This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

api

Use the api command to interact with the Endor Labs API

1: create

2: delete

3: get

4: list

5: update

The endorctl api command allows you to interact with the Endor Labs API directly through the command line interface.

Usage

The syntax of the endorctl api command is:

endorctl api [subcommand] [flags]

The following subcommands are supported:

create creates a specified object in a namespace.
delete deletes a specified object in a namespace.
get gets a specified object in a namespace.
list lists a specified group of objects in a namespace.
update updates a specified object in a namespace.

Flags and variables

The following flags are supported for all endorctl api subcommands, unless specified otherwise:

Flag	Environment Variable	Description
`data`	`ENDOR_API_DATA`	Define the object you want to create or update in json format.
`field-mask`	`ENDOR_API_FIELD_MASK`	Specify a list of fields to return or update.
`header`	`ENDOR_API_HEADER`	Specify request header information in the following format: `key:value`
`interactive`	`ENDOR_API_INTERACTIVE`	Create or update an object interactively. Requires the environment variable `EDITOR` to be set (for example, `export EDITOR=vim`).
`name`	`ENDOR_API_NAME`	Specify the name of the resource that you want to interact with.
`output-type`	`ENDOR_API_OUTPUT_TYPE`	Specify the output format of the response. The default output type is `json`, but can also be set to `yaml` or `table`.
`resource`	`ENDOR_API_RESOURCE`	Specify the resource type that you want to interact with. See commonly used resource types below for a list of supported resource types.
`timeout`	`ENDOR_API_TIMEOUT`	Set the timeout limit for the command. The default is `20s`, but larger or more complex requests might need additional time, which might lead to a “context deadline exceeded” error.

| uuid | ENDOR_API_UUID | Specify the UUID of the resource that you want to interact with. |

Commonly used resource types

The following table lists resource types that are commonly used in the API. For more information, see the resource kind documentation.

Resource kinds are case sensitive.

Resource Kind	Description
`Project`	A project represents a configuration for ingesting source control repositories. List all projects by calling `endorctl api list -r Project`.
`Repository`	A repository represents information about a source control repository where source code is hosted. List all repositories for a project by filtering on `meta.parent_uuid==<project-uuid>`.
`RepositoryVersion`	A repository version represents information about a specific version of code in source control, such as commit SHAs, tags or branches. List all repository versions for a project by filtering on `meta.parent_uuid==<project-uuid>`.
`PackageVersion`	A package version represents information about a named version of a package. List all package versions for a project by filtering on `spec.project_uuid==<project-uuid>`.
`DependencyMetadata`	A dependency metadata object represents the relationship between the root package version (importer) and a given dependency. List all dependency metadata objects for a project by filtering on `spec.importer_data.project_uuid==<project-uuid>`.
`Metric`	A metric object contains the output of a given analytic. List all metric objects for a project by filtering on `spec.project_uuid==<project-uuid>`.
`Finding`	A finding represents a result of an evaluation method used to evaluate code against a rule. List all findings for a project by filtering on `spec.project_uuid==<project-uuid>`.
`ScanResult`	A scan result contains metadata about a particular scan (configuration, results etc.). List all scan results for a project by filtering on `meta.parent_uuid==<project-uuid>`.
`AuthorizationPolicy`	An authorization policy represents a policy for access control. List all authorization policies by calling `endorctl api list -r AuthorizationPolicy`.

1 - create

Use the create command to create a specified resource through the API

Usage

The endorctl api create command creates an object of a specified resource type.

endorctl api create -r [resource] [flags]

Interactive Mode

Use --interactive or -i to create an object with an interactive code editor.
- Define your editor using export EDITOR=<editor> where the editor is defined as the command used to edit files. For example, export EDITOR=vi allows you to edit in vi and export EDITOR=code opens the file with the code command in VS Code.

Examples

To create a package manager integration that uses the repository https://example.replaceme.com for dependency resolution in Python with the top priority for dependency resolution use the following command:

endorctl api create -r PackageManager \
    --data '{"meta":{"name":"pypi PackageManager"},"spec":{"pypi":{"url":"https://example.replaceme.com ","priority":0}}}'

2 - delete

Use the delete command to delete a specified resource through the API

Usage

The endorctl api delete command deletes a given object of a specified resource type.

endorctl api delete -r [resource] [flags]

Examples

Use the following command to delete the project with the UUID, ‘62aa1cfadfa47d9ccb754d22’, that is no longer needed.

endorctl api delete -r Project --uuid 62aa1cfadfa47d9ccb754d22

3 - get

Use the get command to retrieve a specified resource through the API

Usage

The endorctl api get command retrieves a given object of a specified resource type.

endorctl api get -r [resource] [flags]

Examples

Get a specific project by its UUID:

endorctl api get -r Project --uuid <UUID>

Get a specific package version:

endorctl api get --resource "PackageVersion" --name "<ecosystem>://<name>@<version>"

4 - list

Use the list command to retrieve a filtered or unfiltered list of a specified resource through the API

Usage

The endorctl api list command lists all objects of a specified resource type, based on the specified filters, field-masks and/or other options.

endorctl api list -r [resource] [flags]

