Skip to main content
Use the scan command to perform scans against a repository.

Usage

Run the following command to perform a full scan including reachability analysis for the open source packages you build in a repository.
If your project contains multiple programming languages, you can specify them as a comma-separated list using the --languages flag:
Provide <languages-list> as a comma-separated list using the supported languages: . To scan leaked secrets and monitor all results in the checked out version of your repository.
Run the following command to perform a regular scan for leaked secrets including the dependencies.
Run the following command to scan for leaked secrets in all branches of your repository.
The above command performs a scan of the repository’s Git logs using the following logic:
  • If endorctl scans the repository’s Git log history for the first time, it performs a full scan
  • endorctl also performs a full rescan if you change any of the rules in the namespace
  • In all other cases, endorctl runs an incremental scan based on the last scan time
If the system invalidates detected secrets and you want to re-validate them, force a full rescan with the following command. To scan for misconfigurations in a GitHub repository like https://github.com/endorlabs/app-java-demo.
To run a scan as a test in a pull request without monitoring the version of your code over time run the command.
To scan workflow files under .github/workflows and discover Actions used in your pipelines, run the following command.
For CI integration options including the GitHub App and the Endor Labs GitHub Action, see GitHub Actions scanning. The command performs regular dependency analysis on your repository. It also discovers GitHub Actions workflows in your CI/CD pipeline and maps them as GitHub action dependencies in your package. To scan binaries and artifacts run the following command.
You must provide the path of your file using --path and specify a name for your project using --project-name. To scan and discover AI/LLM models in your repository, run the following command
To run a scan in dry run mode with local scanning and read-only access, run the following command. Dry run mode does not store scan results for monitoring and is best when used by developers running local scans.
You can also use --dry-run with --secrets, --sast, or --ai-sast flags. When you use --dry-run with --ai-sast, you must also set --diff-scope to scope the scan to changed files. Do not use --dry-run with container scanning.

Options

The command endorctl scan uses the following flags and environment variables:

AI model discovery flags

Bazel flags

Pull request (CI) flags

GitHub configuration flags

Call graph flags

Policy flags

Secrets scan flags

SAST scan flags

Sandbox flags

Miscellaneous flags