This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Deploy Endor Labs GitLab App

Learn how to continuously monitor your environment with the Endor Labs GitLab App.

Table of Contents

This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Learn how to continuously monitor your environment with the Endor Labs GitLab App.

Endor Labs provides a GitLab App that continuously monitors users’ projects for security and operational risk. You can use the GitLab App to selectively scan your repositories for SCA, secrets, SAST, and CI/CD tools. You can use the GitLab App with a GitLab cloud account or a self-hosted GitLab instance.

When you use Endor Labs GitLab App, Endor Labs creates namespaces based on your organization hierarchy in GitLab.

The namespaces created by the Endor Labs GitLab App are not like regular namespaces and are called managed namespaces. These namespaces are named after subgroup slugs in GitLab.

See Manage GitLab App to learn how to manage your GitLab App integration in Endor Labs.

You can also scan your merge requests using the GitLab App. You can enable MR scans during the installation of the GitLab App or by editing the GitLab App integration. See GitLab App MR scans for more information.

Ensure that you consider the following limitations when you use the GitLab monitoring scan.

  • GitLab supports up to 20 levels of subgroup nesting, while Endor Labs currently supports a maximum of 10 levels, assuming the installation is created at the tenant level. If a GitLab installation is created within a nested namespace, such as tenant.namespace1.namespace2, the available nesting depth for subgroups in GitLab is reduced. In this case, Endor Labs can only support up to eight levels of nested subgroups.
  • Endor Labs supports GitLab groups with a maximum of 64 characters.

Managed namespaces are always reflective in terms of structure and content in GitLab.

Managed namespaces have the following restrictions:

  • You cannot delete managed namespaces.

  • You cannot delete projects present within managed namespaces.

  • You cannot add projects or create namespaces within managed namespaces.

  • You cannot create any new Endor Labs App installation within the managed namespaces.

    For example, you cannot create an Endor Labs GitHub App installation within a namespace that was created by the Endor Labs GitLab App.

Any modifications to the namespaces have to be in GitLab. The changes that you make to the namespaces and projects are reflected in Endor Labs after a rescan.

If your organization has the following hierarchy in GitLab:

graph TD
    GL((GitLab))
    HC[HappyCorp]

    %% Main divisions
    Web[Web]
    Mobile[Mobile]
    Desktop[Desktop]

    %% Web subgroups
    WA[Alpha]
    WB[Beta]
    WG[Gamma]

    %% Mobile subgroups
    MD[Delta]
    ME[Epsilon]
    MZ[Zeta]

    %% Desktop subgroups
    DP[Pi]
    DR[Rho]
    DS[Sigma]

    %% Main connections
    GL --> HC
    HC --> Web
    HC --> Mobile
    HC --> Desktop

    %% Web connections
    Web --> WA
    Web --> WB
    Web --> WG

    %% Mobile connections
    Mobile --> MD
    Mobile --> ME
    Mobile --> MZ

    %% Desktop connections
    Desktop --> DP
    Desktop --> DR
    Desktop --> DS

    class HC main
    class Web,Mobile,Desktop division
    classDef default fill:#777777
    classDef circle fill:#95A5A6
    class GL circle

Endor Labs creates managed namespaces that mirror your GitLab groups under an Endor Labs namespace (for example, happyendor). Endor Labs creates happycorp as the parent namespace with web, mobile, and desktop as the child namespaces. The namespace happycorp will be under the Endor Labs namespace.

