Skip to main content
See also Best practices for tips on how to optimize queries.

Get list of projects

endorctl api list --resource Project
Add one or more field-masks to limit the fields returned for each object. For example, set the field-mask to meta.name to only get the name and UUID of all projects. The UUID is always returned. 
endorctl api list --resource Project --field-mask meta.name

Get project UUID

The project UUID connects all the objects for a given project. One way to get the project UUID is to extract it from the uuid field in the Project object. For more information, see Resource kinds. 
endorctl api get --resource Project --name <project-name> | jq '.uuid'

Get list of findings for a project

Use the following filter to get a list of findings for a given project: spec.project_uuid==<project-uuid> 
endorctl api list --resource Finding --filter "spec.project_uuid==<project-uuid>"

Get number of findings for a project

Add the --count flag to just get the number of findings. This is much faster than retrieving the objects. 
endorctl api list --resource Finding --filter "spec.project_uuid==<project-uuid>" --count

Get number of findings for a project by severity

Use grouping to get the number of findings by severity. 
endorctl api list --resource Finding \
  --filter "spec.project_uuid==<project-uuid>" \
  --group-aggregation-paths "spec.level"

Get list of findings for reachable functions

Use the following filter to get a list of findings for reachable functions: spec.finding_tags contains FINDING_TAGS_REACHABLE_FUNCTION For a list of all finding attributes, see Finding tags. 
endorctl api list --resource Finding \
  --filter "spec.finding_tags contains FINDING_TAGS_REACHABLE_FUNCTION"

Get list of findings for reachable functions for a project

Combine the previous filters to get a list of findings for reachable functions for a given project: spec.project_uuid==<project-uuid> and spec.finding_tags contains FINDING_TAGS_REACHABLE_FUNCTION 
endorctl api list --resource Finding \
  --filter "spec.project_uuid==<project-uuid> and spec.finding_tags contains FINDING_TAGS_REACHABLE_FUNCTION"

Get list of findings in a category

Use the following filter to get a list of findings in the RSPM category: spec.finding_categories contains FINDING_CATEGORY_SCPM For a list of all finding categories, see Finding categories. 
endorctl api list --resource Finding \
  --filter "spec.finding_categories contains FINDING_CATEGORY_SCPM"

Get list of findings for a vulnerability

Use the following filter to get a list of findings for a given vulnerability, for example "CVE-2024-53677" or "GHSA-43mq-6xmg-29vm": spec.finding_metadata.vulnerability.spec.aliases contains CVE-2024-53677
Note: You can replace the CVE ID in the example with any other vulnerability ID type, such as GHSA, BIT, GO, PYSEC, or OVAL. 
endorctl api list --resource Finding \
  --filter "spec.finding_metadata.vulnerability.spec.aliases contains CVE-2024-53677"

Get list of findings for a code owner

Use the spec.code_owners.owners field to filter findings based on code owner.
Note: Code owners are automatically assigned based on the CodeOwners object for the project, which Endor Labs generates from the CODEOWNERS file in the default branch. For projects without a CODEOWNERS file, manage the CodeOwners object through the API. 
endorctl api list --resource Finding \
  --filter "spec.code_owners.owners contains <owner>" \
  --timeout 100s

Group findings by code owner

Use the spec.code_owners.owners field to group findings based on code owner.
Note: Code owners are automatically assigned based on the CodeOwners object for the project, which Endor Labs generates from the CODEOWNERS file in the default branch. For projects without a CODEOWNERS file, manage the CodeOwners object through the API. 
endorctl api list --resource Finding \
  --group-aggregation-paths "spec.code_owners.owners" \
  --timeout 100s

Get finding snooze history

Endor Labs captures snooze updates as FindingLog objects. 
endorctl api list --resource FindingLog \
  --filter "spec.finding_uuid==<finding-uuid> and spec.operation==OPERATION_UPDATE" \
  --field-mask "meta.create_time,meta.created_by,spec.snooze"

Get Endor Labs scores for an OSS package

  1. Set the namespace to "oss" because the OSS tenant stores data for OSS packages.
  2. Endor Labs stores package version scores in the "package_version_scorecard" Metric object, in the spec.metric_values.scorecard.score_card.category_scores field, so you need to get this Metric object for the given OSS package. For more information, see the Metric resource kind documentation.
  3. To get Metric objects belonging to a given package version, get the UUID of the corresponding PackageVersion object. The PackageVersion object name must be in the format <ecosystem>://<name>@<version>, for example: "mvn://ch.qos.logback:logback-core@1.3.3". For more information, see the PackageVersion resource kind documentation. Once you have the PackageVersion object, use the following jq command to extract the UUID: jq '.list.object[].uuid'
  4. Get the Metric object corresponding to the PackageVersion UUID using the following two filters:
    1. meta.name==package_version_scorecard
    2. meta.parent_uuid==<package-version-uuid>
  5. Use the following jq command to extract just the Endor Labs scores from the Metric object: jq '.list.objects[].spec.metric_values.scorecard.score_card.category_scores' 
# Get the PackageVersion and extract the uuid
UUID=$(endorctl api list \
  --namespace oss \
  --resource PackageVersion \
  --filter "meta.name==mvn://ch.qos.logback:logback-core@1.3.3" \
  | jq '.list.objects[].uuid')

