This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Endor Labs CLI

endorctl is a command line utility designed to bring the functionality of Endor Labs into your software delivery workflows. It allows you to scan and monitor your projects, import and export SBOMs, and interact with the API.

1 - Install and configure endorctl

Learn how to install, configure, and authenticate with Endor Labs

Perform software composition analysis, dependency management, or detect secrets in your code using Endor Labs.

Download and install endorctl

Use one of the following methods to download and install endorctl on your local system. After you install endorctl, you must authenticate. Then you can start scanning your code.

Install endorctl with Homebrew

Use Homebrew to efficiently install endorctl on macOS and Linux operating systems making it easy to manage dependencies, and track installed packages with their versions.

Install endorctl from the Endor Labs tap with Homebrew by running the following commands. The tap is updated regularly with the latest endorctl release.

brew tap endorlabs/tap
brew install endorctl

Install endorctl with npm

Use npm to efficiently install endorctl on macOS, Linux, and Windows operating systems making it easy to manage dependencies, track and update installed packages and their versions.

Make sure that you have npm installed in your local environment and use the following command to install endorctl using npm.

npm install -g endorctl

endorctl is available as an npm package and is updated regularly with the latest endorctl release.

Download and install the endorctl binary directly

To download the endorctl binary directly use the following commands:


## Download the latest CLI for Linux amd64
curl https://api.endorlabs.com/download/latest/endorctl_linux_amd64 -o endorctl

## Verify the checksum of the binary
echo "$(curl -s https://api.endorlabs.com/sha/latest/endorctl_linux_amd64)  endorctl" | sha256sum -c

## Modify the permissions of the binary to ensure it is executable
chmod +x ./endorctl

## Create an alias endorctl of the binary to ensure it is available in other directory
alias endorctl="$PWD/endorctl"


### Download the latest CLI for MacOS ARM64
curl https://api.endorlabs.com/download/latest/endorctl_macos_arm64 -o endorctl

### Verify the checksum of the binary
echo "$(curl -s https://api.endorlabs.com/sha/latest/endorctl_macos_arm64)  endorctl" | shasum -a 256 -c

### Modify the permissions of the binary to ensure it is executable
chmod +x ./endorctl

### Create an alias endorctl of the binary to ensure it is available in other directory
alias endorctl="$PWD/endorctl"


### Download the latest CLI for MacOS AMD64
curl https://api.endorlabs.com/download/latest/endorctl_macos_amd64 -o endorctl

### Verify the checksum of the binary
echo "$(curl -s https://api.endorlabs.com/sha/latest/endorctl_macos_amd64)  endorctl" | shasum -a 256 -c

### Modify the permissions of the binary to ensure it is executable
chmod +x ./endorctl

### Create an alias endorctl of the binary to ensure it is available in other directory
alias endorctl="$PWD/endorctl"

## Download the latest CLI for Windows amd64
curl -O https://api.endorlabs.com/download/latest/endorctl_windows_amd64.exe
## Check the expected checksum of the binary file
curl https://api.endorlabs.com/sha/latest/endorctl_windows_amd64.exe
## Verify the expected checksum and the actual checksum of the binary match
certutil -hashfile .\endorctl_windows_amd64.exe SHA256
## Rename the binary file
ren endorctl_windows_amd64.exe endorctl.exe

You can also view these instructions via the Endor Labs application user interface:

  1. Sign in to Endor Labs.
  2. Navigate to the Projects list
  3. Select Add Project
  4. Choose CLI
  5. Follow the on-screen instructions to download and install the appropriate version and architecture of endorctl for your system.

You can download all versions from endorctl versions. To install endorctl you must select the appropriate version and architecture for your machine.

Authenticate to Endor Labs

Users can authenticate to Endor Labs several ways:

  1. Using the init command
  2. With an API token

Login with the init command

To login with your supported authentication provider:

endorctl init --auth-mode=google

endorctl init --auth-mode=github

endorctl init --auth-mode=gitlab

endorctl init --auth-email=<insert_email_address>

endorctl init --auth-mode=sso --auth-tenant=<insert-your-tenant>

To login with your supported authentication provider in environments without a browser you can use headless mode:

endorctl init --auth-mode=google --headless-mode

endorctl init --auth-mode=github --headless-mode

endorctl init --auth-mode=gitlab --headless-mode

endorctl init --auth-email=<insert_email_address> --headless-mode

endorctl init --auth-mode=sso --auth-tenant=<insert-your-tenant> --headless-mode

Login with an API Key

To login with an API key you’ll need to set several environment variables:

  • ENDOR_API_CREDENTIALS_KEY - The API key used to authenticate against the Endor Labs API.
  • ENDOR_API_CREDENTIALS_SECRET - The API key secret used to authenticate against the Endor Labs API.
  • ENDOR_NAMESPACE - The Endor Labs namespace you would like to scan against. You can locate the namespace from the top left hand corner of the screen under the Endor Labs logo on the Endor Labs application.

To get an API Key and secret for use with endorctl, see Managing API Keys.

