scan

Use the scan command to perform endorctl scan.

Use the scan command to perform scans against a repository.

Usage

To perform a full scan including reachability analysis for the open source software of the packages you build in a repository and monitor the checked out version of your code run the command:

endorctl scan

To scan leaked secrets and monitor all results in the checked out version of your repository:

endorctl scan --secrets

To scan for leaked secrets in all branches of your repository use the command:

endorctl scan --secrets --git-logs

To scan for misconfigurations in a GitHub repository (i.e https://github.com/endorlabs/app-java-demo):

export GITHUB_TOKEN=<insert-your-github-token>
endorctl scan --github --repository-http-clone-url=https://github.com/endorlabs/app-java-demo

To scan for CI/CD tools run the following command:

export GITHUB_TOKEN=<insert-your-github-token-with-read:org-access>
endorctl scan --tools --github

To include GitHub application data you must also set the --github flag and provide a GitHub token with read:org access.

To run a scan as a test in a pull request without monitoring the version of your code over time run the command:

endorctl scan --pr

To scan and discover GitHub action workflows (Beta) in your ci-cd pipeline run the command:

endorctl scan --ghactions

Along with performing the regular dependency analysis on your repository, it discovers the GitHub actions configured in your CI/CD pipeline and maps them as GitHub action dependencies in your package.

To scan binaries and artifacts run the following command:

endorctl scan --package --path --project-name

You must provide the path of your file using --path and specify a name for your project using --project-name.

Options

The command endorctl scan uses the following flags and environment variables:

