This is the multi-page printable view of this section.
Click here to print.
Return to the regular view of this page.
api
Use the api command to interact with the Endor Labs API
The endorctl api
command allows you to interact with the Endor Labs API directly through the command line interface.
Usage
The syntax of the endorctl api
command is:
endorctl api [subcommand] [flags]
The following subcommands are supported:
create
creates a specified object in a namespace.
delete
deletes a specified object in a namespace.
get
gets a specified object in a namespace.
list
lists a specified group of objects in a namespace.
update
updates a specified object in a namespace.
Flags and variables
The following flags are supported for all endorctl api
subcommands, unless specified otherwise:
Flag |
Environment Variable |
Description |
data |
ENDOR_API_DATA |
Define the object you want to create or update in json format. |
field-mask |
ENDOR_API_FIELD_MASK |
Specify a list of fields to return or update. |
header |
ENDOR_API_HEADER |
Specify request header information in the following format: key:value |
interactive |
ENDOR_API_INTERACTIVE |
Create or update an object interactively. Requires the environment variable EDITOR to be set (for example, export EDITOR=vim ). |
name |
ENDOR_API_NAME |
Specify the name of the resource that you want to interact with. |
output-type |
ENDOR_API_OUTPUT_TYPE |
Specify the output format of the response. The default output type is json , but can also be set to yaml or table . |
resource |
ENDOR_API_RESOURCE |
Specify the resource type that you want to interact with. See commonly used resource types below for a list of supported resource types. |
timeout |
ENDOR_API_TIMEOUT |
Set the timeout limit for the command. The default is 20s , but larger or more complex requests might need additional time, which might lead to a “context deadline exceeded” error. |
uuid |
ENDOR_API_UUID |
Specify the UUID of the resource that you want to interact with. |
Commonly used resource types
The following table lists resource types that are commonly used in the API. For more information, see the resource kind documentation.
Resource kinds are case sensitive.
Resource Kind |
Description |
Project |
A project represents a configuration for ingesting source control repositories. List all projects by calling endorctl api list -r Project . |
Repository |
A repository represents information about a source control repository where source code is hosted. List all repositories for a project by filtering on meta.parent_uuid==<project-uuid> . |
RepositoryVersion |
A repository version represents information about a specific version of code in source control, such as commit SHAs, tags or branches. List all repository versions for a project by filtering on meta.parent_uuid==<project-uuid> . |
PackageVersion |
A package version represents information about a named version of a package. List all package versions for a project by filtering on spec.project_uuid==<project-uuid> . |
DependencyMetadata |
A dependency metadata object represents the relationship between the root package version (importer) and a given dependency. List all dependency metadata objects for a project by filtering on spec.importer_data.project_uuid==<project-uuid> . |
Metric |
A metric object contains the output of a given analytic. List all metric objects for a project by filtering on spec.project_uuid==<project-uuid> . |
Finding |
A finding represents a result of an evaluation method used to evaluate code against a rule. List all findings for a project by filtering on spec.project_uuid==<project-uuid> . |
ScanResult |
A scan result contains metadata about a particular scan (configuration, results etc.). List all scan results for a project by filtering on meta.parent_uuid==<project-uuid> . |
AuthorizationPolicy |
An authorization policy represents a policy for access control. List all authorization policies by calling endorctl api list -r AuthorizationPolicy . |
1 - create
Use the create command to create a specified resource through the API
Usage
The endorctl api create
command creates an object of a specified resource type.
endorctl api create -r [resource] [flags]
Interactive Mode
- Use
--interactive
or -i
to create an object with an interactive code editor.
- Define your editor using
export EDITOR=<editor>
where the editor is defined as the command used to edit files. For example, export EDITOR=vi
allows you to edit in vi and export EDITOR=code
opens the file with the code command in VS Code.
Examples
To create a package manager integration that uses the repository https://example.replaceme.com
for dependency resolution in Python with the top priority for dependency resolution use the following command:
endorctl api create -r PackageManager \
--data '{"meta":{"name":"pypi PackageManager"},"spec":{"pypi":{"url":"https://example.replaceme.com ","priority":0}}}'
2 - delete
Use the delete command to delete a specified resource through the API
Usage
The endorctl api delete
command deletes a given object of a specified resource type.
endorctl api delete -r [resource] [flags]
Examples
Use the following command to delete the project with the UUID, ‘62aa1cfadfa47d9ccb754d22’, that is no longer needed.
endorctl api delete -r Project --uuid 62aa1cfadfa47d9ccb754d22
3 - get
Use the get command to retrieve a specified resource through the API
Usage
The endorctl api get
command retrieves a given object of a specified resource type.
endorctl api get -r [resource] [flags]
Examples
- Get a specific project by its UUID:
endorctl api get -r Project --uuid <UUID>
- Get a specific package version:
endorctl api get --resource "PackageVersion" --name "<ecosystem>://<name>@<version>"
4 - list
Use the list command to retrieve a filtered or unfiltered list of a specified resource through the API
Usage
The endorctl api list
command lists all objects of a specified resource type, based on the specified filters, field-masks and/or other options.