To set your environment variables run the following commands and replace each example with the appropriate value:

export ENDOR_API_CREDENTIALS_KEY=<example-api-key>
export ENDOR_API_CREDENTIALS_SECRET=<example-api-key-secret>
export ENDOR_NAMESPACE=<example-tenant-namespace>

Once you’ve exported your environment variables you can test successful authentication by running the following command to list projects in your namespace:

endorctl api list -r Project --page-size=1

Once you have successfully initialized endorctl, you can print your access token with the following command:

endorctl auth --print-access-token

The token has an expiration time of 4 hours.

Persistently set environment variables for endorctl

To persistently set an environment variable, append the environment variable and the value to ~/.endorctl/config.yaml. This configuration file is for CLI usage.

For example, if your GitHub Enterprise Server URL was https://api.github.com you can set the variable to persist in your configuration using the following command:

echo ENDOR_SCAN_SOURCE_GITHUB_API_URL=https://api.github.com >> ~/.endorctl/config.yaml

See endorctl commands for all supported commands and environment variables.

2 - Commands

Learn more about the available endorctl commands

2.1 - api

Use the api command to interact with the Endor Labs API

The endorctl api command allows you to interact with the Endor Labs API directly through the command line interface.

Usage

The syntax of the endorctl api command is:

endorctl api [subcommand] [flags]

The following subcommands are supported:

  • create creates a specified object in a namespace.
  • delete deletes a specified object in a namespace.
  • get gets a specified object in a namespace.
  • list lists a specified group of objects in a namespace.
  • update updates a specified object in a namespace.

Flags and variables

The following flags are supported for all endorctl api subcommands, unless specified otherwise:

Flag Environment Variable Description
data ENDOR_API_DATA Define the object you want to create or update in json format.
field-mask ENDOR_API_FIELD_MASK Specify a list of fields to return or update.
filter ENDOR_API_FILTER Specify the query parameters for a list command.
header ENDOR_API_HEADER Specify request header information in the following format: key:value
interactive ENDOR_API_INTERACTIVE Create or update an object interactively. Requires the environment variable EDITOR to be set (e.g. export EDITOR=vim).
name ENDOR_API_NAME Specify the name of the resource that you want to interact with.
output-type ENDOR_API_OUTPUT_TYPE Specify the output format of the response. The default output type is json, but can also be set to yaml or table.
resource ENDOR_API_RESOURCE Specify the resource type that you want to interact with. See commonly used resource types below for a list of supported resource types.
timeout ENDOR_API_TIMEOUT Specify the timeout limit for the command. The default is 30s, but larger and/or more complicated requests may require more time (resulting in a “context deadline exceeded” error).
uuid ENDOR_API_UUID Specify the UUID of the resource that you want to interact with.

Commonly used resource types

The following table lists resource types that are commonly used in the API. See the API documentation to get a full list of resource types.

Resource Kind Description
Project A project represents a configuration for ingesting source control repositories. List all projects by calling endorctl api list -r Project.
Repository A repository represents information about a source control repository where source code is hosted. List all repositories for a project by filtering on meta.parent_uuid==<uuid>.
RepositoryVersion A repository version represents information about a specific version of code in source control, such as commit SHAs, tags or branches. List all repository versions for a project by filtering on meta.parent_uuid==<uuid>.
PackageVersion A package version represents information about a named version of a package. List all package versions for a project by filtering on spec.project_uuid==<uuid>.
DependencyMetadata A dependency metadata object represents the relationship between the root package version (importer) and a given dependency. List all dependency metadata objects for a project by filtering on spec.importer_data.project_uuid==<uuid>.
Metric A metric object contains the output of a given analytic. List all metric objects for a project by filtering on spec.project_uuid==<uuid>.
Finding A finding represents a result of an evaluation method used to evaluate code against a rule. List all findings for a project by filtering on spec.project_uuid==<uuid>.
ScanResult A scan result contains metadata about a particular scan (configuration, results etc.). List all scan results for a project by filtering on meta.parent_uuid==<uuid>.
AuthorizationPolicy An authorization policy represents a policy for access control. List all authorization policies by calling endorctl api list -r AuthorizationPolicy.

Example

Use the --filter flag to customize your query and the --field-mask flag to limit the fields returned. For example, run the following command to list the description and the target dependency name for all findings in a given project:

endorctl api list --resource Finding \
    --filter "spec.project_uuid==<uuid>" \
    --field-mask "meta.description,spec.target_dependency_package_name"

Useful API commands

  • List all package versions at a given source code git reference:
endorctl api list --resource "PackageVersion" \
    --output-type "yaml" \
    --filter "spec.project_uuid==<uuid> and spec.source_code_reference.version.ref==<git-reference>"
  • Get a specific package version:
endorctl api get --resource "PackageVersion" --name "<ecosystem>://<name>@<version>"
  • Get a count of the number of projects hosted in your Endor Labs tenant:
endorctl api list --resource Project --count
  • Get a count of the number of projects hosted in your Endor Labs tenant:
endorctl api list --resource Project --count | jq -r '.count_response.count'
  • List all of the direct dependencies of a specific package given its UUID.
endorctl api list --resource DependencyMetadata \
    --filter "spec.importer_data.package_version_uuid==<uuid> and spec.dependency_data.direct==true"

