seenKeys, orderedKeys); currentEntry[kv.key] = kv.value; } } else if (inEntry && trimmed !== '') { const kv = tryParseKV(trimmed); if (kv) { registerKey(kv.key, seenKeys, orderedKeys); currentEntry[kv.key] = kv.value; } } } flushEntry(currentEntry, entries); }; const parseBlankSeparated = (lines, entries, orderedKeys, seenKeys) => { let currentEntry = {}; let inEntry = false; for (const line of lines) { const trimmed = line.trim(); if (trimmed === '') { if (inEntry) { flushEntry(currentEntry, entries); currentEntry = {}; inEntry = false; } continue; } const kv = tryParseKV(trimmed); if (!kv) continue; const isNewEntry = !line.startsWith(' ') && !line.startsWith('\t'); if (isNewEntry && inEntry && Object.keys(currentEntry).length > 0) { entries.push(currentEntry); currentEntry = {}; } registerKey(kv.key, seenKeys, orderedKeys); currentEntry[kv.key] = kv.value; inEntry = true; } flushEntry(currentEntry, entries); }; const normalizeEntries = (entries, orderedKeys) => entries.map(entry => { const filled = {}; for (const key of orderedKeys) filled[key] = entry[key] || ''; return filled; }); const parseYamlTableContent = contentStr => { if (!contentStr) return []; const entries = []; const orderedKeys = []; const seenKeys = new Set(); const lines = contentStr.split('\n'); if (lines.some(line => line.trim().startsWith('- '))) { parseDashPrefixed(lines, entries, orderedKeys, seenKeys); } else { parseBlankSeparated(lines, entries, orderedKeys, seenKeys); } return normalizeEntries(entries, orderedKeys); }; const processText = text => { if (!text) return text; const parts = []; let keyIndex = 0; let lastIndex = 0; let match; while ((match = INLINE_MD_RE.exec(text)) !== null) { if (match.index > lastIndex) parts.push(text.slice(lastIndex, match.index)); if (match[1]) { parts.push({match[2]}); } else if (match[4]) { parts.push({match[5]}); } else if (match[6]) { parts.push({match[7]}); } else if (match[8]) { parts.push({match[9]}); } lastIndex = match.index + match[0].length; } if (lastIndex < text.length) parts.push(text.slice(lastIndex)); if (parts.length === 0) return text; const keyRef = { current: keyIndex }; return expandHtmlTags(parts, keyRef); }; const processBadges = text => { if (!text || typeof text !== 'string') return text; if (YES_RE.test(text)) return ✓; if (NO_RE.test(text)) return ✗; if (LIMITED_RE.test(text)) return ◐; if (NA_RE.test(text) || NA2_RE.test(text)) return Not applicable; return processText(text); }; const cellClassName = text => { if (!text || typeof text !== 'string') return undefined; if (NA_RE.test(text)) return 'yt-cell-na'; if (NA2_RE.test(text)) return 'yt-cell-na2'; return undefined; }; const expandSimpleTags = (str, keyRef) => { const result = []; let last = 0; SIMPLE_TAG_RE.lastIndex = 0; let m; while ((m = SIMPLE_TAG_RE.exec(str)) !== null) { if (m.index > last) result.push(str.slice(last, m.index)); if (m[1]) { result.push(
); } else if (m[2]) { result.push(
,
); } else if (m[3]) { result.push(Note: ); } else if (m[4]) { result.push(Warning: ); } last = m.index + m[0].length; } if (last < str.length) result.push(str.slice(last)); return result; }; const expandHtmlTags = (chunks, keyRef) => { const out = []; for (const chunk of chunks) { if (typeof chunk === 'string') { out.push(...expandSimpleTags(chunk, keyRef)); } else { out.push(chunk); } } return out; }; const extractText = node => { if (node === null || node === undefined) return ''; if (typeof node === 'string') return node; if (typeof node === 'number') return String(node); if (typeof node === 'boolean') return ''; if (Array.isArray(node)) return node.map(extractText).join(''); if (node && typeof node === 'object' && node.type) { const props = node.props || ({}); if (typeof props.children === 'string') return props.children; if (props.children) return extractText(props.children); return ''; } return String(node || ''); }; const [mounted, setMounted] = useState(false); useEffect(() => { setMounted(true); }, []); const data = useMemo(() => { if (propData) return propData; if (content && typeof content === 'string') return parseYamlTableContent(content); if (!children) return []; if (typeof children === 'string') return parseYamlTableContent(children); const childrenArray = Array.isArray(children) ? children : [children]; return parseYamlTableContent(childrenArray.map(extractText).join('').trim()); }, [children, propData, content]); const columns = useMemo(() => { if (!data || data.length === 0) return []; const firstRow = data[0]; if (!firstRow || typeof firstRow !== 'object') return []; return Object.keys(firstRow); }, [data]); if (!mounted) return null; if (!data || data.length === 0) return null; const rowKey = row => columns.map(c => row[c] || '').join('|'); return {columns.map(col => )} {data.map(row => {columns.map(col => )} )}

