This is the multi-page printable view of this section.
Click here to print.
Return to the regular view of this page.
Release notes
Endor Labs helps you select, secure, and maintain dependencies, so development moves fast and supply chain risk remains low. The following release notes highlight the most recent major capabilities and any major bug fixes published by Endor Labs.
We are excited to introduce the latest features and enhancements in Endor Labs.
Upgrade to endorctl version 1.6.734 or later for container scans Breaking change
Endor Labs has significantly improved container scanning, enhancing the accuracy of findings. As a result, container scans performed with older endorctl versions may yield different or no results in some cases.
To ensure accurate scans, upgrade endorctl to version 1.6.734 or higher.
Run endorctl --version
to check your current version. For instructions on upgrading endorctl, see Install Endor Labs on your local system.
Endor Labs upgrade impact analysis now extends its capabilities to support Kotlin, Scala, and .NET projects, complementing the existing support for Python and Java to streamline dependency upgrades across more languages. For more information, see Remediation support matrix.
Container base images from untrusted sources may lack proper security audits or fail to comply with organizational standards, increasing the risk of vulnerabilities being exploited. To address this, you can now configure a finding policy to detect unauthorised base images and raise a critical finding. For more information, see Container policies.
Export multiple package versions in SBOM Enhancement
You can now export multiple package versions in an SBOM through the Endor Labs user interface. This feature allows aggregating multiple package versions of a project in a single SBOM file. You can choose packages and package versions of a project, which you can export as an SBOM file. For more information, see Export an SBOM at the project level.
My Packages removed from Endor Labs user interface
My Packages page is no longer available on the Endor Labs user interface. Instead, you can view packages and package versions associated with a project under Projects. Use the package versions filter in Projects to filter by specific package criteria.
We are excited to introduce the latest features and enhancements in Endor Labs.
Endor Labs Integration with Microsoft Defender for Cloud New
You can now set up an integration between Endor Labs and Microsoft Defender for Cloud.
This integration allows you to access reachability analysis directly within the Microsoft Defender for Cloud console, enabling you to prioritize fixes based on exploitability without switching between tools. Additionally, you can view detailed attack paths that reveal where vulnerable code is running throughout the SDLC and in the cloud, providing a new way to prioritize which vulnerabilities to remediate first.
For more information, see Set up Microsoft Defender for Cloud integration with Endor Labs.
Azure DevOps App New
Endor Labs now provides an Azure DevOps app that you can use to onboard your Azure Repos and continuously monitor in Endor Labs. You can seamlessly integrate your Azure project to an Endor Labs namespace. The Azure repos in the project are scanned every 24-hours, and you can initiate a rescan according to your convenience.
For more information, see Azure DevOps App.
Analytics dashboard New
Endor Labs’ new Analytics dashboard provides a comprehensive overview of your security metrics, tracking vulnerability trends, and resolution times across projects. You can use it to quickly assess risk levels, monitor progress, and identify areas for improving your security posture. For more information, see Analytics dashboard
Function level reachability for JavaScript projects (Beta) New
Endor Labs is excited to announce the function level reachability analysis for JavaScript/TypeScript projects.
You can now track the exact portion of the code in a dependency that is being reused by a program. Endor Labs generates call graphs for JavaScript/TypeScript projects to help you:
- Analyze the dependencies and relationships among various functions in JavaScript projects. They help identify functions or methods with known vulnerabilities or potential security issues.
- Examine the call graph to identify the functions that directly or indirectly call the vulnerable functions by tracing the paths of execution.
- Prioritize the vulnerabilities based on their severity, threat levels, and application importance.
Call graphs assist users in comprehending the potential consequences and enable them to prioritize the resolution of vulnerabilities that are more likely to result in additional exploitation.
For more information, see Scan JavaScript/TypeScript projects.
Configure Endor Labs to integrate with AWS CodeArtifact to use private libraries to build and scan your software.
You can set up an OpenID Connect provider in AWS and create roles with trust policies to allow Endor Labs access to your CodeArtifact repositories. For more information, see Configure package manager integrations with AWS CodeArtifact.
While scanning projects using the GitHub App, you can configure a scan profile and assign it to your projects directly from the Endor Labs user interface.
For more information, see Configure Scan profile.
Differentiate base image and application layer vulnerabilities Enhancement
While scanning containers, you can now distinguish the base image related vulnerabilities from those in the application layer by first scanning the base image, followed by scanning any images built on top of it.
For more information, see Discover base images.
Support for Go image with Bazel Enhancement
Endor Labs now supports scanning Go image with Bazel. For more information, see Select and build your Bazel targets.
Include resolved status for Jira integration Enhancement
Enhanced the RESOLVED STATUS configuration for Jira integrations. You can now specify a custom resolved status such as Completed for updating Jira tickets after findings are resolved. If no status is provided, Endor Labs will default to Done
, Resolved
, Closed
, or Fixed
based on the project settings. For more information, see Configure Jira integration.
Dependency detection for GitHub Action packages Enhancement
Endor Labs no longer detects test dependencies in GitHub Action packages. This update reduces the number of transitive dependencies detected for GitHub Action packages, thereby streamlining dependency analysis and improving overall clarity.
We are excited to introduce the latest features and enhancements in Endor Labs.
Find and evaluate AI models New
You can now view AI models from Hugging Face on the Endor Labs platform. Search for AI models and review their Endor scores, including security, activity, popularity, and quality. These scores help you make informed decisions before integrating models into your organization. See Discover AI models for more information.
Scan Java projects without pom.xml New
You can now scan Java projects that do not have a pom.xml
file. This feature enables Endor Labs to scan a non-Maven and non-Gradle Java artifact, and provide the list of unresolved dependencies, resolved dependencies, and dependency tree. You can set the environment variables ENDOR_JVM_USE_ARTIFACT_SCAN
,ENDOR_JVM_USE_ARTIFACT_SCAN_CLASSPATH
, and ENDOR_JVM_FIRST_PARTY_PACKAGE
to facilitate the scan of projects that contain such artifacts. See Scan projects without pom.xml for more information.
Export multiple package versions in SBOM New
You can now export multiple package versions in an SBOM through endorctl with the new command options --package-version-uuids
, --project-uuid
, and --project-name
. This feature allows aggregating multiple package versions across one or many projects in a single SBOM file. See Export multiple package versions in SBOM for more information.
Enhanced user interface to view findings of a project Enhancement
Endor Labs has a new user interface to view findings of a project.
- Findings list: The new findings come in a tabular format with columns that include location, EPSS, tags, and more.
- Preset filters: Preset filters help you to look for the category of findings you care about the most. For example, Prioritized Findings gives the list of critical vulnerability findings in the last 30 days that have either a reachable function or a reachable dependency, are not test dependencies, and have an available fix.
- Detailed drawers: This side panel drawer provides detailed metadata inside the drawer that includes risk details, fix info, and call graphs when available.
The new updates are designed to enhance your experience by providing:
- Modern look and feel: A refreshed, modern design that’s cleaner and more intuitive.
- Enhanced navigation bar: Streamlined menus to help you find what you need faster.
- Improved performance: Faster load times and smoother transitions for a more efficient workflow with default filters pre-loaded.
See View findings associated with a project for more information.
The following enhancements are now available for specifying project build toolchains:
-
Auto detection of build tools - You can enable auto detection of build tools for their projects based on the manifest files present in the repository. Auto detection is supported for Long Term Support (LTS) versions of Java, Python, Go, and .NET (C#) projects. See Enable auto detection for more information.
-
Specify toolchains with scanprofile.yaml - You must now specify build toolchains in the scanprofile.yaml
file, a multi-document yaml file with a structure similar to Kubernetes configuration files. Previously, build toolchains were defined in the profile.yaml
file. See Manage build tools for more information.
Jira integration Enhancement
When integrating Jira with Endor Labs, you can:
- Specify an issue type from the custom Jira project such as Bug, Task, Epic, Story, or any other value when raising a Jira ticket. This enables efficient categorization and tracking of issues within the project.
- Configure the integration to define custom fields with appropriate values, that align with your organization’s workflows. For instance, you can create key-value pairs like
Source = Endor Labs
to associate specific information with each Jira ticket raised from Endor Labs.
Note
Make sure the endortcl version is v1.6.547 to use ISSUE TYPE and v1.6.567 or higher to use Custom Fields.
See Set up Jira integration with Endor Labs for more information.