2.1.1 - create

Use the create command to create a specified resource through the API

Usage

The endorctl api create command creates an object of a specified resource type.

endorctl api create -r [resource] [flags]

Examples

To create a package manager integration that uses the repository https://example.replaceme.com for dependency resolution in Python with the top priority for dependency resolution use the following command:

endorctl api create -r PackageManager \
    --data '{"meta":{"name":"pypi PackageManager"},"spec":{"pypi":{"url":"https://example.replaceme.com ","priority":0}}}'

2.1.2 - delete

Use the delete command to delete a specified resource through the API

Usage

The endorctl api delete command deletes a given object of a specified resource type.

endorctl api delete -r [resource] [flags]

Examples

Use the following command to delete the project with UUID ‘62aa1cfadfa47d9ccb754d22’ that is no longer needed.

endorctl api delete -r Project --uuid 62aa1cfadfa47d9ccb754d22

2.1.3 - get

Use the get command to retrieve a specified resource through the API

Usage

The endorctl api get command retrieves a given object of a specified resource type.

endorctl api get -r [resource] [flags]

Examples

To get a specific project by its UUID:

endorctl api get -r Project --uuid <uuid>

2.1.4 - list

Use the list command to retrieve a filtered or unfiltered list of a specified resource through the API

Usage

The endorctl api list command lists all objects of a specified resource type, based on the specified filters, field-masks and/or other options.

endorctl api list -r [resource] [flags]

Flags and variables

The endorctl api list command supports the following additional flags and environment variables:

Flag Environment Variable Description
count ENDOR_API_COUNT Get the number of items in the list.
group-aggregation-paths ENDOR_API_GROUP_AGGREGATION_PATHS Specify one or more fields to group resources by.
group-show-aggregation-uuids ENDOR_API_GROUP_SHOW_AGGREGATION_UUIDS Get the uuids of the resources in each group as specified by --group-aggregation-paths.
group-unique-count-paths ENDOR_API_GROUP_UNIQUE_COUNT_PATHS Count the number of unique values, for these fields, in the group.
group-unique-value-paths ENDOR_API_GROUP_UNIQUE_VALUE_PATHS Get the unique values, for these fields, in the group.
list-all ENDOR_API_LIST_ALL List all resources (use -t/--timeout to increase timeout for big queries).
page-size ENDOR_API_PAGE_SIZE Set the page size to limit the number of results returned (default 100).
page-token ENDOR_API_PAGE_TOKEN Set the page token to start from.
pr-uuid ENDOR_API_PR_UUID Only list resources from a specific PR scan.
traverse ENDOR_API_TRAVERSE Get data from any child namespaces as well.

Filtering

The following operators are supported for filters:

  • == - Matches objects where a specified filter criteria is equal.
  • != - Matches objects where a specified filter criteria is NOT equal.
  • < - Matches objects where a specified filter criteria less than a specified value.
  • <= - Matches objects where a specified filter criteria less than or equal to a specified value.
  • > - Matches objects where a specified filter criteria greater than to a specified value.
  • contains - Matches objects where a specified filter contains a value in an array.
  • matches - Matches objects that match an exact or specified regex pattern.
  • exists - Matches objects where a specified field in a json payload exists.

Examples

Return a list of all projects in the namespace:

endorctl api list -r Project

List all projects in the namespace and only return the name of each project:

endorctl api list -r Project --list-all --field-mask meta.name

Return a count of findings associated with the default branch:

endorctl api list -r Finding --filter 'context.type==CONTEXT_TYPE_MAIN' --count

Return a count of unique vulnerabilities found in non-test dependencies where there is an upstream patch available and the function associated with the vulnerability is reachable in the context of the application:

endorctl api list -r Finding \
    --filter 'context.type==CONTEXT_TYPE_MAIN and spec.finding_categories contains [FINDING_CATEGORY_VULNERABILITY] and spec.finding_tags contains [FINDING_TAGS_NORMAL] and spec.finding_tags contains [FINDING_TAGS_REACHABLE_FUNCTION] and spec.finding_tags contains [FINDING_TAGS_FIX_AVAILABLE]' \
    --group-aggregation-paths 'spec.finding_metadata.vulnerability.meta.name'

Return the count of the number of scans run on the default branch since a given point in time:

endorctl api list -r ScanResult -f "context.id==default and meta.create_time >= date(2023-11-14)" --count

2.1.5 - update

Use the update command to update an API object.

Usage

endorctl api update -r [resource] [flags]

Interactive Mode

  • Use --interactive or -i to update an object with an interactive code editor.
    • Define your editor using export EDITOR=<editor> where the editor is defined as the command used to edit files. For example, export EDITOR=vi allows you to edit in vi and export EDITOR=code opens the file with the code command in VScode.

Examples

To interactively update a project with the UUID of 6549886f0dd828140b4a477b:

endorctl api update -r Project -i --uuid 6549886f0dd828140b4a477b

To add a tag “CrownJewel” to a project named https://github.com/endorlabs/github-action use the following command:

endorctl api update -r Project \
  --name https://github.com/endorlabs/github-action \
  --data "{ \"meta\": {\"tags\": [ \"CrownJewel\" ] }}" \
  --field-mask 'meta.tags'

2.2 - artifact sign

Use the artifact sign command to sign container images and build artifacts in the CI pipeline.