# Get the Metric and extract the Endor Labs scores
endorctl api list \
  --namespace oss \
  --resource Metric \
  --filter "meta.name==package_version_scorecard and meta.parent_uuid==$UUID" \
  | jq '.list.objects[].spec.metric_values.scorecard.score_card.category_scores'
Below is an example response to the request. 
[
  {
    "category": "SCORE_CATEGORY_ACTIVITY",
    "centered_score": 6.956522,
    "description": "Captures the level of activity associated with the repository. Activity information is based on GitHub metadata. Higher levels of activity can mean that the repository is well maintained and will continue to be in the future.",
    "raw_score": 7.0212765,
    "score": 7
  },
  {
    "category": "SCORE_CATEGORY_POPULARITY",
    "centered_score": 8.076923,
    "description": "Captures how popular is the repository. Popularity information is based on GitHub metadata. Popular repositories are more likely to be maintained.",
    "raw_score": 7.368421,
    "score": 9
  },
  {
    "category": "SCORE_CATEGORY_CODE_QUALITY",
    "centered_score": 4.2105265,
    "description": "Provides a view of code quality and adherence to best practices in a repository. This information is based on from both GitHub metadata  and the source code in the repository.",
    "raw_score": 4.848485,
    "score": 4
  },
  {
    "category": "SCORE_CATEGORY_SECURITY",
    "centered_score": 4.7297297,
    "description": "Captures the level of compliance with security best practices as well as vulnerability information for the repository including currently open as well as fixed vulnerabilities.  Analysis only considers vulnerabilities associated with this repository and not its dependencies. Vulnerability information is based on OSV.dev data and Endor's vulnerability database",
    "raw_score": 8.333333,
    "score": 4
  }
]

Get license text from a license finding

  1. Look up a license-related Finding object for a dependency using the following filter: spec.finding_categories contains [FINDING_CATEGORY_LICENSE_RISK] and spec.finding_tags not contains [FINDING_TAGS_SELF]
  2. Get the name of the corresponding PackageVersion object from the spec.target_dependency_package_name field. If we have a list of Finding objects, we can use the following jq command to get the PackageVersion name: jq '.list.objects[].spec.target_dependency_package_name'
  3. Look up the PackageVersion object and store the UUID.
    Note: If this is an OSS dependency we must use the “oss” namespace.
  4. Look up the corresponding pkg_version_info_for_license Metric object using the following filter: meta.name==pkg_version_info_for_license&meta.parent_uuid==$UUID
    Note: The Metric is in the same namespace as the PackageVersion.
  5. Use the following jq command to extract the license text from the Metric object: jq '.list.objects[].spec.metric_values.licenseInfoType.license_info.all_licenses[].matched_text'
For more information, see the Metric resource kind documentation. 
# Get the target dependency PackageVersion name from a license-related finding
NAME=$(endorctl api list --resource Finding \
  --filter "spec.finding_categories contains [FINDING_CATEGORY_LICENSE_RISK] and spec.finding_tags not contains [FINDING_TAGS_SELF]" \
  --page-size 1 \
  | jq '.list.objects[].spec.target_dependency_package_name')

# Get the target dependency PackageVersion uuid
UUID=$(endorctl api list --resource PackageVersion \
  --namespace oss \
  --filter "meta.name==$NAME" \
  | jq '.list.objects[].uuid')

# Get the corresponding pkg_version_info_for_license Metric and extract the license text
endorctl api list --resource Metric \
  --namespace "oss" \
  --filter "meta.name==pkg_version_info_for_license and meta.parent_uuid==$UUID" \
  | jq '.list.objects[].spec.metric_values.licenseInfoType.license_info.all_licenses[].matched_text'

Get list of projects using a tool

  1. Endor Labs stores CI/CD tool metrics in the version_cicd_tools Metric object, in the spec.metric_values.CiCdTools.ci_cd_tools.tools list. Use the following filter to get all such Metrics with entries for the given tool name (GitHub Actions in this example). For more information, see the Metric resource kind documentation. meta.name==version_cicd_tools and spec.metric_values.CiCdTools.ci_cd_tools.tools.name=='GitHub Actions'
  2. Use the following jq command to get the UUIDs of the corresponding Project objects: .list.objects[].spec.project_uuid
  3. Remove duplicate Project UUIDs (a Project can have multiple repository versions).
  4. Use the UUIDs to get the corresponding Project objects. 
# Get list of Project UUIDs
PROJECT_UUIDS=$(endorctl api list --resource Metric \
  --filter "meta.name==version_cicd_tools and spec.metric_values.CiCdTools.ci_cd_tools.tools.name=='GitHub Actions'" \
  | jq -r '.list.objects[].spec.project_uuid')

