# scan

Use the scan command to perform scans against a repository.

## Usage

To perform a full scan, including reachability analysis for the open source software of the packages you build in a repository, and to monitor the checked-out version of your code, run:

```shell
endorctl scan
```

To scan for leaked secrets and monitor all results in the checked-out version of your repository:

```shell
endorctl scan --secrets
```

To scan for leaked secrets in all branches of your repository:

```shell
endorctl scan --secrets --git-logs
```

To scan for misconfigurations in a GitHub repository (for example https://github.com/endorlabs/app-java-demo):

```shell
export GITHUB_TOKEN=<insert-your-github-token>
endorctl scan --github --repository-http-clone-url=https://github.com/endorlabs/app-java-demo
```

To scan for CI/CD tools:

```shell
export GITHUB_TOKEN=<insert-your-github-token-with-read:org-access>
endorctl scan --tools --github
```

To include GitHub application data you must also set the --github flag and provide a GitHub token with read:org access.

To run a scan as a test in a pull request, without monitoring the version of your code over time:

```shell
endorctl scan --pr
```

To scan and discover GitHub Actions workflows (Beta) in your CI/CD pipeline:

```shell
endorctl scan --ghactions
```

Along with performing the regular dependency analysis on your repository, this discovers the GitHub Actions configured in your CI/CD pipeline and maps them as GitHub Action dependencies of your package.
## Options

The command endorctl scan uses the following flags and environment variables:
| Flag | Environment Variable | Description |
|---|---|---|
| as-default-branch | ENDOR_SCAN_AS_DEFAULT_BRANCH | Set this as the default branch. |
| bazel-exclude-targets | ENDOR_SCAN_BAZEL_EXCLUDE_TARGETS | Set this variable to exclude a list of Bazel targets included in a provided Bazel query. |
| bazel-include-targets | ENDOR_SCAN_AS_INCLUDE_TARGETS | Set this variable to perform a scan on a list of targets using Bazel. Only the specified list of targets is scanned. If you do not specify bazel-include-targets, you must identify targets using bazel-targets-query. If you specify targets, the results from bazel-targets-query are ignored. |
| bazel-targets-query | ENDOR_SCAN_BAZEL_TARGETS | Set this variable to query for a list of Bazel targets to include in a scan. |
| bazel-workspace-path | ENDOR_SCAN_BAZEL_WORKSPACE_PATH | Set this variable to specify the path of the Bazel workspace. |
| build | ENDOR_SCAN_BUILD | Enable the scan to build the project if needed. |
| call-graph-languages | ENDOR_SCAN_CALLGRAPH_LANGUAGES | Set programming languages for call graph generation (go, java, python, rust). (default: [go,java,python,rust]) |
| dependencies | ENDOR_SCAN_DEPENDENCIES | Scan git commits and generate findings for all dependencies. |
| detached-ref-name | ENDOR_SCAN_DETACHED_REF_NAME | Set the name of the git reference to a user-provided name. Example: --detached-ref-name="$CI_DEFAULT_BRANCH". Use with CI environments that check out commits, such as GitLab. |
| disable-private-package-analysis | ENDOR_SCAN_DISABLE_PRIVATE_PACKAGE_ANALYSIS | Disable the call graph analysis of private dependencies that are not part of the repository. |
| droid-gpt | ENDOR_SCAN_DROID_GPT | Use DroidGPT to interpret build errors and generate remediation advice. |
| exclude | ENDOR_SCAN_EXCLUDE | Set to a regex pattern such as 'foo.*' to exclude any files or directories in the scan path that match this pattern. For example, --exclude='*.py' ignores foo.py, src/foo.py and foo.py/bar.sh; --exclude='tests' ignores tests/foo.py as well as a/b/tests/c/foo.py. See also --include and --languages. |
| exit-on-policy-warning | ENDOR_SCAN_EXIT_ON_POLICY_WARNING | Return a non-zero exit code if there are policy violation warnings. |
| ghactions | ENDOR_SCAN_GHACTIONS | Scan and discover GitHub Actions workflows in your CI/CD pipeline. |
| git-logs | ENDOR_SCAN_GIT_LOGS | Audit the historical git logs of the repository for all branches in the repository. Must be used together with --secrets. |
| github-api-url | GITHUB_API_URL | Set the GitHub API URL used for API requests to GitHub Enterprise Cloud or GitHub Enterprise Server. This flag must be used for self-hosted source control systems such as GitHub Enterprise Server. (default: https://api.github.com/) |
| github-ca-path | GITHUB_CA_PATH | Set the path to the CA certificate used by GitHub Enterprise Server if it is untrusted by your system. |
| github-token | GITHUB_TOKEN | Set the GitHub token used to authenticate with GitHub. |
| github | ENDOR_SCAN_GITHUB | Fetch information from GitHub and generate findings for any GitHub misconfigurations (see also SCPM policies). |
| include | ENDOR_SCAN_INCLUDE | Set to a regex pattern to only scan files and directories in the scan path that match this pattern. For example, --include=src/bar only scans files under src/bar. Note that there must be a manifest file at the root of the included directory for the scan to succeed. See also --exclude and --languages. |
| languages | ENDOR_SCAN_LANGUAGES | Set programming languages to scan. Used to limit the scan to specific languages. |
| output-type | ENDOR_SCAN_SUMMARY_OUTPUT_TYPE | Set the output format (json, yaml, table, or summary). Use summary to display only policy violations rather than all findings. (default: json) |
| path | ENDOR_SCAN_PATH | Set the path to the repository to scan on the local filesystem. Example: --path=/Users/endorlabs/github/myrepo. |
| phantom-dependencies | ENDOR_SCAN_PHANTOM_DEPS | Set to true to scan for and detect dependencies used in source code but not declared in the package's manifest files. |
| pnpm | ENDOR_PNPM_ENABLED | Set to true to scan for and detect dependencies of JavaScript projects that use the PNPM package manager. |
| pr-baseline | ENDOR_SCAN_PR_BASELINE | Set to the git reference that you are merging to, such as your default branch. Action policies only flag issues that do not exist in the baseline, so developers are alerted only to issues in the current changes. Example: --pr-baseline=main. |
| pr-incremental | ENDOR_SCAN_PR_INCREMENTAL | Only scan packages whose dependencies have changed compared to the baseline scan. Must be set together with --pr-baseline or --enable-pr-comments. |
| pr | ENDOR_SCAN_PR | Set if this is a PR scan. PR scans are not used for reporting or monitoring and should be treated as a point-in-time policy and finding test. |
| pre-commit-checks | ENDOR_SCAN_PRE_COMMIT_CHECKS | Perform Git pre-commit checks on the changeset about to be committed. Must be used together with --secrets. |
| quick-scan | ENDOR_SCAN_QUICK_SCAN | Perform a quick scan without call graph generation. |
| registries | ENDOR_SCAN_REGISTRIES | Registries that must be used in addition to public or namespace registries. Format: "user:password@ecosystem://registry#priority". |
| repository-http-clone-url | ENDOR_SCAN_GITHUB_REPOSITORY_HTTP_CLONE_URL | Set the GitHub repository HTTP clone URL for --github scans. |
| sarif-file | ENDOR_SCAN_SUMMARY_SARIF_FILE | Set the path of the SARIF file to which the finding result summary is saved. |
| secrets | ENDOR_SCAN_SECRETS | Scan the source code repository and generate findings for leaked secrets. See also --git-logs and --pre-commit-checks. |
| tags | ENDOR_SCAN_TAGS | Specify a list of user-defined tags to add to this scan. Tags can be used to search and filter scans later. |
| tools | ENDOR_SCAN_TOOLS | Scan the source code repository for CI/CD tools. To include GitHub application data you must also set the --github flag and provide a GitHub token with read:org access. |
| use-bazel | ENDOR_SCAN_USE_BAZEL | Use Bazel to perform the endorctl scan. |
| use-local-repo-cache | ENDOR_SCAN_USE_LOCAL_CACHE | Use the local cache for dependency resolution. |
| uuid | ENDOR_SCAN_UUID | Scan the specified project uuid. |
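The usage section above shows the scan modes and the options table states which flags depend on each other (--git-logs and --pre-commit-checks need --secrets; --pr-incremental needs --pr-baseline or --enable-pr-comments; --github scans are run with GITHUB_TOKEN exported). The following POSIX sh helper is an added example, not part of the endorctl project, that composes the argument string for a CI job and enforces those dependencies before anything is executed; the mode names, the SARIF file name and the argument layout are this example's own choices.

```shell
# Constructed example: compose the argument string for an endorctl scan in CI
# and enforce the flag dependencies stated in the options table before running.

# Return 0 if flag $1 (e.g. --secrets) appears in $FLAGS, either bare or as
# --flag=value. FLAGS is padded with spaces so matches are whole words.
_has_flag() {
  case "$FLAGS" in *" $1 "*|*" $1="*) return 0 ;; *) return 1 ;; esac
}

# Reject combinations the reference documents as invalid. $1 is everything
# that would follow "endorctl scan".
check_scan_flags() {
  FLAGS=" $1 "
  if _has_flag --git-logs && ! _has_flag --secrets; then
    echo "--git-logs must be used together with --secrets" >&2; return 1
  fi
  if _has_flag --pre-commit-checks && ! _has_flag --secrets; then
    echo "--pre-commit-checks must be used together with --secrets" >&2; return 1
  fi
  if _has_flag --pr-incremental && ! _has_flag --pr-baseline && ! _has_flag --enable-pr-comments; then
    echo "--pr-incremental needs --pr-baseline or --enable-pr-comments" >&2; return 1
  fi
  # The usage examples export GITHUB_TOKEN before every --github scan.
  if _has_flag --github && [ -z "${GITHUB_TOKEN:-}" ]; then
    echo "--github scans need GITHUB_TOKEN to be set" >&2; return 1
  fi
  return 0
}

# Build the arguments for one CI job. Mode "pr" is a point-in-time policy test
# against the merge target; mode "monitor" tracks the checked-out version and
# writes a SARIF summary. ref_name labels a detached checkout (GitLab style).
build_scan_args() {
  mode="$1"; baseline="$2"; ref_name="$3"; with_secrets="$4"
  case "$mode" in
    pr)
      [ -n "$baseline" ] || { echo "pr mode needs a baseline ref" >&2; return 1; }
      args="--pr --pr-baseline=$baseline --pr-incremental --exit-on-policy-warning --output-type=summary" ;;
    monitor)
      args="--sarif-file=endor-scan.sarif"
      [ -z "$ref_name" ] || args="$args --detached-ref-name=$ref_name" ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
  # Secrets scanning across all branches needs --git-logs, which needs --secrets.
  [ "$with_secrets" = 1 ] && args="$args --secrets --git-logs"
  check_scan_flags "$args" || return 1
  printf '%s\n' "$args"
}
```

In a pipeline step the result is spliced into the real invocation, for example `endorctl scan $(build_scan_args pr "$PR_TARGET_BRANCH" "" 1)`, so a violated dependency fails the job before the scan starts.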