Use the artifact [ sign \| verify ] command to sign and verify container images and other build artifacts.

Usage

To sign an artifact, use the following command:

endorctl artifact sign --name <artifact> --source-repository-ref <ref> --certificate-oidc-issuer <issuer>

To verify a signed artifact, use the following command:

endorctl verify --name <artifact> --certificate-oidc-issuer <issuer>`

To revoke a signature, use the following command:

endorctl artifact revoke-signature --name <artifact> --source-repository-ref <ref>

Options

You can use the following flags and environment variables:

For endorctl artifact sign

Flags Environment Variables Description
--name string ENDOR_ARTIFACT_NAME Name of the artifact. For example, ghcr.io/org/image@sha256:digest.
--build-config-digest string ENDOR_ARTIFACT_BUILD_CONFIG_DIGEST Specific version of top-level/initiating build instructions. For example, workflow sha.
--build-config-name ENDOR_ARTIFACT_BUILD_CONFIG_NAME Name of top-level/initiating build instructions. For example, workflow.
--certificate-oidc-issuer ENDOR_ARTIFACT_CERTIFICATE_OIDC_ISSUER Name of the OIDC issuer present in a valid certificate.
--certificate-identity ENDOR_ARTIFACT_CERTIFICATE_IDENTITY Name of the identity present in a valid certificate.
--runner-environment string ENDOR_ARTIFACT_RUNNER_ENVIRONMENT Name of platform-hosted or self-hosted infrastructure. For example, self-hosted.
--source-repository string ENDOR_ARTIFACT_SOURCE_REPOSITORY Source repository that the build was based upon. For example, org/repo.
--source-repository-digest string ENDOR_ARTIFACT_SOURCE_REPOSITORY_DIGEST Specific version of the source code that the build was based upon. For example, commit sha.
--source-repository-owner string ENDOR_ARTIFACT_SOURCE_REPOSITORY_OWNER Owner of the source repository that the build was based upon. For example, my-org.
--source-repository-ref string (mandatory) ENDOR_ARTIFACT_SOURCE_REPOSITORY_REF Source repository ref that the build run was based upon.

For endorctl artifact verify

Flags Environment Variables Description
--name <name> ENDOR_ARTIFACT_NAME The name of the artifact to verify.
--certificate-oidc-issuer <issuer> ENDOR_ARTIFACT_CERTIFICATE_OIDC_ISSUER The issuer of the OIDC certificate used for verification.

For endorctl artifact [revoke-signature ]

Flags Environment Variables Description
--name string ENDOR_ARTIFACT_NAME The name of the artifact whose signature needs to be revoked.
--source-repository-ref string (mandatory) ENDOR_ARTIFACT_SOURCE_REPOSITORY_REF Reference to the source repository of the artifact.

2.3 - completion

Use the completion command to get a command completion script for a specified command shell

The completion command for endorctl outputs a completion script that may be added to your local environment. Once run this script will enable tab autocompletion for endorctl.

Supported command completion environments are zsh, powershell, bash and fish.

Command completion for zsh shells

To enable command completion for a MacOS based zsh environment:

echo "source $(endorctl completion zsh)" >> ~/.zshrc
source ~/.zshrc

You will need to start a new shell for this setup to take effect.

Command completion for bash shells

To enable command completion for a Linux bash based shell:

echo "source $(endorctl completion zsh)" >> ~/.bashrc
source ~/.bashrc

You will need to start a new shell for this setup to take effect.

Command completion for Powershell

To load completions in your current shell session:

endorctl completion powershell | Out-String | Invoke-Expression

To load completions for every new session, add the output of the above command to your powershell profile.

Command completion for Fish shells

To load completions in your current shell session:

endorctl completion fish | source

To load completions for every new session, execute once:

endorctl completion fish > ~/.config/fish/completions/endorctl.fish

You will need to start a new shell for this setup to take effect.

Usage

There are no flags that apply to endorctl completion.

2.4 - help

Use the help command to get command help for endorctl.

The help command lists all available commands for endorctl scan.

Examples

endorctl help

Usage

endorctl help
Endorctl is a command-line tool that allows you to scan and monitor your projects, import and export SBOMs, and interact with the API. Using endorctl you can connect to your Endor Labs tenant and integrate it into your CI pipeline.