Each of these child namespaces have further child namespaces as follows:

  • web: alpha, beta, gamma
  • mobile: delta, epsilon, zeta
  • desktop: pi, rho, sigma

The following diagram shows the organization of namespaces in Endor Labs.

graph TD
    EN[happyendor]
    HC[happycorp]

    %% Main divisions
    Web[web]
    Mobile[mobile]
    Desktop[desktop]

    %% Web subgroups
    WA[alpha]
    WB[beta]
    WG[gamma]

    %% Mobile subgroups
    MD[delta]
    ME[epsilon]
    MZ[zeta]

    %% Desktop subgroups
    DP[pi]
    DR[rho]
    DS[sigma]

    %% Main connections
    EN --> HC
    HC --> Web
    HC --> Mobile
    HC --> Desktop

    %% Web connections
    Web --> WA
    Web --> WB
    Web --> WG

    %% Mobile connections
    Mobile --> MD
    Mobile --> ME
    Mobile --> MZ

    %% Desktop connections
    Desktop --> DP
    Desktop --> DR
    Desktop --> DS

    class HC main
    class EN endor
    class Web,Mobile,Desktop division
    class WA,WB,WG,MD,ME,MZ,DP,DR,DS group
    classDef main fill:#008B87
    classDef division fill:#008B87
    classDef group fill:#008B87
Note
In Endor Labs, namespaces are always in lowercase. If your groups have uppercase characters in their names, the corresponding namespaces will be converted to lowercase.

You cannot create multiple GitLab installations with the same root group in the host URL within the same Endor Labs namespace.

For example, if a GitLab installation exists with a host URL like gitlab.com/group1/sg1, you cannot create another installation with a host URL like gitlab.com/group1/sg2 within the same Endor namespace. Instead, you must create the installation with a different root group in the host URL, such as gitlab.com/group2/sg2.

graph TD

      %% Endor Labs namespace
      EN[happyendor]

      %% GitLab groups
      G1[group1]
      G2[group2]
      SG1[sg1]
      SG2[sg2]

      %% connections
      EN --> G1
      EN --> G2
      G1 --> SG1
      G2 --> SG2

      class EN endor
      class G1,G2,SG1,SG2 managed
      classDef managed fill:#008B87

If you wish to create an installation with a host URL like gitlab.com/group1/sg2, it should be inside a different Endor Labs namespace.

graph TD

      %% Endor Labs namespace
      EN[happyendor]
      EN2[happyendor2]

      %% GitLab groups
      G1[group1]
      G2[group1]
      SG1[sg1]
      SG2[sg2]

      %% connections
      EN --> G1
      EN2 --> G2
      G1 --> SG1
      G2 --> SG2

      class EN,EN2 endor
      class G1,G2,SG1,SG2 managed
      classDef managed fill:#008B87

When Endor Labs scans a repository for the first time, it detects the default branch of the repository. The findings that are created in the scan are associated with the default branch.

When you change the default branch in your source control system (for example, from main to dev):

  • Endor Labs automatically detects the new default branch and sets that as the default reference
  • The previous default branch becomes a reference branch
  • Scans continue on the new default branch and the reference branch

The findings associated with the previous default branch are no longer associated with the default context reference. You can view them in the reference context.

When you rename the default branch in your source control system:

  • Endor Labs automatically switches to the renamed branch
  • Scans continue without disruption

When you add a new repository version (for example, a dev branch), both the default branch and the new version are scanned by the Endor Labs App.

You can control the default branch detection by setting the ENDOR_SCAN_TRACK_DEFAULT_BRANCH environment variable in a scan profile. You need to configure the project to use the scan profile. See Configure scan profiles for more information.

By default, the environment variable is set to true. When set to true, the default branch detection is enabled, and the first branch you scan is automatically considered as the default branch.

Before installing and scanning projects with Endor Labs GitLab App, make sure you have:

  • A GitLab cloud account or a self-hosted GitLab instance.
  • An organization in GitLab.
  • Endor Labs GitLab App requires a GitLab personal access token with at least read_api permission. You need to provide the api permission if you want to scan your merge requests.
Admin Authorization Role
Only users with admin authorization role in Endor Labs can create and manage installations. See Authorization roles for more information.
GitLab Personal Access Token
If you have restrictions on using a regular GitLab personal access token or face issues with such a token, you can use a personal access token for a GitLab service account instead.

