Use the scan command to perform scans against a repository.

Usage

Run the following command to perform a full scan including reachability analysis for the open source packages you build in a repository.
endorctl scan
If your project contains multiple programming languages, you can specify them as a comma-separated list using the --languages flag:
endorctl scan --languages=<languages-list>

Provide <languages-list> as a comma-separated list drawn from the supported languages.

Run the following command to scan for leaked secrets and monitor all results in the checked-out version of your repository.
endorctl scan --secrets
Run the following command to perform a regular scan for leaked secrets including the dependencies.
endorctl scan --secrets --dependencies
Run the following command to scan for leaked secrets in all branches of your repository.
endorctl scan --secrets --git-logs
The above command scans the repository's Git logs using the following logic:
  • If endorctl scans the repository’s Git log history for the first time, it performs a full scan
  • endorctl also performs a full rescan if you change any of the rules in the namespace
  • In all other cases, endorctl runs an incremental scan based on the last scan time
If the system invalidates detected secrets and you want to re-validate them, force a full rescan with the following command.

To scan for misconfigurations in a GitHub repository such as https://github.com/endorlabs/app-java-demo, set your SCM token and run the following commands.
export ENDOR_SCAN_SCM_TOKEN=<insert-your-scm-token>
endorctl scan --github --repository-http-clone-url=https://github.com/endorlabs/app-java-demo
To run a scan as a test in a pull request, without monitoring that version of your code over time, run the following command.
endorctl scan --pr
To scan and discover GitHub Actions workflows in your CI/CD pipeline, run the following command.
endorctl scan --ghactions
The command performs the regular dependency analysis on your repository. It also discovers GitHub Actions workflows in your CI/CD pipeline and maps them as GitHub Actions dependencies of your package.

To scan binaries and artifacts, run the following command.
endorctl scan --package --path=<path-to-file> --project-name=<project-name>
Provide the path of your file with --path and a name for your project with --project-name.

To scan and discover AI/LLM models in your repository, run the following command.
endorctl scan --ai-models --dependencies
To run a scan in dry-run mode with local scanning and read-only access, run the following command. Dry-run mode does not store scan results for monitoring and is best suited to developers running local scans.
endorctl scan --dependencies --dry-run
You can also combine --dry-run with the --secrets or --sast flags. Do not use --dry-run with container scanning.
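As an added example (not from the endorctl documentation or the endorctl project), a POSIX shell wrapper that maps the CI context onto the scan modes documented above: a read-only dry run on a developer machine, `--pr` for pull requests, and a monitored full scan plus a Git-log secrets scan on the default branch. It assumes the GitHub Actions variables GITHUB_EVENT_NAME and GITHUB_REF_NAME; DEFAULT_BRANCH, ENDOR_LANGUAGES and SCAN_CONTEXT are variables constructed for this example.

```shell
#!/bin/sh
# Added example, not part of endorctl. Prints one endorctl argument line per
# scan to run for the given context.
#   $1 = CI event ("pull_request" or "push"), $2 = current branch,
#   $3 = default branch, $4 = comma-separated languages (may be empty),
#   $5 = "local" on a developer machine, anything else in CI
endor_scan_args() {
    event="$1"; branch="$2"; default_branch="$3"; languages="$4"; where="$5"
    base="scan"
    if [ -n "$languages" ]; then
        base="$base --languages=$languages"
    fi
    if [ "$where" = "local" ]; then
        # Developer machine: read-only dry run, nothing is stored for monitoring.
        printf '%s\n' "$base --dependencies --dry-run"
    elif [ "$event" = "pull_request" ]; then
        # PR check: test the change without monitoring this version over time.
        printf '%s\n' "$base --pr"
    elif [ "$branch" = "$default_branch" ]; then
        # Default branch: full monitored scan with reachability analysis, then
        # a secrets scan over all branches' Git history (incremental after the
        # first run unless rules changed).
        printf '%s\n' "$base"
        printf '%s\n' "$base --secrets --git-logs"
    else
        # Other branch pushes: monitored dependency scan only.
        printf '%s\n' "$base --dependencies"
    fi
}

# Run each scan line when endorctl is installed; otherwise report what would run.
# Assumes ENDOR_SCAN_SCM_TOKEN and any other credentials are already exported.
run_scan() {
    endor_scan_args "${GITHUB_EVENT_NAME:-push}" "${GITHUB_REF_NAME:-}" \
        "${DEFAULT_BRANCH:-main}" "${ENDOR_LANGUAGES:-}" "${SCAN_CONTEXT:-ci}" |
    while IFS= read -r args; do
        if command -v endorctl >/dev/null 2>&1; then
            # shellcheck disable=SC2086  # splitting the flag list is intended
            endorctl $args || return 1
        else
            echo "endorctl not found; would run: endorctl $args" >&2
        fi
    done
}
```

Call `run_scan` from the CI job step after exporting ENDOR_SCAN_SCM_TOKEN; set SCAN_CONTEXT=local when invoking it on a developer machine.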

Options

The command endorctl scan uses the following flags and environment variables:

Bazel flags

Pull request (CI) flags

GitHub configuration flags

Call graph flags

Policy flags

Secrets scan flags

SAST scan flags

Sandbox flags

Miscellaneous flags