Support for Bazel with Gazelle in vendored mode in Go projects Enhancement
Endor Labs now supports scanning Go projects that use Bazel with Gazelle in vendored mode. See Scan Go projects using Bazel with Gazelle in vendored mode
Kotlin 2.0 Support Enhancement
Endor Labs has extended Kotlin support to include version 2.0. With this enhancement, Endor Labs supports Kotlin projects from version 1.4 to 2.0.
Other enhancements Enhancement
-
Archived repositories - The Endor Labs GitHub App no longer scans archived repositories by default. To include archived repositories in the scan, you can adjust the preferences during the GitHub App installation or by editing the integration settings afterwards.
-
Name change from SCPM to RSPM - Endor Labs now uses RSPM (Repository Security Posture Management) as the standard terminology for all SCPM (Source Code Posture Management) policies and findings across the user interface and documentation. Previously, both RSPM and SCPM were used interchangeably.
-
Removal of Dismiss Findings - You can no longer dismiss a finding from the Findings page on the Endor Labs user interface. Instead, you can apply an exception policy if you want the finding to not trigger any action policy. See Apply exception to findings.
We are excited to introduce the latest features and enhancements in Endor Labs.
Enhanced user interface for Global Findings New
Endor Labs has a new user interface for viewing all findings.
- Findings list: The new findings come in a tabular format with columns that include location, EPSS, tags, and more
- Preset filters: These preset filters help you to look for the category of findings you care about the most.
For example, Prioritized Findings gives you a List of critical vulnerability findings in the last 30 days that have either a reachable function or a reachable dependency, are not test dependencies, and have an available fix.
- Detailed drawers: This side panel drawer provides detailed metadata inside the drawer that includes risk details, fix info, and call graphs when available.
The new updates are designed to enhance your experience by providing:
- Modern look and feel: A refreshed, modern design that’s cleaner and more intuitive.
- Enhanced navigation bar: Streamlined menus to help you find what you need faster.
- Improved performance: Faster load times and smoother transitions for a more efficient workflow with default filters pre-loaded.
.
Scan Scala projects with Bazel Enhancement
Users can now scan Scala projects with Bazel using endorctl scan --use-bazel
. By leveraging this command as a Bazel rule, you can analyze dependencies while using Bazel commands.
- Bazel Integration: Scan Scala projects by calling the endorctl scan command as a Bazel rule, ensuring smooth integration with Bazel workflows.
- Targeted Scanning: Choose between scanning the entire repository or specific Scala targets using Bazel rules. You can also use a Bazel query to scan targets based on specific criteria.
- Incremental Scans: Execute scans by focusing only on recently updated targets, optimizing the scanning process for enhanced efficiency.
For more information, see Scan with Bazel.
Discover container base images Enhancement
Endor Labs container scan automatically identifies the base image used in your container, along with its dependencies, such as software packages and libraries. This enables you to perform a comprehensive security assessment by detecting any vulnerabilities in the base image, ensuring your containers are secure.
You can view and filter dependencies based on the container images.
For more details, see Discover container images
.
Integrate Endor Labs with Google Cloud Build Enhancement
Integrate security scans into your Google Cloud Build pipelines to automatically detect vulnerabilities and issues during the development process. By performing scans within Google Cloud Build, you ensure that code changes are analyzed before deployment, strengthening the security and reliability of your cloud-native applications.
For more details, see Scan with Google Cloud Build.
We are excited to introduce you to the latest version of Endor Labs and endorctl - v1.6.448. This release includes new features and enhancements.
Upgrades and recommendations (Beta) New
Endor Labs upgrade and remediation workflows provide an end-to-end solution to help you discover, prioritize, manage, and resolve risks in your software development environment.
- Upgrade Impact Analysis: Endor Labs identifies and recommends upgrades for your dependencies. By pinpointing the distinct actions that can resolve your vulnerabilities and mitigate the risks associated with updates, your security program can make more informed risk management decisions and triage issues more effectively.
- Endor Patches: Endor Labs backports security fixes to your packages, allowing you to minimize the impact of software updates. By using an Endor patch, you can update the libraries with a minimal viable security patch that reduces your risk of breaking changes, bugs, or performance issues associated with an upgrade.
For more information, see Upgrades and remediation.
Endor Labs provides you with the following options to define tools necessary for building your software while performing endorctl scans:
- Specify tool chain configuration through endorctl API.
- Specify tool chain configuration through profile.yaml file.
- Falls back to the system default values for your tool chain specifications.
Endor Labs will automatically install build tools in a sandbox to ensure you can run highly accurate scans. Build tools are not installed on your host. For more information, see Manage build tools.
Support for Azure pipelines and Azure Advanced Security New
You can integrate endorctl inside an Azure pipeline and view the scan results in Azure Advanced Security.
When you integrate endorctl in the Azure pipeline, endorctl scan runs and generates SARIF files during the pipeline run. The SARIF file is consumed by Advanced Security in your Azure repository. By configuring this integration, you can use Endor Labs seamlessly within the Azure ecosystem to enhance security and streamline workflows. For more information, see Scan with Azure Pipelines.
Changes to endorctl CLI options Enhancement
Endor Labs is introducing two new endorctl CLI options --include-path
and --exclude-path
to replace the existing include
and exclude
options.
- Using these new options, you can specify the file paths or patterns to exclude or include from the endorctl scan using Glob style expressions which are easier to use.
- You can easily scope your scans by defining inclusion or exclusion patterns. See scoping scans for more details.
The existing --include
and --exclude
options are deprecated. However, if these options are already in use, such as in a script, the updates remain backwards compatible, ensuring continued functionality.
Changes to the default view on the Findings page Enhancement
By default, Endor Labs now displays findings that meet the following criteria in the Findings page:
- Critical severity vulnerabilities
- Reachable vulnerabilities
- Vulnerabilities with EPSS probability above 1%
- Security vulnerabilities
- Vulnerabilities created in the last week
Previously, the Findings page displayed all findings when you opened the Findings page.
You can use the basic or advanced filters to view additional findings. For more information, see View Findings.
Container action policy templates Enhancement
Endor Labs now provides action policy templates that you can use to quickly create action policies specific to container scanning. For more information, see Action policy templates.
PDM package manager support for Python projects Enhancement
Endor Labs now offers support for scanning Python projects that use PDM as their package manager. For more information, see Scan Python projects.
New fields to filter project dependencies Enhancement
You can filter project dependencies and export additional fields for project dependencies with the following new fields:
- License File
- License Matched Text
- License Name
- License Type
- License URL
Sign up with GitHub Enhancement
You can now sign up to Endor Labs with your GitHub account.
Quickstart with Endor Labs GitHub App Enhancement
Endor Labs GitHub App is now available as an option in quick start. The Endor Labs GitHub App allows you to quickly set up your GitHub repositories in Endor Labs and initiate scans. For more information, see Quick start with GitHub App.
We are excited to introduce you to the latest version of Endor Labs and endorctl - v1.6.372. This release includes new features and enhancements.
Scan containers (Beta) New
Endor Labs introduces comprehensive container image scanning to help you identify and prioritize risks while ensuring compliance.
Key Features:
- Operating system packages: Detects packages installed via the container’s base OS package manager.
- Programming language packages: Identifies packages installed through language-specific package managers.
- Libraries and dependencies: Scans for static and dynamic libraries, and runtime dependencies required by the application.
In addition, Endor Labs generates an SBOM (Software Bill of Materials) that details all components, their versions, and associated metadata, providing a complete inventory of the container’s contents.
Customize notification templates Enhancement
Endor Labs provides out-of-the-box notification templates with standard information for policy violation messages in GitHub PR comments, webhooks, email, and Slack notifications. You can use the default template or customize it to fit your organization’s specific requirements. Additionally, you can create your custom templates using Go Templates.
For more details, see
1 - December 2024
We are excited to introduce the latest features and enhancements in Endor Labs.
Upgrade to endorctl version 1.6.734 or later for container scans Breaking change
Endor Labs has significantly improved container scanning, enhancing the accuracy of findings. As a result, container scans performed with older endorctl versions may yield different or no results in some cases.
To ensure accurate scans, upgrade endorctl to version 1.6.734 or higher.
Run endorctl --version
to check your current version. For instructions on upgrading endorctl, see Install Endor Labs on your local system.
Endor Labs upgrade impact analysis now extends its capabilities to support Kotlin, Scala, and .NET projects, complementing the existing support for Python and Java to streamline dependency upgrades across more languages. For more information, see Remediation support matrix.
Container base images from untrusted sources may lack proper security audits or fail to comply with organizational standards, increasing the risk of vulnerabilities being exploited. To address this, you can now configure a finding policy to detect unauthorised base images and raise a critical finding. For more information, see Container policies.
