This guide provides instructions on how to get started with Endor Labs using the Endor Labs GitHub App. You can install the GitHub App or the GitHub App (Pro).
Note
The GitHub App (Pro) facilitates PR remediation. See PR remediation for more information.
Prerequisites for GitHub App
Before installing and scanning projects with Endor Labs GitHub App, make sure you have:
- A GitHub cloud account and organization. If you don’t have one, create one at GitHub.
- Administrative permissions to your GitHub organization. Installing the Endor Labs GitHub App in your organization requires approval or permissions from your GitHub organizational administrator.
- Approval for the permissions the app requests. The Endor Labs GitHub App requires read permission to Dependabot alerts, actions, administration, checks, code, commit statuses, issues, metadata, packages, pull requests, repository hooks, and security events. It does not need write access to any resource. The GitHub App (Pro) opens remediation pull requests, which GitHub only allows with write permission to pull requests and repository contents, so expect it to request more than the read-only set; review the permissions GitHub shows on the install page before you approve them.
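As an added check (example code written for this guide, not Endor Labs' own tooling): after installation, confirm from the GitHub side that the app was granted only the read permissions listed above and only the repositories you intended. The script assumes the JSON shape returned by the GitHub REST endpoint `GET /orgs/{org}/installations` (for example fetched with `gh api /orgs/<org>/installations` as an organization admin), an assumed app slug of `endor-labs`, and my own mapping of the page's permission names to GitHub API permission keys; the response embedded below is constructed sample data, not output captured from a real organization.

```python
"""Audit GitHub App installations in an organization against the read-only
permission set this guide documents for the Endor Labs GitHub App.

Example added to this guide; not Endor Labs code. The API keys in
EXPECTED_READ_ONLY are my mapping of the page's permission names ("Dependabot
alerts" is exposed by GitHub as "vulnerability_alerts", "code" as "contents",
"commit statuses" as "statuses"); the app slug "endor-labs" is assumed.
"""
import json

EXPECTED_READ_ONLY = {
    "vulnerability_alerts", "actions", "administration", "checks", "contents",
    "statuses", "issues", "metadata", "packages", "pull_requests",
    "repository_hooks", "security_events",
}

# Constructed sample in the shape of GET /orgs/{org}/installations.
# The first installation matches the documented read-only set; the second is a
# different app with write permissions, included to show what a failure looks like.
SAMPLE_RESPONSE = json.loads("""
{
  "total_count": 2,
  "installations": [
    {
      "id": 1001,
      "app_slug": "endor-labs",
      "repository_selection": "selected",
      "permissions": {
        "vulnerability_alerts": "read", "actions": "read", "administration": "read",
        "checks": "read", "contents": "read", "statuses": "read", "issues": "read",
        "metadata": "read", "packages": "read", "pull_requests": "read",
        "repository_hooks": "read", "security_events": "read"
      }
    },
    {
      "id": 1002,
      "app_slug": "some-other-app",
      "repository_selection": "all",
      "permissions": {
        "metadata": "read", "contents": "write", "pull_requests": "write",
        "workflows": "write"
      }
    }
  ]
}
""")


def find_installation(response, app_slug):
    """Return the installation object for app_slug, or None if not installed."""
    for inst in response.get("installations", []):
        if inst.get("app_slug") == app_slug:
            return inst
    return None


def audit_installation(installation, expected=EXPECTED_READ_ONLY):
    """Describe how an installation deviates from the expected read-only set.

    write:      permissions granted at "write" or "admin" level
    unexpected: permission keys outside the documented list
    missing:    documented permissions that were not granted (scans may fail)
    all_repos:  True when the app can see every repository, including ones
                created after installation
    """
    perms = installation.get("permissions", {})
    return {
        "app_slug": installation.get("app_slug"),
        "write": sorted(k for k, v in perms.items() if v in ("write", "admin")),
        "unexpected": sorted(set(perms) - expected),
        "missing": sorted(expected - set(perms)),
        "all_repos": installation.get("repository_selection") == "all",
    }


def is_read_only(report):
    """True when nothing is writable and nothing lies outside the documented set."""
    return not report["write"] and not report["unexpected"]


if __name__ == "__main__":
    for inst in SAMPLE_RESPONSE["installations"]:
        report = audit_installation(inst)
        status = "OK" if is_read_only(report) else "REVIEW"
        print(f"{status:6} {report['app_slug']}: write={report['write']} "
              f"unexpected={report['unexpected']} missing={report['missing']} "
              f"all_repos={report['all_repos']}")
```

Run it against the real response by replacing SAMPLE_RESPONSE with the parsed output of the `gh api` call; anything reported under `write` or `unexpected` for the Endor Labs installation is worth a conversation with your organization administrator before the first scan runs, and `missing` entries explain scans that fail with permission errors.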
Quickstart with GitHub App
1. Sign in to Endor Labs and select Getting Started from the left sidebar.
2. Select SCAN WITH GITHUB APP and click Install GitHub App.
   To enable automatic PR remediation, select Enable Automated Pull Requests to install the GitHub App (Pro).
   Warning
   You can install either the GitHub App or the GitHub App (Pro) in your environment, not both.
3. Choose the user and the organization where you wish to install the app.
4. Select whether to install and authorize Endor Labs on all your repositories or only on the specific repositories that you wish to scan. Limiting the installation to selected repositories keeps the app's access to the minimum you need; note that with that choice, repositories created later are not scanned until you add them to the installation, whereas the all-repositories option includes them automatically.
5. Click Install & Authorize.
   If the button reads Install and Request instead of Install & Authorize, you don't have permission to install the GitHub App. Click Install and Request to notify your organization administrator of your request.
6. Select the Endor Labs namespace that you want to use and click Next.
7. Select the scan types to enable under SCANNERS. The following scanners are available:
   - SCA: Perform software composition analysis.
   - RSPM: Scan the repository for misconfigurations.
   - Secret: Scan the repository for exposed secrets.
   - CI/CD: Scan the repository and identify all the CI/CD tools used in it.
   - SAST: Scan your source code for weaknesses and generate SAST findings.
   - AI Models: Scan your repository and discover AI models in your source code.
8. Select PULL REQUEST SCANS to automatically scan the PRs submitted by users.
9. Select Pull Request Comments to have Endor Labs comment on PRs for policy violations.
10. Select Include Archived Repositories to scan your archived repositories. By default, archived GitHub repositories aren't scanned.
11. In Define Scanning Preferences, select either:
    - Quick Scan to gain rapid visibility into your software composition. It performs dependency resolution but does not conduct reachability analysis to prioritize vulnerabilities. A quick scan lets you identify potentially vulnerable dependencies with little delay before a merge into the main branch.
    - Full Scan to perform dependency resolution and reachability analysis and generate call graphs for supported languages and ecosystems. A full scan gives complete visibility and identifies all dependency issues, with call graph generation, before a merge into the main branch. Full scans take longer to complete and may delay PR merges.
    See GitHub scan options for more information on the scans that you can run with the GitHub App.
12. Click Create.
    You are redirected back to Endor Labs.
After installation, Endor Labs scans your repositories and generates findings. After that, Endor Labs rescans your repositories every 24 hours. See Findings for more information on the findings generated by the scans.
Review the scan results
- Sign in to the Endor Labs user interface and click Projects on the left sidebar.
- Select your project to view the findings page. See Findings for more information.