  1. Sign in to Endor Labs.

  2. Select Projects from the left sidebar and click Add Project.

  3. From GITLAB, select GitLab App.

    GitLab App

  4. Enter the GitLab organization URL in the format: https://gitlab.com/{group}/{subgroup1}/....

    You need to enter at least the root group. For example, https://gitlab.com/group1.

    You can provide the host URL up to any subgroup level. For example, https://gitlab.com/group1/subgroup1/subgroup2/subgroup3.

    Endor Labs creates namespaces for groups and subgroups and maps projects to these namespaces.

    If the GitLab installation is created at the tenant level, Endor Labs supports up to 10 levels of GitLab group nesting. If the installation is created within a nested namespace under the tenant, the supported nesting depth decreases by one level for each additional level of nesting.

  5. Enter the GitLab personal access token.

Scope of the Personal Access Token
The personal access token must have at least the read_api scope. If you want to scan merge requests, you need to provide the personal access token of a project developer role with the api scope.

  1. Select the scan types to enable:

    • SCA: Perform software composition analysis and discover AI models used in your repository.
    • Secret: Scan GitLab projects for exposed secrets.
    • CI/CD: Scan GitLab projects and identify all the CI/CD tools used.
    • SAST: Scan GitLab projects to generate SAST findings.

    The available scan types depend upon your license.

  2. Select Include Archived Repositories to scan your archived repositories. By default, the GitLab archived repositories aren’t scanned.

  3. Click Create.

    Your GitLab App installation is created and has now started monitoring the projects in your groups. Endor Labs GitLab App scans your GitLab projects every 24 hours and reports any new findings.

  4. Optionally, you can continue to Configure GitLab App MR scans to scan your merge requests.

    GitLab App installation created

    You can also choose to configure the webhook for MR scans and apply it to specific projects through a scan profile. See Scan profiles for more information. Thereby, you can ensure that MR scans are only for selected projects rather than for all the projects in the group.

  5. Click Skip to if you don’t want to scan your merge requests.

    You can enable MR scans later in the GitLab App integration.

GitLab App MR scans

Beta

You can configure MR scans while creating a new GitLab App installation or for the existing GitLab App installations. Endor Labs uses group webhooks to scan your merge requests. For more information, refer to GitLab webhooks.

Permissions for the GitLab App MR scans
GitLab App installation requires a personal access token of the project developer role with the api scope. You need to configure webhooks to complete the MR scans configuration. Webhooks configuration through cURL requires the personal access token of the group owner with the api scope or the group owner role needs to configure the webhook on the GitLab UI.

You can also choose to receive MR comments on your merge requests. After you configure MR comments, Endor Labs posts a comment on the merge request if any issues are detected during the MR scan. See GitLab MR comments for more information.

After you complete the initial installation of the GitLab App to install the GitLab App in Endor Labs, you can configure MR scans. At this point, the GitLab App will be operational.

You can also choose to configure the webhook for MR scans and apply it to specific projects through a scan profile. See Scan profiles for more information. Thereby, you can ensure that MR scans are only for selected projects rather than all the projects in the group.

  1. Select Merge Request Scans under Merge Request Configuration.

    GitLab App MR scan setup

  2. Optionally, select Merge Request Comments to enable MR comments.

    When you enable MR comments, Endor Labs will post a comment on the merge request if any issues are detected during the MR scan. You need to set up MR comments in Endor Labs to receive the comments. See GitLab MR comments for more information.

Enable MR scans for selected projects

If you select the options to configure MR scans in your GitLab App installation, merge requests for all the projects in the groups and subgroups are scanned. Instead, you can choose to configure MR scans and MR comments for selected projects. Choose not to select Merge Request Scans but continue to set up the webhook for MR scans. Set up a scan profile to configure MR scans. Ensure that you select Pull Request Scans and optionally select under Developer Workflow when you create the scan profile.

Configure MR scans for selected projects

See Scan profiles for more information.

  1. Select Set up the webhook now under Webhook Settings.

  2. You can either configure the webhook on the GitLab UI or use the cURL command to set up the webhook.

    Configure the webhook on the GitLab UI

    Ensure that you have the group owner role to configure the webhook on GitLab.