Usage:
  endorctl [flags]
  endorctl [command]

Available Commands:
  api         Interact with the Endor Labs API
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  host-check  Validate host machine environment and configuration
  init        Initialize or reinitialize endorctl
  recommend   Recommendations for dependency maintenance
  sbom        SBOM operations
  scan        Scan a source code repository
  sync-org    Sync GitHub repositories for a specified organization
  validate    Validate a policy

Flags:
  -a, --api string                   Set the API URL for the Endor Labs Application (default "https://api.endorlabs.com")
      --api-key string               Set the API key used to authenticate with Endor Labs
      --api-secret string            Set the secret corresponding to the API key used to authenticate with Endor Labs
      --aws-role-arn string          Set the target role ARN for AWS based authentication. AWS authentication is only enabled if this flag is set
      --bypass-host-check            Bypass the check that verifies that the host machine is correctly setup to use endorctl
      --config-path string           Set the local filesystem path to the endor config directory containing your endor environment variables
      --enable-github-action-token   Enable keyless authentication using Github action OIDC tokens
      --gcp-service-account string   Set the target service account for GCP based authentication. GCP authentication is only enabled if this flag is set
  -h, --help                         help for endorctl
      --log-level string             Set the log level (default "info")
  -n, --namespace string             Set to the namespace of the project that you are working with
      --pre-commit-checks            Perform Git pre-commit checks on the changeset about to be committed
      --token string                 Set the authentication token used to authenticate with Endor Labs
      --verbose                      Enable verbose logging
  -v, --version                      version for endorctl

Use "endorctl [command] --help" for more information about a command.

2.5 - host-check

Use the host check command to verifiy if your system is appropriately setup to perform a scan.

The command endorctl host-check allows you to quickly verify if your system is setup with the appropriate tools to perform a successful scan.

Usage

To verify that your local host is appropriately configured to scan a given repository:

  1. Clone the repository you’d like to verify system setup for. The following instructions should be updated to the repository of your selection.
git clone https://github.com/endorlabs/app-java-demo.git
  1. Navigate to the root of the repository you’ve cloned:
cd ./app-java-demo
  1. Run the host check command:
endorctl host-check

To verify that your local host is appropriately configured with AI reccomendations on how to address any issues perform the following procedure and add the --droid-gpt flag to the host check command:

endorctl host-check --droid-gpt

Options

The endorctl host-check command uses the following flags and environment variables:

Flag Environment Variable Description
auth-check-only ENDOR_HOST_CHECK_AUTH_CHECK_ONLY Validate authentication credentials only.
droid-gpt ENDOR_HOST_CHECK_DROID_GPT Use DroidGPT to generate remediation advice.
path ENDOR_HOST_CHECK_PATH Set the path to the repository to scan on the local filesystem. Example: --path=/Users/endorlabs/github/myrepo.

2.6 - init

Use the init command to authenticate to Endor Labs from a workstation with an external identity provider.

The command endorctl init allows you to quickly authenticate your client to Endor Labs using an external identity provider.

Supported authentication providers for endorctl init are:

  • google - Used to create an API key and API key secret when you sign in with Google Workspaces as your external identity provider.
  • github - Used to create an API key and API key secret when you sign in with GitHub Cloud as your external identity provider.
  • gitlab - Used to create an API key and API key secret when you sign in with GitLab Cloud as your external identity provider.
  • email - Used to create an API key and API key secret when you sign in with an email lin.
  • sso - Used to sign in with a Custom Enterprise Identity Provider, such as Okta.

Usage

To login with your supported authentication provider:

endorctl init --auth-mode=google

endorctl init --auth-mode=github

endorctl init --auth-mode=gitlab

endorctl init --auth-email=<insert_email_address>

endorctl init --auth-mode=sso --auth-tenant=<insert-your-tenant>

To login with your supported authentication provider in environments without a browser you can use headless mode:

endorctl init --auth-mode=google --headless-mode

endorctl init --auth-mode=github --headless-mode

endorctl init --auth-mode=gitlab --headless-mode

endorctl init --auth-email=<insert_email_address> --headless-mode

endorctl init --auth-mode=sso --auth-tenant=<insert-your-tenant> --headless-mode

Once you’ve issued the command in headless mode please navigate to an internet/browser accessible computer and follow the instructions provided in your terminal.

Options

The following flags and environment variables are available for the init command.

Flag Environment Variable Description
auth-mode ENDOR_INIT_AUTH_MODE Set authentication method for the initialization process (github, google, gitlab, or azureadv2).
headless-mode ENDOR_INIT_HEADLESS_MODE Run authentication and initialization without opening your browser.

2.7 - sbom

Use the sbom command to import or export SBOMs to or from Endor Labs

The endorctl sbom command allows you to import or export SBOMs to or from Endor Labs.

Usage

The syntax of endorctl sbom is as follows:

endorctl sbom [subcommand] [flags]

The following subcommands are supported as part of endorctl api:

  • endorctl sbom import imports an SBOM to be managed by Endor Labs.
  • endorctl sbom export allows you to export an SBOM from Endor Labs.

Options

Flag Environment Variable Description
format ENDOR_SBOM_FORMAT Set the SBOM format (cyclonedx, or SPDX) (default cyclonedx)

2.7.1 - export

Use the sbom export command to export an SBOM for a software package from Endor Labs.

The sbom export command allows you to export an SBOM for a specified package from Endor Labs.

