Scan for open source risks

Scan and detect publicly exposed open source issues posing risks to your organization.

Endor Labs supports the following major capabilities to help teams reduce the risk and expense of software dependency management across the lifecycle of software reuse.

  • SCA - Software composition analysis is the identification of the bill of materials for first-party software packages and the mapping of known vulnerabilities to those software component versions. SCA helps teams maintain compliance and gain visibility into the risks in their software inventory.
  • Endor Scores - Endor Labs provides a holistic risk score that covers the security, quality, popularity and activity of a package. Risk scores help identify leading indicators of risk, in addition to whether a software component is outdated or unmaintained. Risk analysis helps teams go beyond vulnerabilities and approach the risk of their software holistically.
  • Reachability Analysis - Reachability analysis is Endor Labs’ static analysis of your software packages that shows whether and how each vulnerability can be reached from your code. This includes mapping vulnerabilities back to the vulnerable functions, so that deep static analysis can target vulnerabilities at a finer granularity, as well as identifying unused software dependencies.
  • Upgrade Impact Analysis - Upgrade impact analysis allows security teams to set better expectations with their development teams by identifying the breaking changes associated with updating a direct dependency.

The minimum and recommended resource requirements for build runners or workers that execute scans using endorctl are listed below.

Note: Large applications may require additional resources to complete a scan or to improve scan performance.

Minimum Resources
CPU       Memory
4 core    16 GB RAM

Recommended Resources
CPU       Memory
8 core    32 GB RAM

Supported languages

The following table shows Endor Labs language coverage:

Language            SCA        Endor Scores  Reachability Analysis  Upgrade Impact Analysis  Install Toolchains
Java                Supported  Supported     Supported              Supported                Supported
Python              Supported  Supported     Supported              Supported                Supported
Rust                Supported  Supported     Supported              Unsupported              Supported
JavaScript          Supported  Supported     Supported              Unsupported              Supported
Golang              Supported  Supported     Supported              Unsupported              Supported
.NET (C#)           Supported  Supported     Supported              Supported                Supported
Kotlin              Supported  Supported     Supported              Supported                Supported
Scala               Supported  Supported     Supported              Supported                Supported
Ruby                Supported  Supported     Unsupported            Unsupported              Unsupported
Swift/Objective-C   Supported  Supported     Unsupported            Unsupported              Unsupported
PHP                 Supported  Supported     Unsupported            Unsupported              Unsupported

Complete support matrix

The following comprehensive matrix lists the supported languages, package managers and build tools, manifest files, file extensions, and version requirements.

Language           Package Managers / Build Tool  Manifest Files                                Extensions      Supported Requirements
Java               Maven                          pom.xml                                       .java           JDK version 11-22; Maven 3.6.1 and higher versions
                   Gradle                         build.gradle                                  .java           JDK version 11-22; Gradle 6.0.0 and higher versions
                   Bazel                          WORKSPACE, MODULE.bazel, BUILD.bazel          .java           JDK version 11-22; Bazel versions 5.x.x, 6.x.x, and 7.x.x
Kotlin             Maven                          pom.xml                                       .kt             JDK version 11-22; Maven 3.6.1 and higher versions
                   Gradle                         build.gradle                                  .kt             JDK version 11-22; Gradle 6.0.0 and higher versions
Golang             Go                             go.mod, go.sum                                .go             Go 1.12 and higher versions
                   Bazel                          WORKSPACE, MODULE.bazel, BUILD.bazel          .go             Bazel versions 5.x.x, 6.x.x, and 7.x.x
Rust               Cargo                          Cargo.toml, Cargo.lock                        .rs             Rust 1.63.0 and higher versions
JavaScript         npm                            package-lock.json, package.json               .js             npm 6.14.18 and higher versions
                   pnpm                           pnpm-lock.yaml, package.json                  .js             pnpm 3.0.0 and higher versions
                   Yarn                           yarn.lock, package.json                       .js             Yarn, all versions
TypeScript         npm                            package-lock.json, package.json               .ts             npm 6.14.18 and higher versions
                   pnpm                           pnpm-lock.yaml, package.json                  .ts             pnpm 3.0.0 and higher versions
                   Yarn                           yarn.lock, package.json                       .ts             Yarn, all versions
Python             pip                            requirements.txt                              .py             Python 3.6 and higher versions; pip 10.0.0 and higher versions
                   Poetry                         pyproject.toml, poetry.lock                   .py
                   PyPI                           setup.py, setup.cfg, pyproject.toml           .py
                   Bazel                          WORKSPACE, MODULE.bazel                       .py             Bazel versions 5.x.x, 6.x.x, and 7.x.x
.NET (C#)          NuGet                          *.csproj, packages.lock.json,                 .cs             .NET 1.0 and higher versions
                                                  project.assets.json, Directory.Build.props,
                                                  Directory.Packages.props, *.props
Scala              sbt                            build.sbt                                     .sc or .scala   sbt 1.3 and higher versions
                   Bazel                          WORKSPACE, MODULE.bazel                       .sc or .scala   Bazel versions 5.x.x, 6.x.x, and 7.x.x
Ruby               Bundler                        Gemfile, *.gemspec, Gemfile.lock              .rb             Ruby 2.6 and higher versions
Swift/Objective-C  CocoaPods                      Podfile, Podfile.lock                         .swift, .h, .m  CocoaPods 0.9.0 and higher versions
PHP                Composer                       composer.json, composer.lock                  .php            PHP 5.3.2 and higher versions; Composer 2.2.0 and higher versions

See the detailed procedure for each supported language:

Java

Learn how to implement Endor Labs in repositories with Java packages.

Kotlin

Learn how to implement Endor Labs in repositories with Kotlin packages.

Go

Learn how to implement Endor Labs in repositories with Go packages.

Python

Learn how to implement Endor Labs in repositories with Python packages.

JavaScript/TypeScript

Learn how to implement Endor Labs in repositories with JavaScript or TypeScript packages.

Ruby

Learn how to implement Endor Labs in repositories with Ruby packages.

.NET

Learn how to implement Endor Labs in repositories with .NET packages.

Bazel

Learn how to implement Endor Labs in monorepos using Bazel.

Swift/Objective-C

Learn how to implement Endor Labs in repositories with CocoaPods packages.

Scala

Learn how to implement Endor Labs in repositories with Scala packages.

PHP

Learn how to implement Endor Labs in repositories with PHP packages using Composer.

Rust

Learn how to implement Endor Labs in repositories with Rust packages.