    1. Sign in to GitLab and select the group for which you want to configure the webhook.

    2. Select Settings > Webhooks from the left sidebar.

    3. Click Add Webhook.

    4. Configure the webhook in GitLab.

      • Name: Name for the webhook.
      • Description: Description for the webhook.
      • URL: Enter https://api.endorlabs.com/webhooks/gitlab as the URL to access the Endor Labs webhook API.
      • Secret Token: The secret token from Endor Labs.

      You can copy the values from the Endor Labs user interface.

      GitLab App MR scan setup webhook

    5. Click Add Custom Header and enter the following values:

      • Key: X-Endor-Installation-ID
      • Value: The Custom Header Value from the Endor Labs user interface. It is the installation ID of the Endor Labs GitLab installation.

    6. Select Merge request events under the Trigger section.

    7. Ensure that Enable SSL verification is selected under the SSL verification section.

    8. Click Add Webhook to save the changes.

      You can create a webhook without SSL verification, but it is not recommended. Without SSL verification, the webhook is vulnerable to man-in-the-middle attacks.

    Configure the webhook using the cURL command

    Ensure that you have the personal access token of the group owner with the api scope to configure the cURL command.

    1. Select cURL command to configure the webhook using the cURL command.

      GitLab App MR scan setup curl

    2. Replace PRIVATE-TOKEN with the personal access token of the group owner with the api scope.

    3. Copy the cURL command and run it on your system to register the webhook with GitLab.

Save the webhook configuration
Ensure that you complete the webhook configuration in GitLab and save the configuration in Endor Labs. Otherwise, the MR scans will not be enabled.
  1. Click Save to save MR scan configuration.

You can configure MR scans for existing GitLab installations or after the creation of a new GitLab installation.

Scope of the Personal Access Token
Replace the personal access token with the personal access token of a project developer (minimum) role with the api scope for MR scans.

  1. Sign in to Endor Labs and select Integrations from the left sidebar.

  2. Click Manage in GitLab under Source Control Managers.

  3. Click the three dots menu next to the GitLab installation that you want to update.

  4. Select Edit Integration.

  5. Select Merge Request Settings in Integration Settings.

    GitLab App MR scan setup

  6. Select Merge Request Scans.

  7. Optionally, select Merge Request Comments to enable MR comments.

    Ensure that you complete the MR comments configuration in Endor Labs to receive the comments. See GitLab MR comments for more information.

  8. Select Merge Request Scans to enable MR scans.

  9. Select Set up the webhook now under Webhook Settings.

  10. You can either configure the webhook on the GitLab UI or use the cURL command to set up the webhook.

Configure the webhook on the GitLab UI

Ensure that you have the group owner role to configure the webhook on GitLab.

  1. Sign in to GitLab and select the group for which you want to configure the webhook.

  2. Select Settings > Webhooks from the left sidebar.

  3. Click Add Webhook.

  4. Configure the webhook in GitLab.

    • Name: Name for the webhook.
    • Description: Description for the webhook.
    • URL: Enter https://api.endorlabs.com/webhooks/gitlab as the URL to access the Endor Labs webhook API.
    • Secret Token: The secret token from Endor Labs.

    You can copy the values from the Endor Labs user interface.

    GitLab App MR scan setup webhook

  5. Click Add Custom Header and enter the following values:

    • Key: X-Endor-Installation-ID
    • Value: The Custom Header Value from the Endor Labs user interface. It is the installation ID of the Endor Labs GitLab installation.

  6. Select Merge request events under the Trigger section.

  7. Ensure that Enable SSL verification is selected under the SSL verification section.

  8. Click Add Webhook to save the changes.

    You can create a webhook without SSL verification, but it is not recommended. Without SSL verification, the webhook is vulnerable to man-in-the-middle attacks.

Configure the webhook using the cURL command

Ensure that you have the personal access token of the group owner with the api scope to configure the cURL command.