Export multiple package versions in SBOM Enhancement
You can now export multiple package versions in an SBOM through the Endor Labs user interface. This feature allows aggregating multiple package versions of a project in a single SBOM file. You can choose packages and package versions of a project, which you can export as an SBOM file. For more information, see Export an SBOM at the project level.
My Packages removed from Endor Labs user interface
My Packages page is no longer available on the Endor Labs user interface. Instead, you can view packages and package versions associated with a project under Projects. Use the package versions filter in Projects to filter by specific package criteria.
2 - November 2024
We are excited to introduce the latest features and enhancements in Endor Labs.
Endor Labs Integration with Microsoft Defender for Cloud New
You can now set up an integration between Endor Labs and Microsoft Defender for Cloud.
This integration allows you to access reachability analysis directly within the Microsoft Defender for Cloud console, enabling you to prioritize fixes based on exploitability without switching between tools. Additionally, you can view detailed attack paths that reveal where vulnerable code is running throughout the SDLC and in the cloud, providing a new way to prioritize which vulnerabilities to remediate first.
For more information, see Set up Microsoft Defender for Cloud integration with Endor Labs.
Azure DevOps App New
Endor Labs now provides an Azure DevOps app that you can use to onboard your Azure Repos and continuously monitor in Endor Labs. You can seamlessly integrate your Azure project to an Endor Labs namespace. The Azure repos in the project are scanned every 24-hours, and you can initiate a rescan according to your convenience.
For more information, see Azure DevOps App.
Analytics dashboard New
Endor Labs’ new Analytics dashboard provides a comprehensive overview of your security metrics, tracking vulnerability trends, and resolution times across projects. You can use it to quickly assess risk levels, monitor progress, and identify areas for improving your security posture. For more information, see Analytics dashboard
Function level reachability for JavaScript projects (Beta) New
Endor Labs is excited to announce the function level reachability analysis for JavaScript/TypeScript projects.
You can now track the exact portion of the code in a dependency that is being reused by a program. Endor Labs generates call graphs for JavaScript/TypeScript projects to help you:
- Analyze the dependencies and relationships among various functions in JavaScript projects. They help identify functions or methods with known vulnerabilities or potential security issues.
- Examine the call graph to identify the functions that directly or indirectly call the vulnerable functions by tracing the paths of execution.
- Prioritize the vulnerabilities based on their severity, threat levels, and application importance.
Call graphs assist users in comprehending the potential consequences and enable them to prioritize the resolution of vulnerabilities that are more likely to result in additional exploitation.
For more information, see Scan JavaScript/TypeScript projects.
Configure Endor Labs to integrate with AWS CodeArtifact to use private libraries to build and scan your software.
You can set up an OpenID Connect provider in AWS and create roles with trust policies to allow Endor Labs access to your CodeArtifact repositories. For more information, see Configure package manager integrations with AWS CodeArtifact.
While scanning projects using the GitHub App, you can configure a scan profile and assign it to your projects directly from the Endor Labs user interface.
For more information, see Configure Scan profile.
Differentiate base image and application layer vulnerabilities Enhancement
While scanning containers, you can now distinguish the base image related vulnerabilities from those in the application layer by first scanning the base image, followed by scanning any images built on top of it.
For more information, see Discover base images.
Support for Go image with Bazel Enhancement
Endor Labs now supports scanning Go image with Bazel. For more information, see Select and build your Bazel targets.
Include resolved status for Jira integration Enhancement
Enhanced the RESOLVED STATUS configuration for Jira integrations. You can now specify a custom resolved status such as Completed for updating Jira tickets after findings are resolved. If no status is provided, Endor Labs will default to Done
, Resolved
, Closed
, or Fixed
based on the project settings. For more information, see Configure Jira integration.
Dependency detection for GitHub Action packages Enhancement
Endor Labs no longer detects test dependencies in GitHub Action packages. This update reduces the number of transitive dependencies detected for GitHub Action packages, thereby streamlining dependency analysis and improving overall clarity.
3 - October 2024
We are excited to introduce the latest features and enhancements in Endor Labs.
Find and evaluate AI models New
You can now view AI models from Hugging Face on the Endor Labs platform. Search for AI models and review their Endor scores, including security, activity, popularity, and quality. These scores help you make informed decisions before integrating models into your organization. See Discover AI models for more information.
Scan Java projects without pom.xml New
You can now scan Java projects that do not have a pom.xml
file. This feature enables Endor Labs to scan a non-Maven and non-Gradle Java artifact, and provide the list of unresolved dependencies, resolved dependencies, and dependency tree. You can set the environment variables ENDOR_JVM_USE_ARTIFACT_SCAN
,ENDOR_JVM_USE_ARTIFACT_SCAN_CLASSPATH
, and ENDOR_JVM_FIRST_PARTY_PACKAGE
to facilitate the scan of projects that contain such artifacts. See Scan projects without pom.xml for more information.
Export multiple package versions in SBOM New
You can now export multiple package versions in an SBOM through endorctl with the new command options --package-version-uuids
, --project-uuid
, and --project-name
. This feature allows aggregating multiple package versions across one or many projects in a single SBOM file. See Export multiple package versions in SBOM for more information.
Enhanced user interface to view findings of a project Enhancement
Endor Labs has a new user interface to view findings of a project.
- Findings list: The new findings come in a tabular format with columns that include location, EPSS, tags, and more.
- Preset filters: Preset filters help you to look for the category of findings you care about the most. For example, Prioritized Findings gives the list of critical vulnerability findings in the last 30 days that have either a reachable function or a reachable dependency, are not test dependencies, and have an available fix.
- Detailed drawers: This side panel drawer provides detailed metadata inside the drawer that includes risk details, fix info, and call graphs when available.
The new updates are designed to enhance your experience by providing:
- Modern look and feel: A refreshed, modern design that’s cleaner and more intuitive.
- Enhanced navigation bar: Streamlined menus to help you find what you need faster.
- Improved performance: Faster load times and smoother transitions for a more efficient workflow with default filters pre-loaded.
See View findings associated with a project for more information.
The following enhancements are now available for specifying project build toolchains:
-
Auto detection of build tools - You can enable auto detection of build tools for their projects based on the manifest files present in the repository. Auto detection is supported for Long Term Support (LTS) versions of Java, Python, Go, and .NET (C#) projects. See Enable auto detection for more information.
-
Specify toolchains with scanprofile.yaml - You must now specify build toolchains in the scanprofile.yaml
file, a multi-document yaml file with a structure similar to Kubernetes configuration files. Previously, build toolchains were defined in the profile.yaml
file. See Manage build tools for more information.
Jira integration Enhancement
When integrating Jira with Endor Labs, you can:
- Specify an issue type from the custom Jira project such as Bug, Task, Epic, Story, or any other value when raising a Jira ticket. This enables efficient categorization and tracking of issues within the project.
- Configure the integration to define custom fields with appropriate values, that align with your organization’s workflows. For instance, you can create key-value pairs like
Source = Endor Labs
to associate specific information with each Jira ticket raised from Endor Labs.
Note
Make sure the endortcl version is v1.6.547 to use ISSUE TYPE and v1.6.567 or higher to use Custom Fields.
See Set up Jira integration with Endor Labs for more information.
Support for Bazel with Gazelle in vendored mode in Go projects Enhancement
Endor Labs now supports scanning Go projects that use Bazel with Gazelle in vendored mode. See Scan Go projects using Bazel with Gazelle in vendored mode
Kotlin 2.0 Support Enhancement
Endor Labs has extended Kotlin support to include version 2.0. With this enhancement, Endor Labs supports Kotlin projects from version 1.4 to 2.0.
Other enhancements Enhancement
-
Archived repositories - The Endor Labs GitHub App no longer scans archived repositories by default. To include archived repositories in the scan, you can adjust the preferences during the GitHub App installation or by editing the integration settings afterwards.
-
Name change from SCPM to RSPM - Endor Labs now uses RSPM (Repository Security Posture Management) as the standard terminology for all SCPM (Source Code Posture Management) policies and findings across the user interface and documentation. Previously, both RSPM and SCPM were used interchangeably.
-
Removal of Dismiss Findings - You can no longer dismiss a finding from the Findings page on the Endor Labs user interface. Instead, you can apply an exception policy if you want the finding to not trigger any action policy. See Apply exception to findings.
4 - September 2024
We are excited to introduce the latest features and enhancements in Endor Labs.
Enhanced user interface for Global Findings New
Endor Labs has a new user interface for viewing all findings.