{col.replaceAll('_', ' ')}
{processBadges(row[col])}

; }; Filters enable targeted queries on dependencies based on attributes such as ecosystem, reachability, direct versus transitive usage, discovery type, approximate resolution, severity, and Endor scores. This guide explains how dependency filters work, how to apply and combine them effectively, and provides practical examples to support triage, audit, and reporting workflows across your dependency inventory. ## How filters work Each filter consists of three parts. * **Key**: The attribute you want to filter (for example, `Ecosystems`, `Dependency Reachability`, and `Direct`). * **Operator**: The comparison logic (for example, `equals`, `in`, and `greater than` ). * **Value**: The target value to evaluate (for example, `Maven` and `Yes`). Dependency filters use standard comparison operators to evaluate criteria. See [Filter operators](/developers-api/rest-api/using-the-rest-api/filters#operators) for detailed information about available operators and their usage when using the API. When you apply multiple filters, the system combines them using logical AND operations across filters for different fields and logical OR operations across filters for the same field. For example: * **Filter 1**: `Ecosystems in: npm` * **Filter 2**: `Dependency Reachability: Potentially Reachable` * **Filter 3**: `Direct: Yes` * **Filter 4**: `Dependency Scopes: Normal` Multiple dependency filters applied

This combination returns only dependencies that are in the npm ecosystem, potentially reachable in your code, direct, and have normal scope. ## Filter implementation techniques You can use the following filter types to manage your dependencies effectively. * [Preset filters](#preset-filters): Use the filter bar in the Endor Labs user interface to quickly segment dependencies by common attributes. * [Filter dependencies using API](#filter-dependencies-using-api): Use the REST API or endorctl for complex queries and logical combinations. ### Preset filters The following examples demonstrate how to apply preset filters for common dependency scenarios. #### Filter dependencies by project Use the **Projects** filter to show only dependencies used by one or more selected projects. You can search by project name or tags, and click **Add Filter**. For example, to view only dependencies used by a specific application, search by project name or tags Filter by project

#### Filter dependencies by ecosystem Use the **Ecosystems** filter to segment dependencies by package manager or language for targeted security policies, license compliance, or ecosystem-specific upgrade campaigns. For example, to focus on Maven dependencies for a Java security assessment, use the `Ecosystems in: Maven` filter. Filter by ecosystem

#### Filter dependencies by reachability Use the **Dependency Reachability** filter to focus on dependencies that are reachable from your application code. Reachable dependencies are the ones that execute at runtime and increase your exposure to vulnerabilities. You can filter by **Reachable**, **Potentially Reachable**, or **Unreachable** dependency. For example, to prioritize remediation of dependencies your application might call at runtime, use the `Dependency Reachability: Potentially Reachable` filter. Filter by dependency reachability