  1. Select cURL command to configure the webhook using the cURL command.

    GitLab App MR scan setup curl

  2. Replace PRIVATE-TOKEN with the personal access token of the group owner with the api scope.

  3. Copy the cURL command and run it on your system to register the webhook with GitLab.

11. Click Save to save the changes.

GitLab MR scans require a webhook to be configured on GitLab. You can configure the webhook on the GitLab UI or use the cURL command to configure the webhook. For more information, refer to GitLab webhooks.

Ensure that you have the group owner role to configure the webhook on GitLab.

  1. Sign in to GitLab and select the group for which you want to configure the webhook.

  2. Select Settings > Webhooks from the left sidebar.

  3. Click Add Webhook.

  4. Configure the webhook in GitLab.

    • Name: Name for the webhook.
    • Description: Description for the webhook.
    • URL: Enter https://api.endorlabs.com/webhooks/gitlab as the URL to access the Endor Labs webhook API.
    • Secret Token: The secret token from Endor Labs.

    You can copy the values from the Endor Labs user interface.

    GitLab App MR scan setup webhook

  5. Click Add Custom Header and enter the following values:

    • Key: X-Endor-Installation-ID
    • Value: The Custom Header Value from the Endor Labs user interface. It is the installation ID of the Endor Labs GitLab installation.

  6. Select Merge request events under the Trigger section.

  7. Ensure that Enable SSL verification is selected under the SSL verification section.

  8. Click Add Webhook to save the changes.

    You can create a webhook without SSL verification, but it is not recommended. Without SSL verification, the webhook is vulnerable to man-in-the-middle attacks.

Ensure that you have the personal access token of the group owner with the api scope to configure the cURL command.

  1. Select cURL command to configure the webhook using the cURL command.

    GitLab App MR scan setup curl

  2. Replace PRIVATE-TOKEN with the personal access token of the group owner with the api scope.

  3. Copy the cURL command and run it on your system to register the webhook with GitLab.

MR comments are automated comments added to merge requests when Endor Labs detects policy violations or security issues during scans. When an MR is raised or updated, Endor Labs runs scans on the proposed changes and adds a comment if any violations are detected based on the configured action policies.

After you enable MR comments, you need to set up an action policy to allow comments to be posted on merge requests.

The action policy that you create triggers the posting of comments on your merge request after a scan is complete. See Action policy for more information. You can create multiple action policies based on your requirements, which the MR scan can trigger. If you create action policy with the Secret template, you get an inline comment with the line number where the secret is detected.

Ensure that you configure the following important settings in the action policy:

  1. Choose an appropriate action policy template or create a custom action policy.

    You can choose an action policy template like Vulnerabilities or create a custom action policy.

  2. Under Action, select Enforce Policy, then choose:

    • Warn to post a comment without breaking the build.
    • Break the Build to fail the build and block the pull request.

  3. Define the scope of the policy using tags. Only projects that match the specified tags will receive MR comments.

  4. Select Propagate this policy to all child namespaces if you want to apply the policy to all child namespaces.

Action policy propagation in child namespaces
If you select Propagate this policy to all child namespaces, and update the policy in the child namespace, the policy in the child namespace takes precedence over the policy in the parent namespace. If you select the propagate option for the child namespace, its child namespaces will also inherit the policy. Since namespace hierarchy follows the group and subgroup hierarchy of GitLab, you can effectively use this option to control the policy for different levels of your organization.

Endor Labs provides a default template for MR comments that you can use out-of-the-box. You can also create custom templates using Go Templates.

The following section shows the default template for MR comments.

{{- /* Do not modify the placement of the CommentHeader.
It is being used to identify the comments generated by Endor Labs. */ -}}
{{ .CommentHeader.Value }}

{{ $policiesTriggeredNumber := len .PolicyFindingsMap }}

{{/* ALERT BANNER */}}
> [!WARNING]
> Endor Labs detected {{ $policiesTriggeredNumber }} policy violations associated with this merge request.