Usage

To export an SBOM for a specified package version named “go://github.com/Dreamacro/clash@master” in Endor Labs.

endorctl sbom export --package-version-name=go://github.com/Dreamacro/clash@master

To export an SBOM for a specified package version given its UUID with the UUID of “653c625cd44ec559e19349dc” to a file called “sbom.json”

endorctl sbom export --package-version-uuid=653c625cd44ec559e19349dc >> sbom.json

Options

Flag Environment Variable Description
component-type ENDOR_SBOM_COMPONENT_TYPE Set the SBOM component type (application, or library). (default application)
output-format ENDOR_SBOM_OUTPUT_FORMAT Set the SBOM format (json, or xml) (default json).
package-version-name ENDOR_SBOM_PACKAGE_VERSION_NAME Name of the package version to create an SBOM for.
package-version-uuid ENDOR_SBOM_PACKAGE_VERSION_UUID UUID of the package version to create an SBOM for.
timeout ENDOR_SBOM_TIMEOUT Set the timeout for the SBOM generation (default 30s).
with-vex ENDOR_SBOM_WITH_VEX Also generate the corresponding VEX document.

2.7.2 - import

Use the SBOM import command to import SBOMs to Endor Labs

The sbom import command allows you to import SBOMs to Endor Labs to track your third party risk.

Usage

To import an SBOM to Endor Labs use the following command:

endorctl sbom import --sbom-file-path=/path/to/your/sbom.json

endorctl sbom import --format=spdx --sbom-file-path=/path/to/your/sbom.json

Options

Flag Environment Variable Description
format ENDOR_SBOM_FORMAT Set the SBOM format (cyclonedx, or SPDX) (default cyclonedx)
sbom-file-path ENDOR_SBOM_FILE_PATH Set the file path to the SBOM to import.

2.8 - scan

Use the scan command to perform endorctl scan.

Use the scan command to perform scans against a repository.

Usage

To perform a full scan including reachability analysis for the open source software of the packages you build in a repository and monitor the checked out version of your code run the command:

endorctl scan

To scan leaked secrets and monitor all results in the checked out version of your repository:

endorctl scan --secrets

To scan for leaked secrets in all branches of your repository use the command:

endorctl scan --secrets --git-logs

To scan for misconfigurations in a GitHub repository (i.e https://github.com/endorlabs/app-java-demo):

export GITHUB_TOKEN=<insert-your-github-token>
endorctl scan --github --repository-http-clone-url=https://github.com/endorlabs/app-java-demo

To scan for CI/CD tools run the following command:

export GITHUB_TOKEN=<insert-your-github-token-with-read:org-access>
endorctl scan --tools --github

To include GitHub application data you must also set the --github flag and provide a GitHub token with read:org access.

To run a scan as a test in a pull request without monitoring the version of your code over time run the command:

endorctl scan --pr

To scan and discover GitHub action workflows (Beta) in your ci-cd pipeline run the command:

endorctl scan --ghactions

Along with performing the regular dependency analysis on your repository, it discovers the GitHub actions configured in your CI/CD pipeline and maps them as GitHub action dependencies in your package.

To scan binaries and artifacts run the following command:

endorctl scan --package --path --project-name

You must provide the path of your file using --path and specify a name for your project using --project-name.

Options

The command endorctl scan uses the following flags and environment variables:

