Introduction to Endor Labs

Endor Labs helps Security and DevOps teams build secure applications without the productivity tax associated with traditional security and compliance obligations.

Endor Labs addresses three primary software supply chain security use cases:

• Secure open-source code
• Secure repositories and pipelines
• Meet AppSec compliance requirements

Secure Open Source Code

Secure and manage the open source software (OSS) packages that are used in your application code:

• Vulnerability prioritization: Reachability-based SCA utilizes program analysis to understand code behavior at build time, identifying reachable vulnerabilities at the function level to help you prioritize risk in the context of your code.

• Full visibility of OSS risks: Scan direct and transitive dependencies (including “phantom dependency” detection) and cross-references with a proprietary database with function-specific annotations on CVEs dating back to 2018.

• Select healthy OSS dependencies: Prevent risky OSS from entering your ecosystem with Endor Score and DroidGPT, allowing you to implement governance of OSS selection and improve developer productivity.

Secure Repositories and Pipelines

Track potential process deviations and failures in your pipelines:

• SCM config management: Gain visibility into the configuration of source code management systems and understand the delivery process through secure configuration baselines and out-of-the-box policies.

• Detect and prioritize secret leaks: Identify potential secret leaks in your source code and implement policies that block secrets from being hard coded.

Meet AppSec Compliance Requirements

Demonstrate compliance with stakeholder and industry requirements:

• License compliance risk management: Manage legal and compliance risks related to OSS licensing as part of an open source software governance program, including an Open Source Program Office (OSPO).

• SBOM and VEX: Automatically generate SBOMs for each software package and annotate with Vulnerability Exploitability eXchange (VEX) documents so that your stakeholders can get visibility into your software inventory and assess status of vulnerabilities.

Integrate Endor Labs into SDLC workflows

Endor Labs integrates into various stages of the software delivery lifecycle, including:

1. In a developer’s Integrated Developer Environment (IDE) or their local workstation.
2. As a test in a continuous integration job before software installation or build process.
3. As a test in a continuous integration job after software installation or build process.
4. In day-to-day ticketing and messaging workflows.

The diagram below illustrates how a DevSecOps program can integrate Endor Labs into their software delivery workflows:

• Endor Labs IDE plugins help development teams select better dependencies and catch potential issues early in the software development process.
• Endor Labs secret scanning is performed as a test before building software, allowing teams to quickly identify potential secret leaks in their source code.
• Endor Labs software composition analysis and reachability analysis occur as post-build/install steps in the CI pipeline. This post-build/install scanning provides a more accurate bill of materials and helps prioritize issues.
• Endor Labs scans for the configuration of your source code management system as a regular scan on your repositories. This configuration generally changes infrequently and defines how your development team delivers and tests your software.
• Endor Labs helps establish ticketing and messaging workflows through policies to notify your team of urgent issues or policy violations for appropriate resolution.