Set up continuous monitoring with GitHub
Endor Labs provides a GitHub App that continuously monitors users’ projects for security and operational risk.
endorctl
, while you wait for the approval.
Getting started with the GitHub App
To get started with the Endor Labs GitHub App, follow these steps:
- Sign in to Endor Labs.
- Install the GitHub App in your organization.
- (Optional) If you use private software dependencies, configure package manager integrations.
- Review your projects as they are scanned.
Prerequisites for GitHub cloud installations
Before installing and scanning projects with Endor Labs GitHub App, make sure you have:
- A GitHub Cloud account and organization. If you don’t have one, create one using github.com.
- Administrative permissions to your GitHub organization.
Install the GitHub App
To automatically scan repositories using the GitHub App:
- Sign in to Endor Labs.
- Choose Projects and click Add Project.
- From GITHUB tab, choose GitHub App
- Click Install GitHub App.
- Click Configure.
- You will be redirected to GitHub to install the GitHub App. Select Install.
- Review the permissions required for Endor Labs and click Install and Authorize"
Endor Labs GitHub App scans your repositories every 24 hours and reports any new findings or changes to release versions of your code. Once you have installed the GitHub App Endor Labs will attempt to scan your repositories every 24 hours and report back any new findings or changes to release versions of your code.
Technical limitations of the GitHub App
The Endor Labs GitHub App provides visibility across a GitHub organization, but it has technical limitations that do not account for the unique requirements of your application. Here are some of these limitations:
Bill of materials variance
The Endor Labs GitHub App approximates software package builds to create a bill of materials and perform static analysis on your software dependencies. This requires building packages with specific versions of the package manager and runtime environment.
If there are differences in the build environment, it can result in variances in the bill of materials. For the most accurate information, use Endor Labs CLI as a post-build step in your software delivery process.
Factors contributing to variances in the bill of materials include:
- The time a software package was built
- The version of a software package manager
- The type of package manager being used
- The version of the runtime environment a package is installed on
Custom package build steps
Endor Labs requires executing custom build steps outside of standard package manager commands to build software packages and get an accurate bill of materials and perform static analysis. In some cases, a complete bill of materials may not be generated or static analysis may not be performed.
Custom resource profiles
Large applications may require significant memory allocations to perform static analysis on a package. The services scanning the GitHub App use 16GB of memory by default. Applications that require more memory may not obtain vulnerability prioritization information using the GitHub App. Scan large applications in a CI environment using a runner with sufficient resource allocations.
Authentication for private software components
Private software components hosted in an internal package repository may require authentication credentials to create a complete bill of materials or perform static analysis.
If your authentication information to your private package repository is hosted outside of the repository, you will need to configure a package manager integration. See Set up package manager integration for more details.
Feedback
Was this page helpful? Send your feedback to support@endor.ai