Flag Environment Variable Description
as-default-branch ENDOR_SCAN_AS_DEFAULT_BRANCH Set this as the default branch.
bazel-exclude-targets ENDOR_SCAN_BAZEL_EXCLUDE_TARGETS Set this variable to exclude a list of Bazel targets included in a provided Bazel query.
bazel-include-targets ENDOR_SCAN_AS_INCLUDE_TARGETS Set this variable to perform a scan on a list of targets using Bazel. Only the specified list of targets are scanned. If you do not specify bazel-include-targets, you must use identify targets using bazel-targets-query. If you specify targets, then the results from bazel-targets-query are ignored.
bazel-targets-query ENDOR_SCAN_BAZEL_TARGETS Set this variable to query for a list of Bazel targets to include in a scan.
bazel-workspace-path ENDOR_SCAN_BAZEL_WORKSPACE_PATH Set this variable to specify the path of the Bazel workspace.
build ENDOR_SCAN_BUILD Enable the scan to build the project if needed.
call-graph-languages ENDOR_SCAN_CALLGRAPH_LANGUAGES Set programming languages for call graph generation (go, java, python, rust) (default [go,java,python,rust]).
dependencies ENDOR_SCAN_DEPENDENCIES Scan git commits and generate findings for all dependencies.
detached-ref-name ENDOR_SCAN_DETACHED_REF_NAME Set the name of the git reference to a user-provided name. Example: --detached-ref-name="$CI_DEFAULT_BRANCH". Use with CI environments that checkout commits, such as GitLab.
disable-private-package-analysis ENDOR_SCAN_DISABLE_PRIVATE_PACKAGE_ANALYSIS Disable the call graph analysis of private dependencies that are not part of the repository.
droid-gpt ENDOR_SCAN_DROID_GPT Use DroidGPT to interpret build errors and generate remediation advice.
exclude ENDOR_SCAN_EXCLUDE Set to a regex pattern such as ‘foo.*’ to exclude any files or directories, in the scan path, that match this pattern. For example, --exclude='*.py' will ignore the following: foo.py, src/foo.py, foo.py/bar.sh; and --exclude='tests' will ignore tests/foo.py as well as a/b/tests/c/foo.py. See also --include and --languages.
exit-on-policy-warning ENDOR_SCAN_EXIT_ON_POLICY_WARNING Return a non-zero exit code if there are policy violation warnings.
ghactions ENDOR_SCAN_GHACTIONS Scan and discover GitHub action workflows in your ci-cd pipeline.
git-logs ENDOR_SCAN_GIT_LOGS Audit the historical git logs of the repository for all branches in the repository. Must be used together with --secrets.
github-api-url GITHUB_API_URL Set the GitHub API URL used for API requests to Github Enterprise Cloud or GitHub Enterprise Server. This flag must be used for self-hosted source control systems such as GitHub Enterprise Server. (default https://api.github.com/)
github-ca-path GITHUB_CA_PATH Set the path to the CA certificate used by GitHub Enterprise Server if it is untrusted by your system.
github-token GITHUB_TOKEN Set the GitHub token used to authenticate with GitHub.
github ENDOR_SCAN_GITHUB Fetch information from GitHub and generate findings for any GitHub misconfigurations (see also SCPM policies).
include ENDOR_SCAN_INCLUDE Set to a regex pattern to only scan files and directories, in the scan path, that match this pattern. For example, --include=src/bar will only scan files under src/bar. Note that there must be a manifest file at the root of the include directory for the scan to be successful. See also --exclude and --languages.
languages ENDOR_SCAN_LANGUAGES Set programming languages to scan. Used to limit scan to specific languages.
output-type ENDOR_SCAN_SUMMARY_OUTPUT_TYPE Set output format (json, yaml, table, or summary). Use summary to only display policy violations and not all findings. (default json)
package ENDOR_SCAN_PACKAGE Scan binaries and artifacts. You must provide the path of your file using --path and specify a name for your project using --project-name parameters.
path ENDOR_SCAN_PATH Set the path to the repository to scan on the local filesystem. Example: --path=/Users/endorlabs/github/myrepo.
pnpm ENDOR_PNPM_ENABLED Set to true to scan and detect dependencies for JavaScript projects that use PNPM package manager.
pr-baseline ENDOR_SCAN_PR_BASELINE Set to the git reference that you are merging to, such as your default branch. Action policies will only flag issues that do not exist in the baseline so that developers are only alerted to issues on the current changes. Example: --pr-baseline=main.
pr-incremental ENDOR_SCAN_PR_INCREMENTAL Only scan packages with dependencies that have changed compared to the baseline scan. Must be set together with --pr-baseline or --enable-pr-comments.
pr ENDOR_SCAN_PR Set if this is a PR scan. PR scans are not used for reporting or monitoring and should be treated as point in time policy and finding test.
pre-commit-checks ENDOR_SCAN_PRE_COMMIT_CHECKS Perform Git pre-commit checks on the changeset about to be committed. Must be used together with --secrets.
project-name ENDOR_SCAN_PROJECT_NAME Give a name for the project while scanning binaries and artifacts. It is used with the --package parameter.
quick-scan ENDOR_SCAN_QUICK_SCAN Perform a quick scan without call graph generation.
registries ENDOR_SCAN_REGISTRIES Registries that must be used in addition to public or namespace registries. Format: "user:password@ecosystem://registry#priority".
repository-http-clone-url ENDOR_SCAN_GITHUB_REPOSITORY_HTTP_CLONE_URL Set the GitHub repository http clone URL for --github scans.
sarif-file ENDOR_SCAN_SUMMARY_SARIF_FILE Set the path to a SARIF file to save the finding result summary to.
secrets ENDOR_SCAN_SECRETS Scan source code repository and generate findings for leaked secrets. See also --git-logs and --pre-commit-checks.
tags ENDOR_SCAN_TAGS Specify a list of user-defined tags to add to this scan. Tags can be used to search and filter scans later.
tools ENDOR_SCAN_TOOLS Scan source code repository for CI/CD tools. To include GitHub application data you must also set the --github flag and provide a GitHub token with read:org access.
use-bazel ENDOR_SCAN_USE_BAZEL Uses Bazel to perform the endorctl scan.
use-local-repo-cache ENDOR_SCAN_USE_LOCAL_CACHE Uses the local cache for dependency resolution.
uuid ENDOR_SCAN_UUID Scan the specified project uuid.

2.9 - sync-org

Use the sync-org command to sync all projects in a GitHub organization to Endor Labs.

Use the endorctl sync-org command to create projects for all the unscanned repositories in your GitHub organization. This does not automatically scan the projects. It creates projects in Endor Labs, measures scan coverage across a GitHub organization, and gives you visibility into your source control repository.

Usage

To sync your GitHub organization to Endor Labs:

  • Export a GitHub token that can read all projects in your GitHub organization. To run the sync-org command you need at least repo and read:org permissions.
export GITHUB_TOKEN=<insert-github-token>
  • Run the sync-org command
endorctl sync-org --name=endorlabs

Options

The endorctl sync-org command uses the following flags and environment variables:

Flag Environment Variable Description
name ENDOR_SYNC_ORG_NAME Set the full name of the organization. Example: endorlabs
github-api-url ENDOR_SYNC_ORG_GITHUB_API_URL Set the URL for API requests to GitHub Enterprise Cloud or GitHub Enterprise Server (default https://api.github.com/).
platform-source ENDOR_SYNC_ORG_GITHUB_API_URL Set the platform source (default github).
uuid ENDOR_SYNC_ORG_UUID Set the uuid of the github installation.