#### Filter dependencies by scope Use the **Dependency Scopes** filter to separate production dependencies from those used only for testing or build-time tasks, so that you can target the right ones for policies and reports. You can filter by: * **Normal**: Production dependencies consumed by the application at run time. * **Test**: Dependencies used only in test scope, such as test frameworks and test-only libraries. * **Build**: Dependencies used only at build or development time, such as compilers, build tools, or dev-only tools. For example, to show only production dependencies, use the `Dependency Scopes: Normal` filter. Filter by dependency scope

#### Filter dependencies by declaration Use the **Direct** filter to distinguish between dependencies you declare explicitly in your manifests and those pulled in transitively. For example, to view only direct dependencies, use the `Direct: Yes` filter. Filter by direct

#### Filter dependencies by public Use the **Public** filter to show dependencies from public registries (npm, Maven Central, PyPI) or from private sources. For example, to view only dependencies from public package sources, use the `Public: Yes` filter. Filter by public

#### Filter dependencies by vendored Use the **Vendored** filter to scope results by whether your repository embeds dependency artifacts, such as version-controlled source or shaded JARs, rather than resolving them from a package registry. For example, to exclude vendored artifacts from a license review, use the `Vendored: No` filter. Filter by vendored

#### Filter dependencies by approximation Use the **Approximation** filter to distinguish dependencies inferred during fallback dependency resolution from dependencies fully resolved from manifests and lockfiles. Approximate dependencies can still appear in findings, but they may be less accurate than fully resolved dependencies. For example, to review only dependencies discovered through approximate resolution, use the `Approximation: Yes` filter. See [Approximate scans](/scan/sca/approximate-scans) For more information on approximate resolution. Filter by approximation

#### Filter dependencies by discovery type Use the **Discovery Type** filter to restrict results by how the dependency was found. You can filter by **Manifest** (declared in a manifest), **Phantom** (phantom or imported dependency analysis), or **Segment match** (code segment match). For example, to focus on phantom dependencies, use the `Discovery Type: Phantom` filter. Filter by discovery type

#### Filter dependencies by pinned Use the **Pinned** filter to tell whether the dependency version is pinned to a specific version or range. Unpinned direct dependencies are a common operational and supply chain risk because builds can pull different versions over time. For example, to list only pinned dependencies, use the `Pinned: Yes` filter. Filter by pinned

#### Filter dependencies by scan timestamp Use the **Last Scanned** filter to identify dependencies with stale security data that require fresh scans for current security posture. You can select from predefined time ranges or use the calendar to select a specific date. For example, to identify dependencies scanned within the last 24 hours, use the `Last Scanned: Last Day` filter. Filter by last scanned

#### Filter dependencies by release date Use the **Released** filter to focus on recently released dependency versions for upgrade planning or to track new releases. You can select from predefined time ranges or use the calendar to select a specific date. For example, to find dependencies released in the last week, use the `Released: Last Week` filter. Filter by release date