- Findings list: The new findings come in a tabular format with columns that include location, EPSS, tags, and more
- Preset filters: These preset filters help you to look for the category of findings you care about the most.
For example, Prioritized Findings gives you a List of critical vulnerability findings in the last 30 days that have either a reachable function or a reachable dependency, are not test dependencies, and have an available fix.
- Detailed drawers: This side panel drawer provides detailed metadata inside the drawer that includes risk details, fix info, and call graphs when available.
The new updates are designed to enhance your experience by providing:
- Modern look and feel: A refreshed, modern design that’s cleaner and more intuitive.
- Enhanced navigation bar: Streamlined menus to help you find what you need faster.
- Improved performance: Faster load times and smoother transitions for a more efficient workflow with default filters pre-loaded.
.
Scan Scala projects with Bazel Enhancement
Users can now scan Scala projects with Bazel using endorctl scan --use-bazel
. By leveraging this command as a Bazel rule, you can analyze dependencies while using Bazel commands.
- Bazel Integration: Scan Scala projects by calling the endorctl scan command as a Bazel rule, ensuring smooth integration with Bazel workflows.
- Targeted Scanning: Choose between scanning the entire repository or specific Scala targets using Bazel rules. You can also use a Bazel query to scan targets based on specific criteria.
- Incremental Scans: Execute scans by focusing only on recently updated targets, optimizing the scanning process for enhanced efficiency.
For more information, see Scan with Bazel.
Discover container base images Enhancement
Endor Labs container scan automatically identifies the base image used in your container, along with its dependencies, such as software packages and libraries. This enables you to perform a comprehensive security assessment by detecting any vulnerabilities in the base image, ensuring your containers are secure.
You can view and filter dependencies based on the container images.
For more details, see Discover container images
.
Integrate Endor Labs with Google Cloud Build Enhancement
Integrate security scans into your Google Cloud Build pipelines to automatically detect vulnerabilities and issues during the development process. By performing scans within Google Cloud Build, you ensure that code changes are analyzed before deployment, strengthening the security and reliability of your cloud-native applications.
For more details, see Scan with Google Cloud Build.
5 - August 2024
We are excited to introduce you to the latest version of Endor Labs and endorctl - v1.6.448. This release includes new features and enhancements.
Upgrades and recommendations (Beta) New
Endor Labs upgrade and remediation workflows provide an end-to-end solution to help you discover, prioritize, manage, and resolve risks in your software development environment.
- Upgrade Impact Analysis: Endor Labs identifies and recommends upgrades for your dependencies. By pinpointing the distinct actions that can resolve your vulnerabilities and mitigate the risks associated with updates, your security program can make more informed risk management decisions and triage issues more effectively.
- Endor Patches: Endor Labs backports security fixes to your packages, allowing you to minimize the impact of software updates. By using an Endor patch, you can update the libraries with a minimal viable security patch that reduces your risk of breaking changes, bugs, or performance issues associated with an upgrade.
For more information, see Upgrades and remediation.
Endor Labs provides you with the following options to define tools necessary for building your software while performing endorctl scans:
- Specify tool chain configuration through endorctl API.
- Specify tool chain configuration through profile.yaml file.
- Falls back to the system default values for your tool chain specifications.
Endor Labs will automatically install build tools in a sandbox to ensure you can run highly accurate scans. Build tools are not installed on your host. For more information, see Manage build tools.
Support for Azure pipelines and Azure Advanced Security New
You can integrate endorctl inside an Azure pipeline and view the scan results in Azure Advanced Security.
When you integrate endorctl in the Azure pipeline, endorctl scan runs and generates SARIF files during the pipeline run. The SARIF file is consumed by Advanced Security in your Azure repository. By configuring this integration, you can use Endor Labs seamlessly within the Azure ecosystem to enhance security and streamline workflows. For more information, see Scan with Azure Pipelines.
Changes to endorctl CLI options Enhancement
Endor Labs is introducing two new endorctl CLI options --include-path
and --exclude-path
to replace the existing include
and exclude
options.
- Using these new options, you can specify the file paths or patterns to exclude or include from the endorctl scan using Glob style expressions which are easier to use.
- You can easily scope your scans by defining inclusion or exclusion patterns. See scoping scans for more details.
The existing --include
and --exclude
options are deprecated. However, if these options are already in use, such as in a script, the updates remain backwards compatible, ensuring continued functionality.
Changes to the default view on the Findings page Enhancement
By default, Endor Labs now displays findings that meet the following criteria in the Findings page:
- Critical severity vulnerabilities
- Reachable vulnerabilities
- Vulnerabilities with EPSS probability above 1%
- Security vulnerabilities
- Vulnerabilities created in the last week
Previously, the Findings page displayed all findings when you opened the Findings page.
You can use the basic or advanced filters to view additional findings. For more information, see View Findings.
Container action policy templates Enhancement
Endor Labs now provides action policy templates that you can use to quickly create action policies specific to container scanning. For more information, see Action policy templates.
PDM package manager support for Python projects Enhancement
Endor Labs now offers support for scanning Python projects that use PDM as their package manager. For more information, see Scan Python projects.
New fields to filter project dependencies Enhancement
You can filter project dependencies and export additional fields for project dependencies with the following new fields:
- License File
- License Matched Text
- License Name
- License Type
- License URL
Sign up with GitHub Enhancement
You can now sign up to Endor Labs with your GitHub account.
Quickstart with Endor Labs GitHub App Enhancement
Endor Labs GitHub App is now available as an option in quick start. The Endor Labs GitHub App allows you to quickly set up your GitHub repositories in Endor Labs and initiate scans. For more information, see Quick start with GitHub App.
6 - July 2024
We are excited to introduce you to the latest version of Endor Labs and endorctl - v1.6.372. This release includes new features and enhancements.
Scan containers (Beta) New
Endor Labs introduces comprehensive container image scanning to help you identify and prioritize risks while ensuring compliance.
Key Features:
- Operating system packages: Detects packages installed via the container’s base OS package manager.
- Programming language packages: Identifies packages installed through language-specific package managers.
- Libraries and dependencies: Scans for static and dynamic libraries, and runtime dependencies required by the application.
In addition, Endor Labs generates an SBOM (Software Bill of Materials) that details all components, their versions, and associated metadata, providing a complete inventory of the container’s contents.
Customize notification templates Enhancement
Endor Labs provides out-of-the-box notification templates with standard information for policy violation messages in GitHub PR comments, webhooks, email, and Slack notifications. You can use the default template or customize it to fit your organization’s specific requirements. Additionally, you can create your custom templates using Go Templates.
For more details, see
7 - Previous releases
Endor Labs releases that are older than six months.
7.1 - June 2024
We are excited to introduce you to the latest version of Endor Labs and endorctl - v1.6.330. This release includes new features and enhancements.
New Features
Endor Labs offerings
Endor Labs application now comes packaged in the following new license bundles, designed to offer flexible and comprehensive solutions to meet your organization’s unique needs.
- Endor Labs Supply Chain - Endor Labs Supply Chain is a single platform for open-source dependency management, CI/CD security, and compliance, providing comprehensive tools to ensure your software supply chain’s integrity and security.
- Endor Labs Open Source Core - Endor Labs Open Source Core includes basic SCA and SBOM capabilities, offering essential tools for open-source software management and security assessment.
- Endor Labs Open Source Pro - Endor Labs Open Source Pro includes all components of Endor Labs Open Source Core with additional features, providing an advanced suite for open-source software management.
- Endor Labs CI/CD - Endor Labs CI/CD includes components to strengthen the security posture of source code repositories and verify the integrity of your builds, ensuring secure and reliable CI/CD pipelines.
- Endor Labs SBOM Hub - Endor Labs SBOM Hub includes components to help manage your third-party SBOMs and generate findings, providing a centralized solution for software bill of materials management.
- Endor Labs Secrets - Endor Labs Secrets includes components to help you detect and prevent secret leaks.
For more details on Endor Labs’ offerings and the features they include, see pricing and packaging.
Exception policies
Exception policies define the conditions for applying an exception to a finding. When an exception is applied to a finding, it is tracked as an exception and action policies do not apply to it. Findings with exceptions are filtered out from Endor Labs reports by default.
For example, exception policies can be used to:
- Exclude a specific finding for a specific package from build breaking policies.
- Exclude specific vulnerabilities that are accepted across your organization.
- Mark an identified issue as a false positive.
The application also comes with templates that you can use to quickly create exception policies. Each exception policy template provides parameters to help you customize the conditions under which an exception is applied. See exception policies
Enhancements
GitHub Action policies
To address security and safety risks in GitHub actions, Endor Labs has introduced the following new out-of-the-box finding policies for GitHub Actions.