{{ $dataMap := .DataMap }}
{{ $findingsMap := .FindingsMap }}
{{ $packageVersionsMap := .PackageVersionsMap }}
{{ $apiURL := .ApiEndpoint.Value }}

### Please review the findings that caused the policy violations.

{{ range $policyUUID, $policyName := .PoliciesMap }}
{{ $policyFindings := index $dataMap $policyUUID }}
<details>
<summary>

{{/* POLICY HEADER */}}
### :clipboard: Policy: {{ $policyName }} ({{ getFindingsCountString $policyFindings }})</summary>

{{ range $packageVersionUUID, $packageVersionFindings := $policyFindings.PackageToDependencies }}
{{ if ne getOtherFindingsPackageMarker $packageVersionUUID }}
{{ $packageVersionObject := index $packageVersionsMap $packageVersionUUID }}
{{ if $packageVersionObject }}
<details>
<summary>

{{/* PACKAGE HEADER */}}
#### :inbox_tray: Package [{{ $packageVersionObject.Meta.Name.Value }}]({{ getPackageVersionURL $apiURL $packageVersionObject }})</summary>
{{ range $dependencyName, $dependencyFindings := $packageVersionFindings.DependencyToFindings }}
<details>
<summary>

{{/* DEPENDENCY HEADER */}}
##### :arrow_heading_down: Dependency: {{ $dependencyName }}</summary>

{{ range $findingCounter, $findingUUID := $dependencyFindings.Uuids }}
<details>
{{ $findingObj := index $findingsMap $findingUUID }}

{{/* FINDING HEADER */}}
<summary> :triangular_flag_on_post: {{ $findingObj.Meta.Description.Value }}</summary>

{{/* FINDING DETAILS */}}
[Details]({{ getFindingURL $apiURL $findingObj }})
- **Severity**: ` + "`" + `{{ enumToString $findingObj.Spec.Level }}` + "` " + `
- **Tags**: {{ range $i, $t := $findingObj.Spec.FindingTags }}` + "`" + `{{ enumToString $t }}` + "` " + `{{ end }}
- **Categories**: {{ range $i, $c := $findingObj.Spec.FindingCategories }}` + "`" + `{{ enumToString $c }}` + "` " + `{{ end }}
{{- with getFirstPartyReachableFunctions $findingObj }}
- **Reachable via**: ` + "`" + `{{ . }}` + "` " + `
{{- end }}
- **Remediation**: {{ fixBackticks $findingObj.Spec.Remediation.Value }}
</details>
{{ end }} {{/*range $findingCounter, $findingUUID...*/}}
</details>
{{ end }} {{/*range $dependencyName, $depend...*/}}
</details>
{{ end }}  {{/* if $packageVersionObject */}}
{{ else }} {{/* if ne getOtherFindingsPackageMarker... */}}
{{ $depMarker := getOtherFindingsDependencyMarker }}
{{ $otherFindings := index $packageVersionFindings.DependencyToFindings $depMarker }}
{{ $otherFindingsLen := len $otherFindings.Uuids }}
{{ if ne $otherFindingsLen 0 }}
<details>
<summary>

#### :mag: Findings</summary>
{{ range $findingCounter, $findingUUID := $otherFindings.Uuids }}
<details>
{{ $findingObj := index $findingsMap $findingUUID }}
<summary>:triangular_flag_on_post: {{ $findingObj.Meta.Description.Value }}</summary>