2.10 - validate policy

Use this command to validate a rego policy

Use the command endorctl validate policy to validate a rego policy against data for a specified project.

Usage

To verify that a rego policy is correctly formatted:

  1. First, select a rego policy. Lets take the example policy below that searches for dependencies with an Endor Labs overall score of less than 7. You can save this as test_policy.rego.
package example

match_package_version[result] {
  some i, j
  data.resources.Metric[i].meta.name == "package_version_scorecard"
  data.resources.Metric[i].meta.parent_kind == "PackageVersion"
  data.resources.Metric[i].meta.parent_uuid == data.resources.PackageVersion[_].uuid
  score := data.resources.Metric[i].spec.metric_values["scorecard"].score_card.overall_score
  score < 7

  result = {
    "Endor": {
      "PackageVersion": data.resources.Metric[i].meta.parent_uuid,
    },
    "Score": sprintf("%v", [score])
  }
}
  1. Next validate that the policy is correctly formatted.
endorctl validate policy --policy test_policy.rego

To validate the policy against real data:

endorctl validate policy --policy test_policy.rego --query "data.example.match_package_version" --uuid $PROJECT_UUID

Options

The endorctl validate policy command uses the following flags and environment variables:

Flag Environment Variable Description
input ENDOR_VALIDATE_POLICY_INPUT_FILE_PATH Path to a json file containing the input parameter values, if applicable.
output-type ENDOR_VALIDATE_POLICY_SUMMARY_OUTPUT_TYPE Set output format (json, yaml, or table) (default table).
policy ENDOR_VALIDATE_POLICY_FILE_PATH Path to a text (plain Rego rule), json (one Policy), or yaml (one or more Policies or PolicyTemplates) file containing the policy(ies) to be validated.
pr-baseline ENDOR_VALIDATE_POLICY_PR_BASELINE Name of baseline version to load data from.
pr-uuid ENDOR_VALIDATE_POLICY_PR_UUID PR scan to load data from.
query ENDOR_VALIDATE_POLICY_QUERY_STATEMENTS Query statement for this policy (e.g. data.packagename.allow) - Only needed for plain text Rego rules.
resource-kinds ENDOR_VALIDATE_POLICY_RESOURCE_KINDS Resource kinds required by this policy (e.g. PackageVersion,Metric) - Only needed for plain text Rego rules.
uuid ENDOR_VALIDATE_POLICY_PROJECT_UUID UUID of project to load data from.

3 - Global flags and environment variables

Use global flags and environment variables to customize and configure endorctl.

Every command-line flag has a corresponding environment variable that can be set instead of the flag, either directly in your environment or in a dedicated configuration file.

See config-path description in Global Flags and Variables and Set environment variables for details.

To set a command-line flag on the endorctl scan command you can specify the flag with a leading -- for full flag names or a leading - for short flag aliases. If applicable, input arguments are specified after the flag and separated from it with either a blank space or a = character. For example, to set the output-type specify --output-type json or -o=json. If the input argument is a list, then the list elements are separated by a , character, for example --languages=go,python.

Global flags and variables

The following Global flags are supported and configurable for any endorctl command:

Flag Environment Variable Description
api ENDOR_API Set the API URL for the Endor Labs Application (default https://api.endorlabs.com).
api-key ENDOR_API_CREDENTIALS_KEY Set the API key used to authenticate with Endor Labs.
api-secret ENDOR_API_CREDENTIALS_SECRET Set the secret corresponding to the API key used to authenticate with Endor Labs.
aws-role-arn ENDOR_AWS_CREDENTIALS_ROLE_ARN Set the target role ARN for AWS based authentication. AWS authentication is only enabled if this flag is set. See our AWS Keyless Authentication Docs for details.
bypass-host-check ENDOR_BYPASS_HOST_CHECK Bypass the check that verifies that the host machine is correctly setup to use endorctl.
config-path ENDOR_CONFIG_PATH Set the local filesystem path to the endor config directory containing your endor environment variables. By default set to $HOME/.endorctl/config.yaml.
enable-github-action-token ENDOR_GITHUB_ACTION_TOKEN_ENABLE Enable keyless authentication using Github action OIDC tokens. See the GitHub documentation on configuring OpenID Connect in cloud providers for details.
gcp-service-account ENDOR_GCP_CREDENTIALS_SERVICE_ACCOUNT Set the target service account for GCP based authentication. GCP authentication is only enabled if this flag is set.
log-level ENDOR_LOG_LEVEL Set the log level. Set to debug for debug logs. See also the --verbose flag.
namespace ENDOR_NAMESPACE Set to the namespace of the project that you are working with.
token ENDOR_TOKEN Set the authentication token used to authenticate with Endor Labs.
verbose ENDOR_LOG_VERBOSE Enable verbose logging.
version Display the endorctl client version.

Set endorctl environment variables

To set an environment variable run the following command:

export <environment variable>=<value>

For example to set the environment variable ENDOR_TOKEN to “mytoken” run the following command:

export ENDOR_TOKEN=mytoken