
Deploy Endor Labs GitHub App (Pro)

Learn how to continuously monitor your environment with the Endor Labs GitHub App.


Endor Labs GitHub App (Pro) is an enhanced version of the Endor Labs GitHub App that supports PR remediation to fix vulnerabilities. See PR remediation for more information.

Warning
You cannot have both GitHub App and GitHub App (Pro) simultaneously in your environment. When migrating from one app to the other, ensure you select the same set of repositories as before to preserve your currently scanned projects and findings after the migration.

You can also make the findings generated by Endor Labs available to GitHub Advanced Security so that you can view the findings in the GitHub Advanced Security. Endor Labs exports the findings in the SARIF format and uploads them to GitHub. You can view the findings under Security > Vulnerability Alerts > Code Scanning in GitHub. See Export findings to GitHub Advanced Security for more information.

When Endor Labs scans a repository for the first time, it detects the default branch of the repository. The findings that are created in the scan are associated with the default branch.

When you change the default branch in your source control system (for example, from main to dev):

  • Endor Labs automatically detects the new default branch and sets that as the default reference
  • The previous default branch becomes a reference branch
  • Scans continue on the new default branch and the reference branch

The findings associated with the previous default branch are no longer associated with the default context reference. You can view them in the reference context.

When you rename the default branch in your source control system:

  • Endor Labs automatically switches to the renamed branch
  • Scans continue without disruption

When you add a new repository version (for example, a dev branch), both the default branch and the new version are scanned by the Endor Labs App.

You can control the default branch detection by setting the ENDOR_SCAN_TRACK_DEFAULT_BRANCH environment variable in a scan profile. You need to configure the project to use the scan profile. See Configure scan profiles for more information.

By default, the environment variable is set to true. When set to true, the default branch detection is enabled, and the first branch you scan is automatically considered as the default branch.

Before installing and scanning projects with Endor Labs GitHub App (Pro), make sure you have:

  • Administrative permissions to your GitHub organization. Installing the Endor Labs GitHub App (Pro) in your organization requires approval or permissions from your GitHub organizational administrator. If you don’t have the permissions, use the command line utility, endorctl, while you wait for the approval.
  • Endor Labs GitHub App (Pro) requires the following permissions:
    • Read access to Dependabot alerts, actions, administration, checks, code, commit statuses, issues, metadata, packages, pull requests, repository hooks, and security events.
    • Read and write access to checks, contents, and pull requests.
    • Write access to code scanning alerts to upload findings to GitHub Advanced Security as SARIF files.
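The permission list above is also what you should audit after installation: an app holding more than the documented set is over-privileged, and one holding less will fail at a specific feature (for example, SARIF upload needs write access to code scanning alerts). The script below is an added example, not Endor Labs code or part of the app. It checks the permissions an installation holds, as GitHub's REST API reports them (`GET /orgs/{org}/installations`, each entry carrying an `app_slug` and a `permissions` object), against the documented set. The mapping from the permission names used on this page to GitHub API permission keys is an assumption, the app slug is a placeholder, and the installation record is constructed rather than captured from a real organization.

```python
"""Least-privilege audit for an installed GitHub App (added example, not vendor code).

Compares the permissions an installation actually holds against the documented
permission set for the Endor Labs GitHub App (Pro). The API key names below are
assumed to match GitHub's permission object; the sample installation is constructed.
"""

# "write" implies "read" in GitHub's permission model.
LEVEL = {"read": 1, "write": 2}

# Documented permission set, keyed by the (assumed) GitHub API permission names.
EXPECTED_PERMISSIONS = {
    "vulnerability_alerts": "read",   # Dependabot alerts
    "actions": "read",
    "administration": "read",
    "checks": "write",
    "contents": "write",
    "statuses": "read",               # commit statuses
    "issues": "read",
    "metadata": "read",
    "packages": "read",
    "pull_requests": "write",
    "repository_hooks": "read",
    "security_events": "write",       # security events / code scanning alerts (SARIF upload)
}


def audit_permissions(granted, expected=EXPECTED_PERMISSIONS):
    """Return (excess, missing).

    excess:  (perm, granted_level, documented_level) for permissions the app holds
             beyond the documented set, or at a higher level than documented.
    missing: (perm, granted_level, documented_level) for documented permissions the
             installation lacks or holds at a lower level than required.
    """
    excess, missing = [], []
    for perm, level in granted.items():
        want = expected.get(perm)
        if want is None or LEVEL[level] > LEVEL[want]:
            excess.append((perm, level, want))
    for perm, want in expected.items():
        have = granted.get(perm)
        if have is None or LEVEL[have] < LEVEL[want]:
            missing.append((perm, have, want))
    return excess, missing


def find_installation(installations, app_slug):
    """Pick the installation record for a given app slug from an API listing."""
    for inst in installations:
        if inst.get("app_slug") == app_slug:
            return inst
    return None


# Constructed sample shaped like one entry of GET /orgs/{org}/installations.
# It deliberately escalates "administration", adds an undocumented "members"
# permission, and omits "statuses" so the audit has something to report.
SAMPLE_INSTALLATIONS = [
    {
        "id": 12345,                       # placeholder id
        "app_slug": "example-scanner-app",  # placeholder slug, not the real app's
        "permissions": {
            "vulnerability_alerts": "read",
            "actions": "read",
            "administration": "write",
            "checks": "write",
            "contents": "write",
            "issues": "read",
            "metadata": "read",
            "members": "read",
            "packages": "read",
            "pull_requests": "write",
            "repository_hooks": "read",
            "security_events": "write",
        },
    }
]


def audit_org(installations, app_slug):
    """Audit one app's installation; returns None when the app is not installed."""
    inst = find_installation(installations, app_slug)
    if inst is None:
        return None
    return audit_permissions(inst["permissions"])


if __name__ == "__main__":
    result = audit_org(SAMPLE_INSTALLATIONS, "example-scanner-app")
    excess, missing = result
    for perm, have, want in excess:
        print(f"EXCESS  {perm}: granted={have}, documented={want}")
    for perm, have, want in missing:
        print(f"MISSING {perm}: granted={have}, documented={want}")
```

Feed `audit_org` the JSON body of a real `GET /orgs/{org}/installations` call (it requires organization admin credentials) and the slug shown on the app's installation page; any `EXCESS` line is worth a question to the vendor, and any `MISSING` line predicts which feature will fail.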

To automatically scan repositories using the GitHub App and create automatic PRs to fix vulnerabilities:

  1. Sign in to Endor Labs.

  2. From the left sidebar, choose Projects and click Add Project.

  3. From GitHub, choose GitHub App

  4. Select Enable Automated Pull Requests.

  5. Click Install GitHub App (Pro).

    You will be redirected to GitHub to install the Endor Labs App (Pro).

  6. Click Install.

  7. Select a user to authorize the app.

  8. Select the organization in which you want to install the app.

  9. Select whether to install and authorize Endor Labs on all your repositories or select the specific repositories that you wish to scan.

  10. Review the permissions required for Endor Labs and click Install and Authorize.

Note
If the button to install says Install and Request instead of Install and Authorize, you don’t have permission to install the GitHub App. Use the endorctl command line interface or select Install and Request to notify your organizational administrator of your request to install. If you select Install and Request, your installation will not be active unless your organizational administrator approves the request to install GitHub App.

  11. Choose a namespace and click Next.

    Select Manage Namespaces if you need to create a new namespace or if you don’t see the namespace you want to use in the list.

  12. Based on your license, select and enable the scanners.

    The following scanners are available:

    • SCA: Perform software composition analysis and discover AI models used in your repository.
    • RSPM: Scan the repository for misconfigurations. RSPM scans run every week on Sundays.
    • Secret: Scan the repository for exposed secrets.
    • GitHub Actions: Scan the repository and identify all the GitHub Actions workflows used in the repository.
    • SAST: Scan your source code for weaknesses and generate SAST findings.

  13. Select Include Archived Repositories to scan your archived repositories. By default, the GitHub archived repositories aren’t scanned.

  14. Select PULL REQUEST SCANS to set preferences for scanning pull requests submitted by users.

    • Select Pull Request Comments to enable GitHub Actions to comment on PRs for policy violations.

    • In Define Scanning Preferences, select either:

      • Quick Scan to gain rapid visibility into your software composition. It performs dependency resolution but does not conduct reachability analysis to prioritize vulnerabilities. The quick scan enables users to swiftly identify potential vulnerabilities in dependencies, ensuring a smoother and more secure merge into the main branch.

      • Full Scan to perform dependency resolution, reachability analysis, and call graph generation for supported languages and ecosystems. This scan gives users complete visibility and identifies all issues in dependencies before they are merged into the main branch. Full scans may take longer to complete, potentially delaying PR merges.

      See GitHub scan options for more information on the scans that you can do with the GitHub App.

  15. Click Continue. You have successfully installed the GitHub App (Pro).

Endor Labs GitHub App (Pro) scans your repositories every 24 hours and reports any new findings or changes to release versions of your code. It can also raise a PR with a fix based on your remediation policy. Ensure that you configure automated PR scans in your environment. See Automated PR scans for more information.

You can improve your experience with the GitHub App by setting up package repositories. This will help you create a complete bill of materials and perform static analysis. Without setting package repositories, you may not be able to get an accurate bill of materials. See Set up package manager integration for more information.

The Endor Labs GitHub App (Pro) has the same limitations as the GitHub App. See Limitations for more information.

Manage GitHub App (Pro) on Endor Labs

You can make changes to the GitHub App integrations or delete them. You can view the activity logs for the GitHub App and rescan your GitHub repositories on demand.

  1. Sign in to Endor Labs and select Integrations from the left sidebar.

  2. Click Manage next to GitHub under Source Control Managers.


  3. Click the three vertical dots next to the integration.

    You can choose from the following options:

To edit the GitHub App integration:

  1. Click the three vertical dots next to the integration, and select Edit Integration.
  2. Update your personal access token and choose the scanners.
  3. Choose Pull Request Scans to set preferences for scanning pull requests submitted by users:
    • Enable Automatic Pull Request Scanning to automatically scan PRs submitted by users.
    • Enable Pull Request Comments to allow GitHub Actions to comment on PRs for policy violations.
    • Set the Scanning Preferences to:
      • Quick Scan for dependency resolution without reachability analysis. This provides rapid visibility into potential vulnerabilities for faster merges.
      • Full Scan for dependency resolution, reachability analysis, and call graph generation for supported languages. This provides full visibility but may take longer to complete.
  4. Click Save. The changes are applied from the next scanning cycle.

To delete a GitHub App integration, click the three vertical dots next to the integration, and select Delete Integration.

When you delete the integration, it also deletes all child namespaces, projects, and references associated with the auto-generated root group namespace, as well as any manually created namespaces and projects under that namespace.

To view sync logs, click the three vertical dots next to the integration, and select View Sync Logs.

The sync logs display details of synchronization attempts, including timestamps, error types, and diagnostic messages. These logs help identify issues such as authentication failures or configuration problems.


Warning
You cannot have both GitHub App and GitHub App (Pro) simultaneously in your environment. When you migrate from one app to the other, select the same set of repositories as before to preserve the currently scanned projects and findings after the migration.

To migrate from GitHub App (Pro) to standard GitHub App:

  1. Click the three vertical dots on the right side of the integration that you want to edit, and select Migrate to Standard App.

  2. Click Migrate.

    You will be redirected to GitHub.

  3. Click Configure.

  4. Select a user to authorize the app.

  5. Select Configure in the organization in which you want to migrate the app.

  6. Select whether to install and authorize Endor Labs on all your repositories or select the specific repositories that you wish to scan.

  7. Choose the namespace and click Next.

Warning
You must choose the same namespace as your existing GitHub App installation.

  8. Select and enable the scanners you require.

  9. Select the preferences for scanning pull requests, if required.

  10. Click Continue.

Old installation cleanup
After migration is successful, delete the old installation from your GitHub organization.

Branch protection rules
When you migrate from one app to another, you must manually update your branch protection rules in GitHub. Branch protection rules that reference the old GitHub App (Pro) ID will become inactive and will not function until reconfigured with the new app. Refer to Branch protection rules to learn more.

GitHub App scans your repositories every 24 hours. Click Rescan Org to manually trigger a scan outside the 24-hour period.

Click Scan More Repositories to go to Projects, where you can add more repositories to scan through the GitHub App.