[Link To Finding]({{ getFindingURL $apiURL $findingObj }})
- **Severity**: ` + "`" + `{{ enumToString $findingObj.Spec.Level }}` + "` " + `
- **Tags**: {{ range $i, $t := $findingObj.Spec.FindingTags }}` + "`" + `{{ enumToString $t }}` + "` " + `{{ end }}
- **Categories**: {{ range $i, $c := $findingObj.Spec.FindingCategories }}` + "`" + `{{ enumToString $c }}` + "` " + `{{ end }}
- **Summary**: {{ $findingObj.Spec.Summary.Value }}
- **Remediation**: {{ fixBackticks $findingObj.Spec.Remediation.Value }}
{{- if hasFindingCategory $findingObj "SAST" }}
- **Location**: {{ getCustomLocation $findingObj }}
{{- if isNotEmptyString (getCustomCodeSnippet $findingObj) }}
- **Code Snippet**:
` + "```" + `
{{ getCustomCodeSnippet $findingObj }}
` + "```" + `
{{- end }}
{{- end }}
</details>
{{ end }} {{/*range $findingCounter, $findingUUID...*/}}
</details>
{{ end }} {{/*{{ if ne $otherFindingsLen 0*/}}
{{ end }} {{/* if ne getOtherFindingsPackageMarker... */}}
{{ end }} {{/* range $packageVersionUUID, $packageVersionFindings := $policyFindings */}}
</details>
{{ end}}  {{/* {{ range $policyUUID, $policyObj := .PoliciesMap */}}

{{ .CommentFooter.Value }}
_Scanned @ {{ now }} UTC_

You can create your custom template by editing the default template and saving the changes.

The following specification shows the additional functions that you can use in your custom template. You can access these functions by using their corresponding keys.


// FuncMap contains additional template functions used in GitLab comment templates.
var FuncMap = template.FuncMap{
	"now":                              toTime,
	"enumToString":                     enumToString,
	"getFindingURL":                    getFindingURL,
	"getPackageVersionURL":             getPackageVersionURL,
	"getPullRequestURL":                getEndorLabsPullRequestRunURL,
	"getFindingsCountString":           getFindingsCountString,
	"hasOtherFindings":                 hasOtherFindings,
	"getOtherFindingsPackageMarker":    getOtherFindingsPackageMarker,
	"getOtherFindingsDependencyMarker": getOtherFindingsDependencyMarker,
	"fixBackticks":                     fixUnclosedBackticks,
	"getFirstPartyReachableFunctions":  getFirstPartyReachableFunctions,
	"hasFindingCategory":               hasFindingCategory,
	// isNotEmptyString checks if a string is not empty
	"isNotEmptyString": func(value string) bool {
		return value != ""
	},
	// getCustomLocation extracts the location from Custom field
	"getCustomLocation": func(finding *endorpb.Finding) string {
		return getCustomFieldValue(finding, "location")
	},
	// getCustomCodeSnippet extracts the code snippet from Custom field
	"getCustomCodeSnippet": func(finding *endorpb.Finding) string {
		return getCustomFieldValue(finding, "code_snippet")
	},
	// add returns the sum of two integers
	"add": func(n int, incr int) int {
		return n + incr
	},
}

To edit the default template:

  1. Select Manage > Integrations from the left sidebar.

  2. Click Edit Template next to GitLab under Template for PR Comments.

  3. Update the template with the required changes.

  4. Select Propagate this template to all child namespaces if you want to apply the template to all child namespaces.

Template propagation in child namespaces
If you select Propagate this template to all child namespaces, and update the template in the child namespace, the template in the child namespace takes precedence over the template in the parent namespace. If you select the propagate option for the child namespace, its child namespaces will also inherit the template. Since namespace hierarchy follows the group and subgroup hierarchy of GitLab, you can effectively use this option to control the template for different levels of your organization.
  1. Click Save Template to save the changes.
Restore the default template
You can restore the default template by clicking Restore to Default in the template editor to go back to the initial template.

After you enable MR comments, Endor Labs posts a comment on the merge request if any issues are detected during the MR scan based on the action policies.

The following example shows a comment on the merge request as a result of the action policy for identifying leaked secrets.

GitLab MR comment secret

You can expand and view the details of the finding.

GitLab MR comment secret details

Click Link to Finding to view the details of the finding in Endor Labs.

For secrets, Endor Labs also generates a comment with the line number where the secret is detected.

GitLab MR comment secret line

When you create a new merge request, the Endor Labs GitLab App scans the merge request. Endor Labs generates findings based on the finding policy.