Flags and variables

The endorctl api list command supports the following additional flags and environment variables:

Flag	Environment Variable	Description
`count`	`ENDOR_API_COUNT`	Get the number of items in the list.
`filter`	`ENDOR_API_FILTER`	Specify query parameters used to filter resources.
`group-aggregation-paths`	`ENDOR_API_GROUP_AGGREGATION_PATHS`	Specify one or more fields to group resources by.
`group-show-aggregation-uuids`	`ENDOR_API_GROUP_SHOW_AGGREGATION_UUIDS`	Get the uuids of the resources in each group as specified by `--group-aggregation-paths`.
`group-unique-count-paths`	`ENDOR_API_GROUP_UNIQUE_COUNT_PATHS`	Count the number of unique values, for these fields, in the group.
`group-unique-value-paths`	`ENDOR_API_GROUP_UNIQUE_VALUE_PATHS`	Get the unique values, for these fields, in the group.
`list-all`	`ENDOR_API_LIST_ALL`	List all resources (use `-t/--timeout` to increase timeout for big queries).
`page-id`	`ENDOR_API_PAGE_ID`	Set the page id to start from.
`page-size`	`ENDOR_API_PAGE_SIZE`	Set the page size to limit the number of results returned (default `100`).
`page-token`	`ENDOR_API_PAGE_TOKEN`	Set the page token to start from.
`pr-uuid`	`ENDOR_API_PR_UUID`	Only list resources from a specific PR scan.
`sort-order`	`ENDOR_API_SORT_ORDER`	Sort resources in the specified order, `ascending` or `descending` (default `ascending`).
`sort-path`	`ENDOR_API_SORT_PATH`	Specify a field to sort resources by.
`traverse`	`ENDOR_API_TRAVERSE`	Get data from any child namespaces as well.

Examples

Use the --filter flag to customize your query and the --field-mask flag to limit the fields returned. For example, run the following command to list the description and the target dependency name for all findings in a given project:

endorctl api list \
  --resource Finding \
  --filter "spec.project_uuid==<uuid>" \
  --field-mask "meta.description,spec.target_dependency_package_name"

For more information on filters and field-masks, see Filters. and Masks.

Useful API commands

Get a count of the number of projects hosted in your Endor Labs tenant:

endorctl api list \
  --resource Project \
  --count \
  | jq -r '.count_response.count'

List all projects in the namespace and only return the name of each project:

endorctl api list \
  --resource Project \
  --list-all \
  --field-mask meta.name \
  | jq '.list.objects[].meta.name'

List all package versions at a given source code Git reference:

endorctl api list \
  --resource "PackageVersion" \
  --output-type "yaml" \
  --filter "spec.project_uuid==<uuid> and spec.source_code_reference.version.ref==<git-reference>"

List all direct dependencies of a specific package given its UUID.

endorctl api list \
  --resource DependencyMetadata \
  --filter "spec.importer_data.package_version_uuid==<UUID> and spec.dependency_data.direct==true"

Return a count of findings associated with the default branch for a given project:

endorctl api list \
  --resource Finding \
  --filter "context.type==CONTEXT_TYPE_MAIN and spec.project_uuid==<project-uuid>" \
  --count

Return a count of unique vulnerabilities found in non-test dependencies where there is an upstream patch available and the function associated with the vulnerability is reachable in the context of the application for a given project:

endorctl api list \
  --resource Finding \
  --filter "context.type==CONTEXT_TYPE_MAIN and spec.project_uuid==<project-uuid> and spec.finding_categories contains [FINDING_CATEGORY_VULNERABILITY] and spec.finding_tags contains [FINDING_TAGS_NORMAL] and spec.finding_tags contains [FINDING_TAGS_REACHABLE_FUNCTION] and spec.finding_tags contains [FINDING_TAGS_FIX_AVAILABLE]" \
  --group-aggregation-paths "spec.finding_metadata.vulnerability.meta.name"

Return the count of the number of scans run on the default branch since a given point in time:

endorctl api list \
  --resource ScanResult \
  --filter "context.id==default and meta.create_time >= date(2023-11-14)" \
  --count

For more examples, see Use cases.

5 - update

Use the update command to update an API object.

Usage

endorctl api update -r [resource] [flags]

Interactive Mode

Use --interactive or -i to update an object with an interactive code editor.
- Define your editor using export EDITOR=<editor> where the editor is defined as the command used to edit files. For example, export EDITOR=vi allows you to edit in vi and export EDITOR=code opens the file with the code command in VS Code.
- Specify which fields you want to update using the --field-mask parameter. If this is not set, endorctl will try to update all fields.

Examples

To interactively update a project with the UUID 6549886f0dd828140b4a477b:

endorctl api update -r Project -i --uuid 6549886f0dd828140b4a477b --field-mask meta.tags

To add a tag “CrownJewel” to a project named https://github.com/endorlabs/github-action use the following command:

endorctl api update -r Project \
  --name https://github.com/endorlabs/github-action \
  --data "{ \"meta\": {\"tags\": [ \"CrownJewel\" ] }}" \
  --field-mask 'meta.tags'