### Filter dependencies using API For complex queries, use the advanced filter syntax to combine multiple attributes and apply logical operators. The following table lists the available attributes for dependency filters. {` - Title: Dependency Package Version Name Key: \`meta.name\` Description: Filters dependencies by the dependency package version name in the format \`ecosystem://package@version\`. - Title: Parent UUID Key: \`meta.parent_uuid\` Description: Filters dependencies by the root package version UUID that declares or pulls in the dependency. - Title: Importing Project UUID Key: \`spec.importer_data.project_uuid\` Description: Filters dependencies by the project that contains them. Use to list all dependencies for a given project. - Title: Importing Package Version UUID Key: \`spec.importer_data.package_version_uuid\` Description: Filters dependencies by the root package version that declares or pulls in the dependency. - Title: Importing Package Name Key: \`spec.importer_data.package_name\` Description: Filters dependencies by the qualified name of the importing package, without version. - Title: Importing Package Version Name Key: \`spec.importer_data.package_version_name\` Description: Filters dependencies by the fully qualified name of the root package version. - Title: Call Graph Available Key: \`spec.importer_data.callgraph_available\` Description: Filters by whether a call graph is available for the root package version. - Title: Dependency Project UUID Key: \`spec.dependency_data.project_uuid\` Description: Filters by the project UUID to which the dependency package version belongs. - Title: Dependency Package Version UUID Key: \`spec.dependency_data.package_version_uuid\` Description: Filters by the UUID of the dependency package version object. - Title: Dependency Package Name Key: \`spec.dependency_data.package_name\` Description: Filters by the qualified dependency package name. - Title: Ecosystem Key: \`spec.dependency_data.ecosystem\` Description: Filters by dependency ecosystem, such as npm, Maven, or PyPI. - Title: Direct Key: \`spec.dependency_data.direct\` Description: Filters by whether the dependency is direct or transitive. - Title: Reachability Key: \`spec.dependency_data.reachable\` Description: Filters by reachability status, such as reachable, potentially reachable, or unreachable. - Title: Dependency Scope Key: \`spec.dependency_data.scope\` Description: Filters by dependency scope, such as Build, Normal, or Test. - Title: Public Key: \`spec.dependency_data.public\` Description: Filters by whether the dependency is from a public or a private source. - Title: Vendored Key: \`spec.dependency_data.vendored\` Description: Filters by whether the dependency is vendored or embedded in your repository. - Title: Approximation Key: \`spec.dependency_data.approximation\` Description: Filters by whether the dependency is approximate (estimated from unresolved dependency data). - Title: Pinned Key: \`spec.dependency_data.pinned\` Description: Filters by pinned status of the dependency version. - Title: Patched Key: \`spec.dependency_data.patched\` Description: Filters by patch status of the dependency version. - Title: End-of-Life Key: \`spec.dependency_data.eol\` Description: Filters by whether the dependency is end-of-life. - Title: Last Commit Key: \`spec.dependency_data.last_commit\` Description: Filters by the date of the last commit or modification in the dependency version. - Title: End-of-Life Timestamp Key: \`spec.dependency_data.eol_timestamp\` Description: Filters by the end-of-life timestamp of the dependency package version. - Title: Namespace Key: \`spec.dependency_data.namespace\` Description: Filters by the namespace to which the dependency package version belongs. - Title: Discovery Type Key: \`spec.dependency_data.discovery_type\` Description: Filters by discovery method: manifest, phantom, or segment match. - Title: Parent Count Key: \`spec.dependency_data.parent_count\` Description: Filters by the number of direct parents of the dependency in the dependency graph. `} #### API filter use cases The following examples demonstrate how to combine these attributes for common security and compliance workflows. List only direct dependencies for a given project. ```bash theme={null} spec.importer_data.project_uuid== and spec.dependency_data.direct==true ``` Focus on direct dependencies of a root package version that are also reachable, for prioritization. ```bash theme={null} spec.importer_data.package_version_uuid== and spec.dependency_data.direct==true and spec.dependency_data.reachable==REACHABILITY_TYPE_REACHABLE ``` Find dependencies that are end-of-life across the namespace for upgrade or replacement planning. ```bash theme={null} spec.dependency_data.eol==true ``` Limit to npm dependencies that are reachable from application code, across the namespace. ```bash theme={null} spec.dependency_data.ecosystem==ECOSYSTEM_NPM and spec.dependency_data.reachable==REACHABILITY_TYPE_REACHABLE ``` Find all public and non-vendored dependencies across the namespace for license or supply chain review. ```bash theme={null} spec.dependency_data.vendored==false and spec.dependency_data.public==true ``` Query across the namespace for dependencies that have a patch, without scoping by project. ```bash theme={null} spec.dependency_data.patched==true ```