
Use the scan command to perform scans against a repository.

Usage

Run the following command to perform a full scan, including reachability analysis, of the open source packages you build in a repository.

endorctl scan

If your project contains multiple programming languages, you can specify them as a comma-separated list using the --languages flag:

endorctl scan --languages=<languages-list>

Provide <languages-list> as a comma-separated list using the supported languages: .

To scan for leaked secrets and monitor all results in the checked-out version of your repository, run the following command.

endorctl scan --secrets
Run the following command to perform a regular scan for leaked secrets including the dependencies.
endorctl scan --secrets --dependencies
Run the following command to scan for leaked secrets in all branches of your repository.
endorctl scan --secrets --git-logs
The above command performs a scan of the repository’s Git logs using the following logic:
  • If endorctl scans the repository’s Git log history for the first time, it performs a full scan
  • endorctl also performs a full rescan if you change any of the rules in the namespace
  • In all other cases, endorctl runs an incremental scan based on the last scan time
If the system invalidates detected secrets and you want to re-validate them, force a full rescan with the following command.

To scan for misconfigurations in a GitHub repository such as https://github.com/endorlabs/app-java-demo, set your SCM token and run the scan with the --github flag.

export ENDOR_SCAN_SCM_TOKEN=<insert-your-scm-token>
endorctl scan --github --repository-http-clone-url=https://github.com/endorlabs/app-java-demo
To run a scan as a test in a pull request, without monitoring the version of your code over time, run the following command.

endorctl scan --pr
To scan workflow files under .github/workflows and discover the Actions used in your pipelines, run the following command.

endorctl scan --ghactions

The command performs regular dependency analysis on your repository. It also discovers GitHub Actions workflows in your CI/CD pipeline and maps them as GitHub Action dependencies in your package. For CI integration options, including the GitHub App and the Endor Labs GitHub Action, see GitHub Actions scanning.

To scan binaries and artifacts, run the following command.

endorctl scan --package --path=<path-to-artifact> --project-name=<project-name>

You must provide the path of your file using --path and specify a name for your project using --project-name.

To scan and discover AI/LLM models in your repository, run the following command.

endorctl scan --ai-models --dependencies

To run a scan in dry-run mode with local scanning and read-only access, run the following command. Dry-run mode does not store scan results for monitoring and is best suited to developers running local scans.

endorctl scan --dependencies --dry-run

You can also use --dry-run with the --secrets or --sast flags. Do not use --dry-run with container scanning.
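The scan variants above differ mainly in which flags are combined for which situation: --pr for a pull-request test scan, --secrets --git-logs for monitoring the whole Git history, --ghactions for discovering pipeline Actions, and --dry-run for a local developer run. The following wrapper script is an added example, not part of the Endor Labs documentation or of endorctl itself; it composes the endorctl scan argument list for one of those three situations and checks that ENDOR_SCAN_SCM_TOKEN is present before a --github scan, without ever printing the token. Only the flag names and the ENDOR_SCAN_SCM_TOKEN variable come from this page; the mode names and function names are the example's own.

```shell
#!/bin/sh
# Added example (not Endor Labs' own tooling): compose an endorctl scan
# invocation from a scan mode. endorctl flag names are the documented ones;
# the modes and function names below are this example's own conventions.

# Compose the argument list for one of three modes:
#   pr       - test scan in a pull request, results not monitored (--pr)
#   monitor  - scan of the checked-out branch plus the Git log history of all
#              branches for secrets, and discovery of GitHub Actions workflows
#   local    - developer dry run, nothing stored for monitoring (--dry-run;
#              used here only with --dependencies and --secrets, which the
#              page permits, never with container scanning)
# $2 is an optional comma-separated language list passed to --languages.
build_scan_args() {
  mode="$1"
  languages="${2:-}"
  args="scan --dependencies --secrets"
  [ -n "$languages" ] && args="$args --languages=$languages"
  case "$mode" in
    pr)      args="$args --pr" ;;
    monitor) args="$args --git-logs --ghactions" ;;
    local)   args="$args --dry-run" ;;
    *)       echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  printf '%s\n' "$args"
}

# A --github misconfiguration scan needs ENDOR_SCAN_SCM_TOKEN. Verify that it
# is set without echoing its value, so the secret never lands in CI logs.
require_scm_token() {
  if [ -z "${ENDOR_SCAN_SCM_TOKEN:-}" ]; then
    echo "ENDOR_SCAN_SCM_TOKEN is not set; export it before a --github scan" >&2
    return 1
  fi
  return 0
}

# Run endorctl when it is installed; otherwise show the command that would run.
run_scan() {
  scan_args=$(build_scan_args "$@") || return $?
  if command -v endorctl >/dev/null 2>&1; then
    # Word splitting of $scan_args is intentional: it is the argument list.
    endorctl $scan_args
  else
    echo "endorctl not found; would run: endorctl $scan_args"
  fi
}

# Usage: sh scan_wrapper.sh <pr|monitor|local> [languages]
if [ $# -gt 0 ]; then
  run_scan "$@"
fi
```

In a GitHub Actions job the mode would typically be chosen from the event type (pull_request versus a push to the default branch), so that PR builds never create monitored versions and the default branch always gets the full Git-log secrets scan.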

Options

The command endorctl scan uses the following flags and environment variables:

Bazel flags

Pull request (CI) flags

GitHub configuration flags

Call graph flags

Policy flags

Secrets scan flags

SAST scan flags

Sandbox flags

Miscellaneous flags