Policies for evaluating configuration settings in workflow files
- Default workflow token permission should be read only
- Workflows should not be allowed to create and approve pull requests
- Restrict the use of runner groups for public repositories
- Restrict runner groups to specific repositories
- Restrict GitHub Actions to selected repositories
Policies for assessing configuration settings in workflow files
- Script injection detected in GitHub workflow file
- Non OIDC cloud authentication detected in GitHub workflow file
- Secrets object detected in GitHub workflow file
- Untrusted code checkout detected in workflow file
See GitHub Action policies.
7.2 - May 2024
We are excited to introduce you to the latest version of Endor Labs and endorctl - v1.6.273. This release includes new features and enhancements.
New Features
Detect GitHub Actions (Beta)
Endor Labs provides comprehensive visibility into GitHub Action workflows used in your code repositories and helps you to:
- Assess the authenticity and reliability of the dependencies in your CI environment. This enables you to determine potential exposure to known or headline incidents.
- Ensures that the code in your CI workflows does not change without your knowledge. This reduces breaking changes and helps you manage your supply chain risks.
- Detect and identify if any vulnerable or malicious software is part of your CI environment.
For more information, see View GitHub Action findings.
To detect and view GitHub Action findings, run the endorctl scan with the --ghactions
flag.
For more information, see endorctl scan command.
Enhancements
Endor Labs introduces new widgets on the Dashboard to help you track the development hours and the cost metrics of your organization.
- The newly introduced Vulnerability Prioritization Funnel systematically assesses and categorizes vulnerabilities based on their severity and category. By applying this funnel approach, organizations can prioritize addressing the most critical, exploitable, and actionable vulnerabilities first, maximizing their security efforts.
- Visualize Dev Hours Saved and Cost Saved metrics on the dashboard to make more informed decisions, optimize resource allocation, and better manage project budgets.
For more information, see View Dashboards.
Support for .NET Prop files (Beta)
Endor Labs now provides the support to scan the following .NET Prop files.
- Package references in
Directory.Build.props
or Directory.Packages.props
files.
- Package references in any
*.props
file and the prop file is imported in the *.csproj
file.
- Package references in
*.Targets
file
For more information, see Scan .NET projects
npm for Windows operating systems
You can now use npm to install endorctl on Windows operating systems.
For more information, see Install endorctl with npm
Finding policies for Repository Security Posture Management
The following new out-of-the-box finding policies are included in the application for repository security posture management (RSPM).
Policy |
Severity |
Restrict the use of runner groups for public repositories |
High |
Restrict runner groups to specific repositories |
Medium |
Restrict the use of runner groups for public repositories |
High |
Script injection detected in GitHub workflow files |
High |
Organization webhooks must be configured with a secret |
Medium |
Repository webhooks must be configured with a secret |
Medium |
Default workflow token permission should be read only |
High |
Restrict general action permissions to organization members |
High |
Default member permissions should be restricted |
Medium |
For more information, see RSPM Policies.
endorctl commands
Note the updates to the following flags used with the endorctl scan.
Flag |
Environment variable |
Description |
Usage |
--dependencies |
ENDOR_SCAN_DEPENDENCIES |
Scan commits and generate findings for all dependencies. |
Using this flag will generate findings for dependencies only. Previously it was generating findings for tools and dependencies. To fetch findings for both tools and dependencies, run the endorctl scan with --tools and --dependencies . |
--github |
ENDOR_SCAN_GITHUB |
Scans GitHub repositories and generates findings for GitHub misconfigurations. |
Using this flag will generate findings for misconfigurations only. Previously it was generating findings for misconfigurations, tools, and dependencies. |
--tools |
ENDOR_SCAN_TOOLS |
Scans repositories and generates findings for CI/CD tools used in the source code repository. |
Using this flag will generate findings for CI/CD tools only. Use it with --github to include GitHub app. It requires a valid github token with read:org access . |
--pr-incremental |
ENDOR_SCAN_PR_INCREMENTAL |
Scan packages with dependencies that have changed compared to the baseline scan |
Use it with --pr-baseline or --enable-pr-comments to perform an incremental scan by ignoring any packages that have the same dependencies as the baseline. |
For more information, see endorctl scan command.
Dependency reachability
Note the following updates when you perform a deep scan for the following languages:
-
Python - The dependencies that are used in source code but not declared in the package’s manifest files are detected by default when you perform a deep scan on Python projects.
-
JavaScript/TypeScript - You must include the flag --call-graph-languages
with value javascript,typescript
to detect dependencies that are used in the source code but not declared in the JavaScript or TypeScript package’s manifest files.
The flag --phantom-dependencies
and its corresponding environment variable ENDOR_SCAN_PHANTOM_DEPS
is deprecated from this release.
7.3 - April 2024
We are excited to introduce you to the latest version of Endor Labs and endorctl - v1.6.220. This release includes new features and enhancements.
New Features
Sign artifacts (Beta)
You can now use Endor Labs to sign and verify software artifacts. Enhance your software supply chain security by:
-
Ensuring the authenticity of your software: Understand the origins of your software and confirm its legitimacy. Verify this through integrity checks and cryptographic validation. Using a cryptographic signature ensures that container images and other build artifacts are genuine and crafted by the organization. This adds an extra layer of security to the software supply chain, making sure that only trusted and unaltered items are scheduled deployed and released.
-
Tracking software origins: Streamline audits, issue resolution, and ownership attribution by linking your software artifacts to their respective source code repository, version, and additional ownership details. Complete traceability ensures transparency, enabling organizations to validate the entire lifecycle of their software, from creation to deployment.
For more information, see Artifact Signing.
Reachability analysis for Kotlin and Scala projects (Beta)
Endor Labs is excited to announce the reachability analysis for Kotlin and Scala projects.
You can now track the exact portion of the code in a dependency that is being reused by a program. Endor Labs generates call graphs for Kotlin and Scala projects to help you:
- Analyze the dependencies and relationships among various functions in Kotlin projects. They help identify functions or methods with known vulnerabilities or potential security issues.
- Users can examine the call graph to identify the functions that directly or indirectly call the vulnerable functions by tracing the paths of execution.
- Users can prioritize the vulnerabilities based on their severity, threat levels, and application importance.
Call graphs assist users in comprehending the potential consequences and enable them to prioritize the resolution of vulnerabilities that are more likely to result in additional exploitation.
Scan Swift and Objective-C projects (Beta)
We are excited to further extend our language scanning capabilities by incorporating support for the Swift and Objective-C projects. Endor Labs resolves dependencies in your projects by analyzing the Podfile and Podfile.lock files. Users can view finding policy violations and dependency graphs.
Manage your software risk and better understand the bill of materials associated with your software for Swift and Objective-C projects using CocoaPods.
For more information, see Endor Labs for Swift/Objective-C.
Enhancements
Scan EAR and WAR Java artifacts
You can now run endorctl
scans on the EAR and WAR package file formats which include a pom.xml configuration file.
For more information, see Scan artifacts.
Flag name change for detecting dependency reachability
For better clarity, the flag --disable-phantom
is renamed to --phantom-dependencies
. The corresponding environmental variable is renamed from ENDOR_SCAN_DISABLE_PHANTOM
to ENDOR_SCAN_PHANTOM_DEPS
. Set this flag to true
to scan and detect dependencies used in source code but not declared in the package’s manifest files.
For more information, see endorctl scan command.
7.4 - March 2024
We are excited to introduce you to the latest version of Endor Labs and endorctl - v1.6.194. This release includes the following new features.
Integrate Endor Labs with Vanta
Integrate Vanta with Endor Labs to receive Endor Labs findings in Vanta, enabling organizations to manage risk by automating compliance requirements and streamlining security reviews. This enables you to view security findings in real-time and accelerate your security audit processes.
For more information, see Set up Vanta integration with Endor Labs
Integrate Endor Labs with Slack
Integrate Endor Labs with Slack and automatically receive policy violations as notifications in your Slack channels. If you are using Slack for team communication and notifications, this integration helps you to seamlessly integrate Endor Labs into your organization’s existing workflows.
For more information, see Set up Slack integration with Endor Labs
Gain a profound understanding of your software development lifecycle environment by discovering all CI/CD tools used in your organization, business units, or teams.
- Automated tool discovery: Endor Labs automatically identifies and discovers all CI/CD tools during the endorctl scan process, providing a hassle-free experience.
- Comprehensive mapping: The end result is a comprehensive mapping of your CI/CD tools, categorized and correlated with the last timestamp of your scan.