  1. Sign in to Endor Labs and select Projects from the left sidebar.

  2. Select the project for which you want to view the MR scan findings.

  3. Select PR runs to view the MR scan findings.

    View MR scan findings

  4. Select the MR for which you want to view the findings.

    View MR scan pane

  5. Click View Details to view the findings on the MR.

    View MR scan findings in detail

See View Findings for more information on Findings in Endor Labs.

You might want to update the webhook secret for rotation or because you have lost the secret.

  1. Select Integrations from the left sidebar.

  2. Click Manage in GitLab under Source Control Managers.

  3. Click the three dots menu next to the GitLab installation that you want to update.

  4. Select Edit Integration.

  5. Select Merge Request Settings.

  6. Enter the new Secret Token under Webhook Settings, and click Save to save the changes.

    GitLab App MR scan update webhook secret

    The secret token can be any random string.

To update the webhook secret in GitLab UI, you need to log in with the group owner role.

  1. Sign in to GitLab and select the group for which you want to update the webhook secret.

  2. Select Settings > Webhooks from the left sidebar.

  3. Click Edit next to the webhook that you want to update.

  4. Enter the new Secret token, and click Save changes to save the changes.

    Ensure that you use the same secret token that you used in Endor Labs.

Manage GitLab App on Endor Labs

You can make changes to the GitLab App integrations or delete them. You can view the activity logs for the GitLab App and rescan your GitLab projects on demand.

  1. Sign in to Endor Labs and select Manage > Integrations from the left sidebar.

  2. Click Manage next to GitLab under Source Control Managers.

    Manage GitLab App

  3. Click the three vertical dots next to the integration.

    You can choose from the following options:

To edit the GitLab App integration:

  1. Click the three vertical dots next to the integration, and select Edit Integration.

  2. You can update your personal access token and choose the scanners. Edit GitLab App\

  3. Select Merge Request Settings to edit the MR scans configuration.

    See GitLab App MR scans for more information.

Scope of the Personal Access Token
Replace the personal access token with the personal access token of a project developer (minimum) role with the api scope for MR scans.

  1. Click Save.

    The changes are applicable from the next scanning cycle.

To delete a GitLab App integration, click the three vertical dots next to the integration, and select Delete Integration.

Manage GitLab App

When you delete the integration, it will also delete all child namespaces, projects and references associated with the auto-generated root group namespace. It also deletes any manually created namespaces and projects under auto-generated namespace.

Endor Labs detects and reports installation and synchronization errors during organization sync. These include expired tokens, insufficient permissions, invalid host configurations, and certificate issues. Sync logs report those errors that you can resolve.

Sync logs showing error

To view sync logs, click the three vertical dots next to the integration, and select View Sync Logs.

The sync logs display details of synchronization attempts, including timestamps, error types, and diagnostic messages. These logs help identify issues such as authentication failures or configuration problems.

The sync logs detect and display the following categories of sync failures:

  • Expired or invalid Personal Access Tokens (PATs): The PAT used for authentication has expired or is no longer valid. Edit the integration and provide a valid token.
  • Insufficient PAT permissions: The PAT does not have the required scopes, such as repository read access. You must generate and provide a PAT with the correct access.
  • Certificate related access issues: The certificates required to connect to the SCM are invalid, outdated, or untrusted. This error occurs in self-hosted GitLab instances that use custom SSL certificates. Update the certificate configuration or ensure the certificate chain is properly trusted to resolve the issue.
  • Incorrect or invalid host URLs: The configured URL is incorrect or unreachable. Since you cannot edit the host URL, you need to delete and reinstall the integration using the correct URL.

After you resolve the issue, the error is automatically cleared during the next successful scan. You can manually re-trigger the scan using Rescan Org to verify the resolution immediately.

sync logs

The GitLab App scans your repositories every 24 hours. Click Rescan Org to manually trigger a scan outside the 24-hour period.

Click Scan More Repositories to go to Projects, where you can add more projects to scan through the GitLab App.