Endor Labs provides the following action policy templates that you can use to quickly create action policies. Each policy template provides parameters to help you customize the conditions under which a policy action takes place.
Note: All action policy templates automatically match only new findings for PR scans. If a finding already exists in the baseline, it is not considered a match. This assumes that there is a baseline to compare against (see the --pr-baseline and/or --enable-pr-comments options).
Container vulnerabilities
Matches container findings for vulnerabilities that meet specific parameters. The following parameters are supported:
Parameter | Description |
---|---|
Vulnerability ID | Full vulnerability identifier, for example, CVE-2024-3727 or GHSA-qh2h-chj9-jffq (case insensitive). |
Severity | Only match findings with this severity. |
Fix Availability | Select ‘Fix Available’ to only match findings if a patch is available to fix the issue in the dependency. |
Relationship | Select ‘Direct Dependency’ to only match findings for direct dependencies, or ‘Transitive Dependency’ to only match findings for transitive dependencies. |
EPSS Percentile Threshold | Only match findings with an EPSS percentile equal to or higher than this threshold (0.00-100.00). The EPSS percentile is the vulnerability's ranking, among all scored vulnerabilities, by likelihood of exploitation. |
EPSS Probability Threshold | Only match findings with an EPSS probability equal to or higher than this threshold (0.00-1.00). The EPSS probability is the estimated probability [0-1] that the vulnerability is exploited in the wild in the 30 days following score publication. |
Source Code Ecosystem | Match finding ecosystem. |
Exclude if Dependency Name Contains | Full or partial dependency names that the action policy should exclude, for example to exempt one specific dependency from this policy. |
Exclude if Package Name Contains | Full or partial package names that the action policy should exclude. The package is the resource the finding is raised against, that is, the package that directly or indirectly includes the affected dependency. |
Exclude findings for transitive dependencies via other projects? | Exclude findings for transitive dependencies that can only be reached via other projects. This lets your team avoid acting on findings it does not control because they are introduced by libraries developed in other projects. |
Custom finding attributes
Allows you to define a custom action policy based on the attributes of the finding. The following parameters are supported:
Parameter | Description |
---|---|
Finding Name Contains | Match full or partial finding name. |
Finding Category | Match finding category. |
Finding Type | Match finding type. |
Severity | Match finding severity. |
Fix Availability | Select ‘Fix Available’ to only match findings if a patch is available to fix the issue in the dependency. |
Relationship | Select ‘Direct Dependency’ to only match findings for direct dependencies, or ‘Transitive Dependency’ to only match findings for transitive dependencies. |
Dependency Reachability | Select ‘Reachable Dependency’ and ‘Potentially Reachable Dependency’ to only match findings where the vulnerable dependency is reachable. |
Function Reachability | Select ‘Reachable Function’ and ‘Potentially Reachable Function’ to only match findings where the vulnerable function is reachable. |
Exclude Test | Select ‘Yes’ to exclude test dependencies. |
Source Code Ecosystem | Match finding ecosystem. |
Finding Meta Tag | Only match findings that have this meta tag (set by the policy that created the finding). Note that these are different and separate from the system-defined finding tags. |
Exclude if Dependency Name Contains | Full or partial dependency names that the action policy should exclude, for example to exempt one specific dependency from this policy. |
Exclude if Package Name Contains | Full or partial package names that the action policy should exclude. The package is the resource the finding is raised against, that is, the package that directly or indirectly includes the affected dependency. |
Exclude findings for transitive dependencies | Exclude findings for transitive dependencies that can only be reached via other projects. This lets your team avoid acting on findings it does not control because they are introduced by libraries developed in other projects. |
Include CI/CD dependency findings | Select ‘Yes’ to include findings related to CI/CD dependencies. Note that CI/CD dependency findings are different from CI/CD tool findings. CI/CD dependency findings are for vulnerabilities in CI/CD dependency versions, while CI/CD tool findings are for the usage of a given tool. Findings related to CI/CD tools are included by default. |
Finding types
Findings are classified into the following types:
Finding Type | Description |
---|---|
Custom | Custom findings defined in custom policies. |
Dependency With Low Activity Score | Low Endor activity score. |
Dependency With Low Popularity Score | Low Endor popularity score. |
Dependency With Low Quality Score | Low Endor quality score. |
Dependency With Multiple Low Scores | More than one low Endor score. |
Dependency With Very Low Activity Score | Very low Endor activity score. |
Dependency With Very Low Popularity Score | Very low Endor popularity score. |
Dependency With Very Low Quality Score | Very low Endor quality score. |
License Risk | Missing, unknown, restricted, or problematic licenses. |
Malware Dependency | Known malicious dependencies reported by Open Source Vulnerabilities (OSV). |
Malware OSS Review | Potentially suspicious code that needs review. |
Missing Source Code | Associated source code is not auditable. |
Outdated Dependency | Dependencies on older versions than the current release. |
Typosquatted Dependency | Dependencies with intentionally similar names to popular packages. |
Unmaintained Dependency | Dependencies that are no longer maintained and may introduce vulnerabilities. |
Unpinned Dependency | Variable version specifications of dependencies. |
Unused Dependency | Unused dependencies in the code. |
Detected secrets
Allows you to define the action taken when a leaked secret is detected based on the validation status of the secret.
Parameter | Description |
---|---|
Validation Status | Select secret validation status: Valid, Invalid, or Unable to Validate. |
Outdated releases
Matches findings for dependencies that are on older versions than the current release and are not actively updated. The following parameters are supported:
Parameter | Description |
---|---|
Relationship | Select ‘Direct Dependency’ to only match findings for direct dependencies, or ‘Transitive Dependency’ to only match findings for transitive dependencies. |
Dependency Reachability | Select ‘Reachable Dependency’ and ‘Potentially Reachable Dependency’ to only match findings where the vulnerable dependency is reachable. |
Exclude Test | Exclude test dependencies from this policy. |
Source Code Ecosystem | Match finding ecosystem. |
Exclude if Dependency Name Contains | Full or partial dependency names that the action policy should exclude, for example to exempt one specific dependency from this policy. |
Exclude if Package Name Contains | Full or partial package names that the action policy should exclude. The package is the resource the finding is raised against, that is, the package that directly or indirectly includes the affected dependency. |
Exclude findings for transitive dependencies via other projects? | Exclude findings for transitive dependencies that can only be reached via other projects. This lets your team avoid acting on findings it does not control because they are introduced by libraries developed in other projects. |
Unmaintained dependencies
Matches findings based on dependencies that are no longer maintained or may have reached end-of-life. The following parameters are supported:
Parameter | Description |
---|---|
Relationship | Select ‘Direct Dependency’ to only match findings for direct dependencies, or ‘Transitive Dependency’ to only match findings for transitive dependencies. |
Dependency Reachability | Select ‘Reachable Dependency’ and ‘Potentially Reachable Dependency’ to only match findings where the vulnerable dependency is reachable. |
Exclude Test | Exclude test dependencies from this policy. |
Source Code Ecosystem | Match finding ecosystem. |
Exclude if Dependency Name Contains | Full or partial dependency names that the action policy should exclude, for example to exempt one specific dependency from this policy. |
Exclude if Package Name Contains | Full or partial package names that the action policy should exclude. The package is the resource the finding is raised against, that is, the package that directly or indirectly includes the unmaintained dependency. |
Exclude findings for transitive dependencies via other projects? | Exclude findings for transitive dependencies that can only be reached via other projects. This lets your team avoid acting on findings it does not control because they are introduced by libraries developed in other projects. |
Unpinned direct dependencies
Matches findings for direct dependencies whose version is not pinned to a single exact version, for example because no version or only a version range is specified. Supported configuration parameters for this action policy template are:
Parameter | Description |
---|---|
Exclude Test | Exclude test dependencies from this policy. |
Source Code Ecosystem | Match finding ecosystem. |
Exclude if Dependency Name Contains | Full or partial dependency names that the action policy should exclude, for example to exempt one specific dependency from this policy. |
Exclude if Package Name Contains | Full or partial package names that the action policy should exclude. The package is the resource the finding is raised against, that is, the package that directly or indirectly includes the affected dependency. |
Exclude findings for transitive dependencies via other projects? | Exclude findings for transitive dependencies that can only be reached via other projects. This lets your team avoid acting on findings it does not control because they are introduced by libraries developed in other projects. |
Unreachable direct dependencies
Matches findings for direct dependencies that are not used or called anywhere within the project. Supported configuration parameters for this action policy template are:
Parameter | Description |
---|---|
Exclude Test | Exclude test dependencies from this policy. |
Source Code Ecosystem | Match finding ecosystem. |
Exclude if Dependency Name Contains | Full or partial dependency names that the action policy should exclude, for example to exempt one specific dependency from this policy. |
Exclude if Package Name Contains | Full or partial package names that the action policy should exclude. The package is the resource the finding is raised against, that is, the package that directly or indirectly includes the affected dependency. |
Exclude findings for transitive dependencies via other projects? | Exclude findings for transitive dependencies that can only be reached via other projects. This lets your team avoid acting on findings it does not control because they are introduced by libraries developed in other projects. |
Vulnerabilities
Matches findings that are vulnerabilities that meet specific parameters. The following parameters are supported:
Parameter | Description |
---|---|
Vulnerability ID | Full vulnerability identifier, for example, CVE-2024-3727 or GHSA-qh2h-chj9-jffq (case insensitive). |
Severity | Only match findings with this severity. |
Fix Availability | Select ‘Fix Available’ to only match findings if a patch is available to fix the issue in the dependency. |
Relationship | Select ‘Direct Dependency’ to only match findings for direct dependencies, or ‘Transitive Dependency’ to only match findings for transitive dependencies. |
Dependency Reachability | Select ‘Reachable Dependency’ and ‘Potentially Reachable Dependency’ to only match findings where the vulnerable dependency is reachable. |
Function Reachability | Select ‘Reachable Function’ and ‘Potentially Reachable Function’ to only match findings where the vulnerable function is reachable. |
Exclude Test | Select ‘Yes’ to exclude test dependencies from this policy. |
EPSS Percentile Threshold | Only match findings with an EPSS percentile equal to or higher than this threshold (0.00-100.00). The EPSS percentile is the vulnerability's ranking, among all scored vulnerabilities, by likelihood of exploitation. |
EPSS Probability Threshold | Only match findings with an EPSS probability equal to or higher than this threshold (0.00-1.00). The EPSS probability is the estimated probability [0-1] that the vulnerability is exploited in the wild in the 30 days following score publication. |
Source Code Ecosystem | Match finding ecosystem. |
Exclude if Dependency Name Contains | Full or partial dependency names that the action policy should exclude, for example to exempt one specific dependency from this policy. |
Exclude if Package Name Contains | Full or partial package names that the action policy should exclude. The package is the resource the finding is raised against, that is, the package that directly or indirectly includes the vulnerable dependency. |
Exclude findings for transitive dependencies via other projects? | Exclude findings for transitive dependencies that can only be reached via other projects. This lets your team avoid acting on findings it does not control because they are introduced by libraries developed in other projects. |
Include CI/CD dependency findings | Select ‘Yes’ to include findings related to CI/CD dependencies. Note that CI/CD dependency findings are different from CI/CD tool findings. CI/CD dependency findings are for vulnerabilities in CI/CD dependency versions, while CI/CD tool findings are for the usage of a given tool. Findings related to CI/CD tools are included by default. |
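To make the parameter semantics concrete, the following Python model is an added example (not Endor Labs' own implementation or API) of how a Vulnerabilities policy narrows a set of findings, including the PR-scan rule from the note at the top of the page that only findings absent from the baseline are considered. The field names, the assumption that every set parameter must hold at once (AND), that "contains" exclusions are case-insensitive substring matches, and the (vulnerability, package, dependency) identity used to compare a PR finding against the baseline are this example's own assumptions; the two sample scans are constructed, and only the two vulnerability IDs quoted on this page are used.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding. Field names are this example's own, not Endor Labs' schema."""
    vuln_id: str             # e.g. CVE-2024-3727 or GHSA-qh2h-chj9-jffq
    severity: str            # CRITICAL, HIGH, MEDIUM or LOW
    package: str             # resource the finding is raised against
    dependency: str          # dependency carrying the vulnerability
    relationship: str        # DIRECT or TRANSITIVE
    fix_available: bool
    dep_reachability: str    # REACHABLE, POTENTIALLY_REACHABLE or UNREACHABLE
    epss_percentile: float   # 0.00-100.00
    epss_probability: float  # 0.00-1.00
    ecosystem: str
    is_test: bool = False
    via_other_project: bool = False  # reachable only through another project


@dataclass
class VulnerabilityPolicy:
    """Parameters of the Vulnerabilities template; an unset parameter does not narrow the match."""
    vuln_id: Optional[str] = None
    severities: FrozenSet[str] = frozenset()
    fix_available: Optional[bool] = None
    relationship: Optional[str] = None
    dep_reachability: FrozenSet[str] = frozenset()
    exclude_test: bool = False
    epss_percentile_min: float = 0.0
    epss_probability_min: float = 0.0
    ecosystems: FrozenSet[str] = frozenset()
    exclude_dependency_contains: Tuple[str, ...] = ()
    exclude_package_contains: Tuple[str, ...] = ()
    exclude_via_other_projects: bool = False

    def matches(self, f: Finding) -> bool:
        # Assumption: all set parameters must hold (AND); any exclusion wins.
        if self.vuln_id and f.vuln_id.casefold() != self.vuln_id.casefold():
            return False  # vulnerability IDs compare case-insensitively
        if self.severities and f.severity not in self.severities:
            return False
        if self.fix_available is not None and f.fix_available != self.fix_available:
            return False
        if self.relationship and f.relationship != self.relationship:
            return False
        if self.dep_reachability and f.dep_reachability not in self.dep_reachability:
            return False
        if self.exclude_test and f.is_test:
            return False
        # Two different scales: percentile is 0-100, probability is 0-1.
        if f.epss_percentile < self.epss_percentile_min:
            return False
        if f.epss_probability < self.epss_probability_min:
            return False
        if self.ecosystems and f.ecosystem not in self.ecosystems:
            return False
        # "Contains" exclusions: substring matches, assumed case-insensitive.
        if any(s.casefold() in f.dependency.casefold() for s in self.exclude_dependency_contains):
            return False
        if any(s.casefold() in f.package.casefold() for s in self.exclude_package_contains):
            return False
        if self.exclude_via_other_projects and f.via_other_project:
            return False
        return True


def finding_key(f: Finding) -> Tuple[str, str, str]:
    # Assumed identity for the baseline comparison: same vuln, package and dependency.
    return (f.vuln_id.casefold(), f.package, f.dependency)


def new_findings(pr: Iterable[Finding], baseline: Iterable[Finding]) -> List[Finding]:
    """PR scans act only on findings that are absent from the baseline scan."""
    seen = {finding_key(b) for b in baseline}
    return [f for f in pr if finding_key(f) not in seen]


def evaluate(policy: VulnerabilityPolicy, pr: Iterable[Finding], baseline: Iterable[Finding]) -> List[Finding]:
    return [f for f in new_findings(pr, baseline) if policy.matches(f)]


# Constructed sample scans; package and dependency names are made up for this example.
def _f(vuln_id, severity, package, dependency, **kw) -> Finding:
    defaults = dict(relationship="DIRECT", fix_available=True, dep_reachability="REACHABLE",
                    epss_percentile=97.5, epss_probability=0.45, ecosystem="npm")
    defaults.update(kw)
    return Finding(vuln_id, severity, package, dependency, **defaults)

PR_SCAN = [
    _f("CVE-2024-3727", "CRITICAL", "svc-api", "libalpha"),                        # new: should match
    _f("CVE-2024-3727", "CRITICAL", "svc-worker", "libalpha"),                     # already in baseline
    _f("GHSA-qh2h-chj9-jffq", "HIGH", "svc-api", "libbeta", fix_available=False),  # no fix yet
    _f("GHSA-qh2h-chj9-jffq", "HIGH", "svc-api", "internal-shared-lib",
       relationship="TRANSITIVE", via_other_project=True),                       # excluded by name
    _f("CVE-2024-3727", "MEDIUM", "svc-api", "libgamma", epss_probability=0.02),   # severity/EPSS too low
    _f("CVE-2024-3727", "CRITICAL", "svc-api", "libdelta", is_test=True),          # test dependency
]
BASELINE_SCAN = [_f("CVE-2024-3727", "CRITICAL", "svc-worker", "libalpha")]

# A typical PR-blocking policy: fixable, reachable, high-severity, likely-exploited vulns only.
BLOCKING_POLICY = VulnerabilityPolicy(
    severities=frozenset({"CRITICAL", "HIGH"}), fix_available=True,
    dep_reachability=frozenset({"REACHABLE", "POTENTIALLY_REACHABLE"}),
    exclude_test=True, epss_probability_min=0.10,
    exclude_dependency_contains=("internal-",), exclude_via_other_projects=True,
)


def blocking_matches() -> List[str]:
    return [f.dependency for f in evaluate(BLOCKING_POLICY, PR_SCAN, BASELINE_SCAN)]


def matches_for_id(vuln_id: str) -> List[str]:
    # A policy keyed on one vulnerability ID; lowercase input still matches.
    return [f.dependency for f in evaluate(VulnerabilityPolicy(vuln_id=vuln_id), PR_SCAN, BASELINE_SCAN)]


if __name__ == "__main__":
    print(blocking_matches())                     # ['libalpha']
    print(matches_for_id("ghsa-qh2h-chj9-jffq"))  # ['libbeta', 'internal-shared-lib']
```

Of the six PR findings only `libalpha` in `svc-api` survives the blocking policy: the same vulnerability in `svc-worker` is dropped by the baseline comparison before the policy runs, and the rest fail one parameter each. The ID-only policy shows why a narrowly scoped template still needs exclusions: it matches the `internal-` library that the blocking policy deliberately left out.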