# Remove duplicate UUIDs
UNIQUE_UUIDS=$(echo $PROJECT_UUIDS | sort | uniq)

# Get Project for each uuid and extract the name
for uuid in $UNIQUE_UUIDS
do
  endorctl api get --resource Project --uuid $uuid | jq '.meta.name'
done
See also List Projects, with Repository Versions and CI/CD Tool Metrics for a Query Service example that retrieves CI/CD tool Metrics for a list of projects.

Get the latest scan result

  1. To get the latest object, first sort the objects in descending order, based on the meta.create_time field: list_parameters.sort.order=SORT_ENTRY_ORDER_DESC&list_parameters.sort.path=meta.create_time
  2. Then, to get only the latest object, set the page size to 1: list_parameters.page_size=1 
endorctl api list --resource ScanResult \
  --sort-order descending \
  --sort-path meta.create_time \
  --page-size=1

Create a policy

The following example uses the Create Policy endpoint to create a new policy. 
endorctl api create --resource Policy \
  --data '{
    "meta": {
      "description": "Disable action policies for CVE-2020-7677",
      "kind": "Policy",
      "name": "Ignore CVE-2020-7677"
    },
    "propagate": true,
    "spec": {
      "exception": {
        "reason": "EXCEPTION_REASON_RISK_ACCEPTED"
      },
      "policy_type": "POLICY_TYPE_EXCEPTION",
      "query_statements": [
        "data.exceptions.match_finding"
      ],
      "resource_kinds": [
        "Finding"
      ],
      "rule": "package exceptions\n\nmatch_finding[result] {\n\tsome i\n  data.resources.Finding[i].spec.finding_metadata.vulnerability.spec.aliases[_] = \"CVE-2020-7677\"\n  result = { \"Endor\" : { \"Finding\" : data.resources.Finding[i].uuid } }\n}"
    },
    "tenant_meta": {
      "namespace": "$ENDOR_NAMESPACE"
    }
  }'

Update a policy to include a project

The following example uses the Update Policy endpoint to apply a policy to a given project by updating the spec.project_selector tag list.
This overrides the existing project_selector list, so you must pass in all the project inclusion tags that you want to keep for this policy along with the new tag.
endorctl api update --resource Policy --uuid <policy-uuid> \
  --field-mask "spec.project_selector" \
  --data '{ "spec" : { "project_selector" : [ "$uuid=<project-uuid>" ] } }'

Update a policy to exclude a project

The following example uses the Update Policy endpoint to exclude a given project from a policy by updating the spec.project_exceptions tag list.
This overrides the existing project_exceptions list, so you must pass in all project exception tags that you want to keep for this policy along with the new tag.
endorctl api update --resource Policy --uuid <policy-uuid> \
  --field-mask "spec.project_exceptions" \
  --data '{ "spec" : { "project_exceptions" : [ "$uuid=<project-uuid>" ] } }'

Update an exception policy to apply custom tags to matching findings

The following example uses the Update Policy endpoint to specify a list of custom tags to apply to findings matching a given exception policy.
This overrides the existing spec.exception.tags list, so you must pass in all tags that you want to keep for this policy along with the new tag.
endorctl api update --resource Policy --uuid <policy-uuid> \
  --field-mask "spec.exception.tags" \
  --data '{ "spec" : { "exception" : { "tags" : [ <tag1>, <tag2> ] } } }'

Upgrade a policy to use the latest template version

The following example uses the Update Policy endpoint to upgrade a given policy to use the latest template version. 
endorctl api update --resource Policy --uuid <policy-uuid> \
  --field-mask "spec.template_version" \
  --data '{ "spec" : { "template_uuid" : "<template-uuid>", "template_version" : "2.0.0" } }'

Delete a policy

The following example uses the Delete Policy endpoint to delete a policy. 
endorctl api delete --resource Policy --uuid <policy-uuid>

Add meta tags to an object

The following example uses the Update Finding endpoint to add custom tags to a finding by updating the meta.tags field.
This overrides the existing meta.tags list, so you must pass in all tags that you want to keep for this object along with the new tag.
endorctl api update --resource Finding --uuid <finding-uuid> \
  --field-mask "meta.tags" \
  --data '{ "meta" : { "tags" : [ "tag1", "tag2", "tag3" ] } }'

Get data from child namespaces

Use the traverse option to include data from child namespaces as well as the parent namespace. 
endorctl api list --resource Project --traverse