Flag Environment Variable Description
as-default-branch ENDOR_SCAN_AS_DEFAULT_BRANCH Set this as the default branch.
bazel-exclude-targets ENDOR_SCAN_BAZEL_EXCLUDE_TARGETS Set this variable to exclude a list of Bazel targets included in a provided Bazel query.
bazel-include-targets ENDOR_SCAN_AS_INCLUDE_TARGETS Set this variable to perform a scan on a list of targets using Bazel. Only the specified list of targets are scanned. If you do not specify bazel-include-targets, you must use identify targets using bazel-targets-query. If you specify targets, then the results from bazel-targets-query are ignored.
bazel-targets-query ENDOR_SCAN_BAZEL_TARGETS Set this variable to query for a list of Bazel targets to include in a scan.
bazel-workspace-path ENDOR_SCAN_BAZEL_WORKSPACE_PATH Set this variable to specify the path of the Bazel workspace.
build ENDOR_SCAN_BUILD Enable the scan to build the project if needed.
call-graph-languages ENDOR_SCAN_CALLGRAPH_LANGUAGES Set programming languages for call graph generation (go, java, python, rust) (default [go,java,python,rust]).
dependencies ENDOR_SCAN_DEPENDENCIES Scan git commits and generate findings for all dependencies.
detached-ref-name ENDOR_SCAN_DETACHED_REF_NAME Set the name of the git reference to a user-provided name. Example: --detached-ref-name="$CI_DEFAULT_BRANCH". Use with CI environments that checkout commits, such as GitLab.
disable-private-package-analysis ENDOR_SCAN_DISABLE_PRIVATE_PACKAGE_ANALYSIS Disable the call graph analysis of private dependencies that are not part of the repository.
droid-gpt ENDOR_SCAN_DROID_GPT Use DroidGPT to interpret build errors and generate remediation advice.
exclude ENDOR_SCAN_EXCLUDE Set to a regex pattern such as ‘foo.*’ to exclude any files or directories, in the scan path, that match this pattern. For example, --exclude='*.py' will ignore the following: foo.py, src/foo.py, foo.py/bar.sh; and --exclude='tests' will ignore tests/foo.py as well as a/b/tests/c/foo.py. See also --include and --languages.
exit-on-policy-warning ENDOR_SCAN_EXIT_ON_POLICY_WARNING Return a non-zero exit code if there are policy violation warnings.
ghactions ENDOR_SCAN_GHACTIONS Scan and discover GitHub action workflows in your ci-cd pipeline.
git-logs ENDOR_SCAN_GIT_LOGS Audit the historical git logs of the repository for all branches in the repository. Must be used together with --secrets.
github-api-url GITHUB_API_URL Set the GitHub API URL used for API requests to Github Enterprise Cloud or GitHub Enterprise Server. This flag must be used for self-hosted source control systems such as GitHub Enterprise Server. (default https://api.github.com/)
github-ca-path GITHUB_CA_PATH Set the path to the CA certificate used by GitHub Enterprise Server if it is untrusted by your system.
github-token GITHUB_TOKEN Set the GitHub token used to authenticate with GitHub.
github ENDOR_SCAN_GITHUB Fetch information from GitHub and generate findings for any GitHub misconfigurations (see also SCPM policies).
include ENDOR_SCAN_INCLUDE Set to a regex pattern to only scan files and directories, in the scan path, that match this pattern. For example, --include=src/bar will only scan files under src/bar. Note that there must be a manifest file at the root of the include directory for the scan to be successful. See also --exclude and --languages.
languages ENDOR_SCAN_LANGUAGES Set programming languages to scan. Used to limit scan to specific languages.
output-type ENDOR_SCAN_SUMMARY_OUTPUT_TYPE Set output format (json, yaml, table, or summary). Use summary to only display policy violations and not all findings. (default json)
package ENDOR_SCAN_PACKAGE Scan binaries and artifacts. You must provide the path of your file using --path and specify a name for your project using --project-name parameters.
path ENDOR_SCAN_PATH Set the path to the repository to scan on the local filesystem. Example: --path=/Users/endorlabs/github/myrepo.
pnpm ENDOR_PNPM_ENABLED Set to true to scan and detect dependencies for JavaScript projects that use PNPM package manager.
pr-baseline ENDOR_SCAN_PR_BASELINE Set to the git reference that you are merging to, such as your default branch. Action policies will only flag issues that do not exist in the baseline so that developers are only alerted to issues on the current changes. Example: --pr-baseline=main.
pr-incremental ENDOR_SCAN_PR_INCREMENTAL Only scan packages with dependencies that have changed compared to the baseline scan. Must be set together with --pr-baseline or --enable-pr-comments.
pr ENDOR_SCAN_PR Set if this is a PR scan. PR scans are not used for reporting or monitoring and should be treated as point in time policy and finding test.
pre-commit-checks ENDOR_SCAN_PRE_COMMIT_CHECKS Perform Git pre-commit checks on the changeset about to be committed. Must be used together with --secrets.
project-name ENDOR_SCAN_PROJECT_NAME Give a name for the project while scanning binaries and artifacts. It is used with the --package parameter.
quick-scan ENDOR_SCAN_QUICK_SCAN Perform a quick scan without call graph generation.
registries ENDOR_SCAN_REGISTRIES Registries that must be used in addition to public or namespace registries. Format: "user:password@ecosystem://registry#priority".
repository-http-clone-url ENDOR_SCAN_GITHUB_REPOSITORY_HTTP_CLONE_URL Set the GitHub repository http clone URL for --github scans.
sarif-file ENDOR_SCAN_SUMMARY_SARIF_FILE Set the path to a SARIF file to save the finding result summary to.
secrets ENDOR_SCAN_SECRETS Scan source code repository and generate findings for leaked secrets. See also --git-logs and --pre-commit-checks.
tags ENDOR_SCAN_TAGS Specify a list of user-defined tags to add to this scan. Tags can be used to search and filter scans later.
tools ENDOR_SCAN_TOOLS Scan source code repository for CI/CD tools. To include GitHub application data you must also set the --github flag and provide a GitHub token with read:org access.
use-bazel ENDOR_SCAN_USE_BAZEL Uses Bazel to perform the endorctl scan.
use-local-repo-cache ENDOR_SCAN_USE_LOCAL_CACHE Uses the local cache for dependency resolution.
uuid ENDOR_SCAN_UUID Scan the specified project uuid.