- Enhanced visibility: This feature enhances your understanding of the software development environment posture by providing an accurate picture of the CI/CD tools in use.
For more information, see Discover CI/CD tools.
7.5 - February 2024
We are excited to introduce you to the latest version of Endor Labs and endorctl - v 1.6.137. This release includes the following new features.
Sign up for Endor Labs’ Free trial
Discover the power of Endor Labs and the endorctl CLI with our brand-new 30-day free trial. Secure your open source software by prioritizing open source risk, reducing technical debt, and meeting compliance objectives like SBOMs & VEX. With Endor Labs’ reachability analysis, DevSecOps teams can get to the right context faster, manage risks effectively, and accelerate product development.
What’s in the trial:
-
Complete access: Enjoy all the features without limitations for an entire month.
-
Getting started: Use Endor Labs’ guided walkthrough to understand the main features of the application.
-
Quick start: Use the quick start to get started with the application.
-
Seamless integration: Effortlessly integrate Endor Labs into your development workflows.
Setup namespaces (Beta)
Leverage namespaces to establish a logical and hierarchical structure for your projects, providing enhanced organization and clarity. As an administrator, you can:
- Organizational logic: Create logical partitions based on organizational units, business units, project requirements, or teams.
- Access control: Define hierarchy and control access to project resources within a namespace, ensuring a tailored and secure project environment.
- Policy governance: Establish robust policy governance by defining rules of engagement within namespaces and setting different or identical guardrails across namespaces.
For more information, see Set up namespaces.
Scan Kotlin projects (Beta)
Scan your Kotlin projects to perform:
- Quick Scan: Quickly assess software composition using
endorctl scan --quick-scan
.
- Deep Scan: Conduct comprehensive analysis with dependency resolution, reachability analysis, and call graph generation using the
endorctl scan
.
- Maven and Gradle Integration: Seamlessly integrate with Maven and Gradle for efficient builds and dependency resolution.
- Configuration Flexibility: Configure Maven private registries and specify Gradle configurations with ease.
- Static Analysis: In-depth analysis of Kotlin code for precise insights into dependency reachability.
For more information, see Endor Labs for Kotlin.
Dependency discovery for Go projects using Bazel (Beta)
Scan Go projects with Bazel integration using the endorctl scan
command. By leveraging this command as a Bazel rule, you can analyze dependencies while using Bazel commands.
- Bazel Integration: Scan Go projects by calling the
endorctl scan
command as a Bazel rule, ensuring smooth integration with Bazel workflows.
- Targeted Scanning: Choose between scanning the entire repository or specific Go targets using language-specific Bazel rules. Alternatively, employ a Bazel query to scan targets based on specific criteria.
- Incremental Scans: Execute scans with precision by focusing on recently updated targets, optimizing the scanning process for enhanced efficiency.
For more information, see Language-specific Bazel.
Scan binary artifacts (Beta)
Execute endorctl
scans on binaries and artifacts without the complexities of accessing source code or build systems.
- Language support: The scanning functionality extends to Java and Python packages, covering a wide spectrum of pre-built, bundled, or locally downloaded components.
- Artifact/Package specification: Easily initiate scans by specifying the file path to their artifact or binary package, streamlining the scanning process.
- Comprehensive scan: Scan specified packages to gain insights into resolved dependencies, transitive dependencies, and comprehensive call graphs, providing you with a holistic view of software components.
For more information, see Binaries and artifacts.
7.6 - December 2023
We are excited to introduce you to the latest version of Endor Labs and endorctl - v 1.6.92. This release includes several enhancements.
JavaScript/TypeScript dependency reachability (Beta)
Endor Labs provides superior JavaScript dependency reachability. Apart from analyzing manifest files, Endor Labs enumerates the import statements in your JavaScript code to match the import statements with the pre-installed packages and recursively traverses all files to create a dependency tree with the actual versions that are installed and used in the project.
Endor Labs expertly resolves JavaScript dependencies to identify:
- Dependencies listed in the manifest file but not used by the application
- Dependencies used by the application but not listed in the manifest file
- Dependencies listed in the manifest as transitive but used directly by the application
- Dependencies categorized as test dependencies but used directly by the application
The dependencies used in the source code but not declared in the package’s manifest files are tagged as Phantom.
Note
Dependency reachability is in the Beta phase and is turned off by default. To detect phantom dependencies, run the endorctl scan with the flag --disable-phantom=false
.
PNPM package manager support for JavaScript/TypeScript projects (Beta)
Users can now scan the JavaScript projects that have PNPM as their package manager. PNPM 3.0.0 and higher versions are supported.
Note
To scan Javascript projects using PNPM, set the environment variable ENDOR_PNPM_ENABLED
to true
and then run the endorctl scan.
Dependency discovery for Python and Java projects using Bazel
Users can now scan their Java and Python projects using Bazel through the endorctl scan command. You can call the endorctl scan command as a Bazel rule and analyze the dependencies by using the Bazel commands.
You can scan the entire repository or you can only scan specific Java or Python targets using language-specific Bazel rules. You can also use a Bazel query and scan all targets matching your query criteria. This helps in executing incremental scans on your repository and scans only the recently updated targets.
7.7 - November 2023
We are excited to introduce you to the latest version of Endor Labs and endorctl - v 1.6.25. This release includes several new features.
New Features
Sign in to Endor Labs using email
Users can now sign into Endor Labs using just their email address in addition to signing through enterprise SSO or using one of GitHub, GitLab, or Google accounts.
To get started:
- From the sign-in page, click Log in with email link and enter your email address. The link sent to your email address is valid for the next 15 minutes.
- Check your email account and use the link to complete the sign-in process.
- Enter a name for your tenant on the Endor Labs application and start using the application.
Install endorctl with Homebrew
Use Homebrew to efficiently install endorctl on macOS operating systems.
Install endorctl from Endor Lab’s tap with Homebrew by running the following commands. The tap is updated regularly with the latest endorctl release.
brew tap endorlabs/tap
brew install endorctl
Install endorctl with npm
Use npm to efficiently install endorctl on macOS and Linux operating systems.
Make sure that you have npm installed in your local environment and use the following command to install endorctl using npm.
endorctl is available as an npm package and is updated regularly with the latest endorctl release.
7.8 - October 2023
We are excited to introduce you to the latest version of Endor Labs and endorctl - v 1.6.5. This release includes several enhancements.
Enhancements
Command line flag changes for enhanced usability
Endor Labs has updated several flags to improve the overall usability for users. These changes are backwards compatible. All deprecated commands are hidden.
New scan options
New Flag |
New Variable |
Description |
dependencies |
ENDOR_SCAN_DEPENDENCIES |
Scan Git commits and generate findings for all dependencies. |
droid-gpt |
ENDOR_SCAN_DROID_GPT |
Leverage the power of DroidGPT to interpret build errors and generate remediation advice. |
github |
ENDOR_SCAN_GITHUB |
Fetch information from GitHub, scan Git commits and generate findings for all dependencies, as well as any GitHub misconfigurations. |
secrets |
ENDOR_SCAN_SECRETS |
Scan the source code repository and generate findings for leaked secrets. |
Use the flags in combination with each other to make them more use case-specific.
Renamed flags
Deprecated Flag |
New Flag |
New Variable |
Description |
ci-baseline |
pr-baseline |
ENDOR_SCAN_PR_BASELINE |
Set to the Git reference that you are merging to, such as your default branch. Action policies will only flag issues that do not exist in the baseline so that developers are only alerted to issues on the current changes. Example: --pr-baseline=main . |
ci-run-uuid |
pr-uuid |
ENDOR_API_PR_UUID |
Only list resources from a specific PR scan. |
ci-run |
pr |
ENDOR_SCAN_PR |
Set if this is a PR scan. PR scans are not used for reporting or monitoring and should be treated as point in time policy and finding test. |
ci-tags |
tags |
ENDOR_SCAN_TAGS |
Specify a list of user-defined tags to add to the scan. Tags can be used to search and filter scans later. |
secrets-full-history |
git-logs |
ENDOR_SCAN_GIT_LOGS |
Audit the historical Git logs of the repository for all branches in the repository. Must be used together with --secrets . |
Troubleshoot build errors with DroidGPT
Endor Labs integrates with third-party Artificial Intelligence (AI) tools to help you troubleshoot errors while performing software composition analysis, dependency resolution, or generating call graphs during an endorctl scan.
In the event of an error, DroidGPT generates explanations and actionable advice for how to resolve the error on the given host system. These suggestions are displayed as part of the error log messages on the command line and can help you understand why build errors occurred during the scan process and how to resolve them.