endorctl api list -r [resource] [flags]
Flags and variables
The endorctl api list
command supports the following additional flags and environment variables:
Flag |
Environment Variable |
Description |
count |
ENDOR_API_COUNT |
Get the number of items in the list. |
filter |
ENDOR_API_FILTER |
Specify query parameters used to filter resources. |
group-aggregation-paths |
ENDOR_API_GROUP_AGGREGATION_PATHS |
Specify one or more fields to group resources by. |
group-show-aggregation-uuids |
ENDOR_API_GROUP_SHOW_AGGREGATION_UUIDS |
Get the uuids of the resources in each group as specified by --group-aggregation-paths . |
group-unique-count-paths |
ENDOR_API_GROUP_UNIQUE_COUNT_PATHS |
Count the number of unique values, for these fields, in the group. |
group-unique-value-paths |
ENDOR_API_GROUP_UNIQUE_VALUE_PATHS |
Get the unique values, for these fields, in the group. |
list-all |
ENDOR_API_LIST_ALL |
List all resources (use -t/--timeout to increase timeout for big queries). |
page-id |
ENDOR_API_PAGE_ID |
Set the page id to start from. |
page-size |
ENDOR_API_PAGE_SIZE |
Set the page size to limit the number of results returned (default 100 ). |
page-token |
ENDOR_API_PAGE_TOKEN |
Set the page token to start from. |
pr-uuid |
ENDOR_API_PR_UUID |
Only list resources from a specific PR scan. |
sort-order |
ENDOR_API_SORT_ORDER |
Sort resources in the specified order, ascending or descending (default ascending ). |
sort-path |
ENDOR_API_SORT_PATH |
Specify a field to sort resources by. |
traverse |
ENDOR_API_TRAVERSE |
Get data from any child namespaces as well. |
Examples
Use the --filter
flag to customize your query and the --field-mask
flag to limit the fields returned.
For example, run the following command to list the description and the target dependency name for all findings in a given project:
endorctl api list \
--resource Finding \
--filter "spec.project_uuid==<uuid>" \
--field-mask "meta.description,spec.target_dependency_package_name"
For more information on filters and field-masks, see Filters.
and Masks.
Useful API commands
- Get a count of the number of projects hosted in your Endor Labs tenant:
endorctl api list \
--resource Project \
--count \
| jq -r '.count_response.count'
- List all projects in the namespace and only return the name of each project:
endorctl api list \
--resource Project \
--list-all \
--field-mask meta.name \
| jq '.list.objects[].meta.name'
- List all package versions at a given source code Git reference:
endorctl api list \
--resource "PackageVersion" \
--output-type "yaml" \
--filter "spec.project_uuid==<uuid> and spec.source_code_reference.version.ref==<git-reference>"
- List all direct dependencies of a specific package given its UUID.
endorctl api list \
--resource DependencyMetadata \
--filter "spec.importer_data.package_version_uuid==<UUID> and spec.dependency_data.direct==true"
- Return a count of findings associated with the default branch for a given project:
endorctl api list \
--resource Finding \
--filter "context.type==CONTEXT_TYPE_MAIN and spec.project_uuid==<project-uuid>" \
--count
- Return a count of unique vulnerabilities found in non-test dependencies where there is an upstream patch available and the function associated with the vulnerability is reachable in the context of the application for a given project:
endorctl api list \
--resource Finding \
--filter "context.type==CONTEXT_TYPE_MAIN and spec.project_uuid==<project-uuid> and spec.finding_categories contains [FINDING_CATEGORY_VULNERABILITY] and spec.finding_tags contains [FINDING_TAGS_NORMAL] and spec.finding_tags contains [FINDING_TAGS_REACHABLE_FUNCTION] and spec.finding_tags contains [FINDING_TAGS_FIX_AVAILABLE]" \
--group-aggregation-paths "spec.finding_metadata.vulnerability.meta.name"
- Return the count of the number of scans run on the default branch since a given point in time:
endorctl api list \
--resource ScanResult \
--filter "context.id==default and meta.create_time >= date(2023-11-14)" \
--count
For more examples, see Use cases.
5 - update
Use the update command to update an API object.
Usage
endorctl api update -r [resource] [flags]
Interactive Mode
- Use
--interactive
or -i
to update an object with an interactive code editor.
- Define your editor using
export EDITOR=<editor>
where the editor is defined as the command used to edit files. For example, export EDITOR=vi
allows you to edit in vi and export EDITOR=code
opens the file with the code command in VS Code.
- Specify which fields you want to update using the
--field-mask
parameter. If this is not set, endorctl will try to update all fields.
Examples
To interactively update a project with the UUID 6549886f0dd828140b4a477b:
endorctl api update -r Project -i --uuid 6549886f0dd828140b4a477b --field-mask meta.tags
To add a tag “CrownJewel” to a project named https://github.com/endorlabs/github-action use the following command:
endorctl api update -r Project \
--name https://github.com/endorlabs/github-action \
--data "{ \"meta\": {\"tags\": [ \"CrownJewel\" ] }}" \
--field-mask 'meta.tags'