Important
Recommendations generated are meant solely for informational purposes. Before implementing these suggestions, it is strongly advised to thoroughly verify and assess them to ensure their accuracy and suitability for your specific circumstances and work environments.
Use the ENDOR_SCAN_DROID_GPT
environment variable or the --droid-gpt
flag to enable DroidGPT error logging on your system.
- Enable error logging while performing a scan.
endorctl scan --droid-gpt
- Enable error logging while checking the system specifications required for performing a scan.
endorctl host-check --droid-gpt
Example:
Here is an example of the recommendations generated by DroidGPT while scanning a Ruby repository where the manifest file is not correctly configured.
*** NOTE: Use the following AI-generated advice at your own risk ***
DroidGPT suggests the following as a possible remediation:
1. The error message indicates that there is a problem parsing the Gemfile, which is preventing the dependency tree from being generated.
2. Specifically, the error message states that there are no gemspecs at the specified location, which is causing Bundler to fail.
3. To fix this issue, you should check that the Gemfile is correctly configured and that all necessary gemspecs are present.
4. Additionally, you may want to try running `bundle install` to ensure that all dependencies are properly installed.
5. Please note that this advice is generated by an AI and there may be additional factors at play that are not captured in the error message. As such, there is no guarantee that these steps will resolve the issue, and you should proceed with caution.
7.9 - Archive releases
Release 1.5.251
New Features
Prioritize vulnerabilities with C# call graphs
Users can now use call graphs in the Endor Labs application to analyze the dependencies and relationships among various functions in .NET C# projects.
- Endor Labs generates the call graphs for your C# projects and identifies functions or methods with known vulnerabilities or potential security issues.
- Users can examine the call graph to identify the functions that directly or indirectly call the vulnerable functions by tracing the paths of execution.
- Users can prioritize the vulnerabilities based on their severity, threat levels, and application importance.
Call graphs assist users in comprehending the potential consequences and enable them to prioritize the resolution of vulnerabilities that are more likely to result in additional exploitation.
Users can view policy violations in their source code before committing the code to the repository during the automated pre-commit checks. The information is included as comments on the respective pull requests. Users can easily identify and take remedial measures early in the development life cycle.
Based on the actions configured in your action policy, the workflow is designed to either warn you or fail the build based on the severity of these policy violations.
Integrate Endor Labs with webhooks to send Endor Labs notifications to webhooks and pass information to any third-party applications such as Slack, Microsoft Teams, and many more. Users can monitor the webhook channels to investigate and take remedial measures.
With a webhook integration, you can configure Endor Labs to send information to the webhook as an HTTP POST request as soon as a notification is generated. You can also modify the key format and value associated with the notification in the payload.
Use the Endor Labs Jenkins pipeline to scan all the repositories in your organization at once and view consolidated findings. This pipeline runs on your organization’s Jenkins infrastructure and enables administrators to run organization-level supervisory scans easily. It is designed to work in GitHub Cloud and GitHub enterprise server environments.
Enhancements
Detect malware packages
When software applications depend on malicious packages, the confidentiality, integrity, and availability of systems and data belonging to software development organizations or to application end-users is compromised.
Endor Labs now detects application dependencies that are known to be malicious, as reported by the Open Source Vulnerabilities (OSV). Use the newly introduced Malware category on the Findings page to filter and view malware findings. Users can prioritize, and take necessary remedial actions such as patching or replacing the affected packages.
Endor Labs provides the support to integrate with private Nuget package repositories, in addition to scanning public C# projects and repositories. Users can configure this integration from Manage > Integrations > Nuget. Endor Labs will fetch the resources from the authenticated endpoints and perform the scan.
Secrets enhancements
-
Scan for secrets in pre-commits - Users can scan for secrets in the code before committing the code to the code repository during the automated pre-commit checks. This helps identify and remove sensitive information from the code files early in the development life cycle.
-
Secrets deduplication - A single secret may exist at multiple places in your code or repository. Duplicate secrets increase the attack surface and the risk of unauthorized access. Managing duplicate secrets can be complex and error-prone. Endor Labs intelligently categorizes instances of identical secrets found within your application components and repositories and raises a single finding so that you can manage them efficiently.
Release 1.5.194
Enhancements
Support for private Composer package repositories
In addition to scanning public PHP projects and repositories, Endor Labs provides the support to integrate with private Composer package repositories. Users can configure this integration from Manage > Integrations > Packagist. Endor Labs will fetch the resources from the authenticated endpoints and perform the scan.
Release 1.5.171
We are excited to introduce you to the latest version of Endor Labs and endorctl - v 1.5.171. This release includes new features.
New Features
Support for scanning secrets in code
Endor Labs scans your code files and repositories for secrets such as API keys, registration tokens, client secrets, client IDs, access tokens, bearer tokens, refresh tokens, or registration tokens of several popular services such as GitHub, Git Lab, AWS, Dropbox, Adobe, Atlassian, Bitbucket, Coinbase, Databricks, and many more services.
Using Endor Labs’ secrets scan, users can:
- View findings for secrets exposed in the code and take remedial actions based on their severity.
- Detect valid and active secrets in their code repositories and immediately secure them.
- Perform the endorctl scan to audit their codebase regularly for secrets and take necessary mitigation measures.
Release 1.5.159
We are excited to introduce you to the latest version of Endor Labs and endorctl - v 1.5.159. This release includes new features and enhancements.
New Features
Support for PHP project scanning
Endor Labs further extends its language scanning capabilities by incorporating support for PHP. In addition to the current support for Java, JavaScript, Rust, Python, Go, Ruby, .NET C#, and Scala, users can now scan and monitor their PHP projects.
Endor Labs scans PHP projects and resolves dependencies by analyzing both composer.json and composer.lock files. Users can view finding policy violations and dependency graphs.
Using Endor Labs, users can gain significant insights into the structure and relationships of their PHP project’s dependencies, aiding in managing dependencies effectively, identifying potential issues, and ensuring a well-organized and maintainable codebase.
Enhancements
Support for Ruby private registry
In addition to scanning public Ruby projects and repositories, Endor Labs provides the support to integrate with private Ruby registries that are not available publicly. Users can configure this integration from Manage > Integrations > RubyGems. Endor Labs will fetch the resources from the authenticated endpoints and perform the scan.
Release 1.5.131
We are excited to introduce you to the latest version of Endor Labs and endorctl - v 1.5.131. This release includes new features.
New Features
Support for Scala language scan
Endor Labs further extends its language scanning capabilities by incorporating support for Scala projects. In addition to the current support for Java, JavaScript, Rust, Python, Go, Ruby, and .NET C#, users can now scan and monitor their Scala projects managed by sbt.
Endor Labs scans Scala projects by executing sbt plugins and inspecting the build.sbt file to retrieve information about direct and transitive dependencies.
Using Endor Labs, users can gain significant insights into the structure and relationships of their Scala project’s dependencies, aiding in managing dependencies effectively, identifying potential issues, and ensuring a well-organized and maintainable codebase.
Release 1.5.117
We are excited to introduce you to the latest version of Endor Labs and endorctl - v 1.5.117. This release includes new features and enhancements.
New Features
Support for .NET scan
Endor Labs further extends its language scanning capabilities by incorporating support for the .NET C# framework. In addition to the current support for Java, JavaScript, Rust, Python, Go, and Ruby, users can now scan and monitor their .NET C# projects and repositories.
Endor Labs leverages the packages.lock.json file to monitor the packages for dependencies and discovers unresolved, resolved, direct, and transitive dependencies. Users will also be able to view finding policy violations and dependency graphs.
Organizations can maintain secure .NET development and runtime environments while designing, coding, debugging, testing, and deploying complex C# projects and applications.
Endor Labs extension for Visual Studio Code
Developers can now use Endor Labs directly from their Visual Studio Code’s Integrated Development Environment (IDE). The Endor Labs extension scans your repositories and highlights issues that may exist in the open-source dependencies.
The extension helps developers fix code at its origin phase and during the early stages of development. They can successfully perform early security reviews and mitigate the need for expensive fixes during later stages.
Enhancements
Use Python call graphs for vulnerability prioritization
Users can now use call graphs in Endor Labs application to analyze the dependencies and relationships among various functions in Python projects.
- Endor Labs generates the call graphs for your Python projects and identifies functions or methods with known vulnerabilities or potential security issues.
- Users can examine the call graph to identify the functions that directly or indirectly call the vulnerable functions by tracing the paths of execution.
- Users can prioritize the vulnerabilities based on their severity, threat levels, and application importance.
Call graphs assist users in comprehending the potential consequences and enable them to prioritize the resolution of vulnerabilities that are more likely to result in additional exploitation.
EPSS probability filter for findings
Users can now use the new Exploit Prediction Scoring System EPSS probability filter on the Findings page to refine their findings search results by the EPSS score range.
View Notifications
Users can now view the Jira tickets created for action policies in Manage > Notifications on the sidebar. Users have the ability to observe specific information such as the status of tickets (whether they are open or closed), the associated action policy, and other important details. This aids in seamless troubleshooting and identification of both unresolved and resolved issues.
Release 1.5.104
We are excited to introduce you to the latest version of Endor Labs and endorctl - v 1.5.104. This release comes with the following new features.
New Features
Integrate Endor Labs with Jira
Integrate Endor Labs with Jira and receive alert notifications for your action policies in your Jira accounts. With this integration, administrators can automate the process of generating Jira tickets within their organization’s existing security workflows.
Administrators can choose to raise bugs or create tasks in Jira and notify required people about any failures.
Set up SAML integration for Endor Labs
Set up SAML integration on Endor Labs, using an Identity Provider (IdP) that supports Security Assertion Markup Language (SAML), such as Okta, Microsoft Active Directory Federation Services (AD FS), Azure Active Directory (AD), Google, or OneLogin.
Administrators can use their existing Single Sign On (SSO) process in their organization and allow their users to seamlessly sign in to Endor Labs without providing credentials.
Support for Ruby language scan
Endor Labs broadens its language scanning capabilities by incorporating support for the Ruby programming language. In addition to the current support for Java, JavaScript, Rust, Python, and Go, users can now scan and monitor their Ruby projects and repositories.
Endor Labs monitors the packages for dependencies and discovers unresolved, resolved, direct, and transitive dependencies. Users will also be able to view finding policy violations and dependency graphs.
Release 1.5.43
Endor Labs and endorctl version 1.5.43 includes:
- A portfolio level view of all findings across your repositories
- SARIF output format support for GitHub Integrations
- Custom identity provider claim requests to allow for custom attribute based access controls
- Support for Gradle version 8
- The ability to ask natural language questions of open source software via DriodGPT
- The ability to configure, enable and disable your organizations desired findings
New Capabilities
A portfolio level view of all findings across your repositories
Organizations are now able to review all findings across their entire portfolio. Each project monitored by Endor Labs is aggregated into a global view of findings so that organizations can easily search for updates.
In CI pipelines developers can now upload their findings to GitHub via a SARIF output of their findings. This enables developers to not have to leave GitHub to review detailed results.
DroidGPT
Organizations can now ask natural language questions about open source software using DroidGPT. As part of Endor Lab’s open source explorer organizations can now ask questions like “What is the most secure package for json to csv conversion?”
Release 0.5.126
Endor Labs and endorctl version 0.5.126 includes:
- Support for policy actions in CI pipelines (Beta)
- Environmental configuration checks for scanning
- Significant performance improvements
- Improved sorting and filtering for findings
New Capabilities
Support for policy actions in CI pipelines (Beta)
Endor Labs now enables users to configure policy that returns an error in CI pipelines. This can allow users to fail CI checks when a policy is violated to enforce organizational governance policy.
Endor Labs comes with out-of-the-box policy templates to enable teams to configure policy on known vulnerabilities, outdated, unmaintained and unused software dependencies.
Environmental checks for scanning
Endor Labs now helps ensure that your machine is well setup for scanning by providing inline configuration checks on commands. If your host is not properly configured or does not have the required software to perform a given scan or command, the command line utility, endorctl will inform you.
Improved sorting and filtering for findings
Findings can now be filtered and displayed based on categories to help users better report on what they care about and focus their attention.
Supported categories include:
- Vulnerabilities
- Supply Chain Risk
- License Compliance
- Supply Chain Posture Management Risk
- General Security Risks
- General Operational Risks
Release 0.5.100
Endor Labs and endorctl version 0.5.100 includes:
- Scanning for JavaScript and Python is generally available.
New Capabilities
General Availability of Python and JavaScript Support
Endor Labs support for JavaScript and Python Language Scanning is now generally available.
Release 0.5.80
Endor Labs and endorctl version 0.5.80 includes:
- Support for GitLab and Bitbucket source control repository scanning
- Support for Keyless Authentication in GCP with workload identity
Major Changes
- Previously, Endor Labs supported remote cloning of GitHub based repositories. This option has been removed. Only locally cloned repositories are supported.
New Capabilities
Support for GitLab and Bitbucket based
Endor Labs now supports the ability to scan source control repositories hosted in GitLab and Bitbucket.
Keyless Authentication for GCP
Endor Labs now supports the ability to leverage keyless authentication for workload identity federation in Google Cloud.
Release 0.5.50
Endor Labs and endorctl version 0.5.50 includes:
- Support for parallel language scanning
- Identification of potential typos in dependencies
- Support to export Vulnerability Exploitability eXchange (VEX) data for packages
- Dependency License Identification
- Support for user authorization roles
New Capabilities
Parallel Language Scanning Support
Endor Labs now supports the ability to scan different languages in parallel to accelerate scan speed and performance.
Identification of potential typos in dependencies
Endor Labs now supports the ability to monitor and alert on dependencies imported as typos of much more widely used dependencies in your environment.
Export Vulnerability Exploitability eXchange (VEX) for packages
Endor Labs now enables software producers to export VEX documents with automated triage of unreachable vulnerable functions to support software consumer vulnerability triage efforts.
Dependency license identification support
Endor Labs now identifies the license associated with an associated software dependency for open source license management.
Authorization Roles
Endor Labs now comes with out of the box authorization roles for platform users. Authorization roles include:
- Policy Editor - The policy editor role allows users to edit policy.
- Code Scanner - The code scanner role allows users with this permission to scan code. This is the minimum role for a CI/CD based service account.
- Read-only - The read only permission gives users full read only access to Endor Labs.
- Admin - The Admin permission gives users full read and write access to Endor Labs.
Major Bug Fixes Resolved in version 0.5.50
- Previously, Endor Labs failed to scan a repository and identify packages within a repository if the repository was cloned with a shallow Git clone. This has been addressed in 0.5.50.
Release 0.5.40
Endor Labs and endorctl version 0.5.40 includes:
- Support for EAR and WAR File scanning for Maven
- Fat/Uber JAR support for Maven
- Vulnerable function reachability analysis
- Call path visualizations for findings
New Capabilities
Enhanced Java Scanning Support
When scanning Java based web applications using EAR, WAR and Uber JAR files, Endor Labs now builds a bill of materials for these packages and is able to successfully perform static analysis for vulnerability prioritization.
Vulnerable function reachability analysis
Endor Labs now identifies if a vulnerable function associated with a known vulnerability is reachable through static analysis in a provided Java package.
Call Path Visualizations
Endor Labs will now display reachable function paths to dependencies and functions associated with known vulnerabilities.
Release 0.5.31
Endor Labs and endorctl version 0.5.31 includes:
- The ability to export a Software Bill of Materials (SBOM) for a specified software package
- Windows support for endorctl
- Beta support for Gradle with Java
- Authorization Policies for enhanced access control with Endor Labs
New Capabilities
Support for exporting SBOMs
SBOMs may now be generated for any supported software package that you create in CycloneDX format. Endor Labs supports XML and json formats for CycloneDX and by default exports in CycloneDX 1.4.
Windows Support for endorctl
Endor Labs now supports Windows for the endorctl binary. This allows Windows users who previously were using the Endor Labs Docker image to migrate to a supported binary on their native platform.
Support for Gradle
Endor Labs now supports Gradle 7 and above as a build tool for Java packages. Java packages using Gradle 7 or above can now successfully have their dependencies resolved and generate call graphs for their packages.
Authorization Policies
Endor Labs users can now set granular authorization policies for each supported identity provider. Users may now specify a unique user identity such as a GitHub handle or Google Workspace email address to authorize users. Authorization rules may also be timeboxed to ensure that a user only has access to Endor Labs for a predefined time.
Previously, new users could only be authorized by requiring them to be sent an email invitation to the platform.
Major Bug Fixes Resolved in version 0.5.31
Release date: 28 October, 2022
- Previously, some packages failed dependency resolution due to a nil pointer exception. This resolution error has been addressed.
- Previously, when filtering findings based on their attributes filters only respected the current page being searched on. This issue has now been addressed.
- Previously, some findings that had an upstream patch available were displayed as having a fix unavailable. This issue has been addressed.