Scan for open source risks

Scan for and detect publicly disclosed open source issues that pose risks to your organization.

Endor Labs supports the following major capabilities to help teams reduce the risk and expense of software dependencies across their lifecycle:

  • SCA - Software composition analysis identifies the bill of materials for first-party software packages and maps known vulnerabilities to those software component versions. SCA helps teams maintain compliance and gain visibility into the risks of their software inventory.
  • Endor Scores - Endor Labs provides a holistic risk score that covers the security, quality, popularity, and activity of a package. Risk scores surface leading indicators of risk in addition to whether a software component is outdated or unmaintained. Risk analysis helps teams go beyond vulnerabilities and assess the risk of their software holistically.
  • Reachability Analysis - Reachability analysis is Endor Labs’ capability to perform static analysis on your software packages and show how each vulnerability can be reached from your own code. This includes mapping vulnerabilities back to vulnerable functions, so that deep static analysis can prioritize vulnerabilities at function-level granularity, as well as identifying unused software dependencies.
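The two steps that the SCA and Reachability Analysis bullets describe (matching an inventory of component versions against advisories, then deciding whether a vulnerable function is reachable from your own code and which dependencies are never called) can be illustrated with a small toy model. The following is an added example, not Endor Labs or endorctl code: the package names, versions, VULN-EXAMPLE identifiers, and call-graph edges are all constructed for illustration, and the version comparison is deliberately simplified to dotted integers.

```python
"""Toy software composition analysis (SCA) plus function-level reachability.

Added example, not Endor Labs code. All packages, versions, vulnerability
identifiers and call-graph edges below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """Parse a dotted numeric version ("1.4.2") into a comparable tuple.

    Deliberately minimal: real SCA tools apply ecosystem-specific version
    semantics (semver ranges, PEP 440, Maven qualifiers) via a proper library.
    """
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Vulnerability:
    """One advisory: affected package, half-open version range, vulnerable function."""
    vuln_id: str      # constructed placeholder, not a real CVE/GHSA identifier
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    function: str     # fully qualified vulnerable function, "package.module.func"


def is_affected(vuln: Vulnerability, installed: str) -> bool:
    """True when the installed version falls in [introduced, fixed)."""
    v = parse_version(installed)
    return parse_version(vuln.introduced) <= v < parse_version(vuln.fixed)


def sca_findings(inventory: dict, advisories: list) -> list:
    """Step 1 (SCA): match the bill of materials against the advisory list."""
    return [a for a in advisories
            if a.package in inventory and is_affected(a, inventory[a.package])]


def reachable_functions(call_graph: dict, entry_points: list) -> set:
    """Step 2 (reachability): breadth-first walk of the call graph from entry points."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        caller = queue.popleft()
        for callee in call_graph.get(caller, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def package_of(function: str) -> str:
    """First dotted segment names the package in this toy naming scheme."""
    return function.split(".", 1)[0]


def analyze(inventory: dict, advisories: list, call_graph: dict, entry_points: list) -> dict:
    """Combine both steps: split findings by reachability and flag unused dependencies."""
    reach = reachable_functions(call_graph, entry_points)
    report = {"reachable": [], "unreachable": [], "unused_dependencies": []}
    for finding in sca_findings(inventory, advisories):
        bucket = "reachable" if finding.function in reach else "unreachable"
        report[bucket].append(finding.vuln_id)
    used_packages = {package_of(fn) for fn in reach}
    report["unused_dependencies"] = sorted(p for p in inventory if p not in used_packages)
    return report


# --- Constructed sample input (not real packages or advisories) ---------------
INVENTORY = {"yamlparse": "1.4.2", "fmtutil": "2.0.0", "leftpad": "0.9.1"}

ADVISORIES = [
    Vulnerability("VULN-EXAMPLE-1", "yamlparse", "1.0.0", "1.5.0", "yamlparse.loader.unsafe_load"),
    Vulnerability("VULN-EXAMPLE-2", "fmtutil", "1.0.0", "2.1.0", "fmtutil.template.render"),
    # Fixed in 0.9.0, so the installed 0.9.1 is not affected at all.
    Vulnerability("VULN-EXAMPLE-3", "leftpad", "0.1.0", "0.9.0", "leftpad.pad"),
]

# caller -> callees. The app never calls unsafe_load and never calls leftpad.
CALL_GRAPH = {
    "app.main": ["app.config.load", "app.http.serve"],
    "app.config.load": ["yamlparse.loader.safe_load"],
    "yamlparse.loader.safe_load": ["yamlparse.loader.parse"],
    "yamlparse.loader.unsafe_load": ["yamlparse.loader.parse"],
    "app.http.serve": ["fmtutil.template.render"],
    "fmtutil.template.render": ["fmtutil.template.escape"],
}
ENTRY_POINTS = ["app.main"]

if __name__ == "__main__":
    for key, value in analyze(INVENTORY, ADVISORIES, CALL_GRAPH, ENTRY_POINTS).items():
        print(f"{key}: {value}")
```

Run as a script, the report lists VULN-EXAMPLE-2 as reachable (the app's request handler calls the vulnerable render function), VULN-EXAMPLE-1 as present but unreachable (the vulnerable unsafe_load is never called from the entry point, only the safe loader is), VULN-EXAMPLE-3 as absent (the installed version is past the fix), and leftpad as an unused dependency. The point of the split is prioritization: an unreachable finding is still worth fixing, but the reachable one is what a static-analysis-backed triage puts first.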

The resource requirements, both minimum and recommended, for build runners or workers executing scans using endorctl are listed here.

Note: Large applications may require additional resources to complete the scan or to improve scan performance.

Minimum Resources

| CPU    | Memory    |
|--------|-----------|
| 4 core | 16 GB RAM |

Recommended Resources

| CPU    | Memory    |
|--------|-----------|
| 8 core | 32 GB RAM |

Supported languages

The following table shows Endor Labs language coverage:

| Language          | SCA       | Endor Scores | Reachability Analysis |
|-------------------|-----------|--------------|-----------------------|
| Java              | Supported | Supported    | Supported             |
| Python            | Supported | Supported    | Supported             |
| Rust              | Supported | Supported    | Supported             |
| JavaScript        | Supported | Supported    | Supported *           |
| Golang            | Supported | Supported    | Supported             |
| .NET (C#)         | Supported | Supported    | Supported             |
| Kotlin            | Supported | Supported    | Supported             |
| Scala             | Supported | Supported    | Supported             |
| Ruby              | Supported | Supported    | Unsupported           |
| Swift/Objective-C | Supported | Supported    | Unsupported           |
| PHP               | Supported | Supported    | Unsupported           |

* For JavaScript, reachability is currently limited to the package level; function-level reachability will be supported in the future.

Complete support matrix

The following comprehensive matrix lists the supported languages, build tools, manifest files, and supported requirements.

| Language          | Package Managers / Build Tool | Manifest files                                                                                       | Supported Requirements                                              |
|-------------------|-------------------------------|------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|
| Java              | Maven                         | pom.xml                                                                                              | JDK version 11-19; Maven 3.6.1 and higher versions                  |
| Java              | Gradle                        | build.gradle                                                                                         | JDK version 11-19; Gradle 6.0.0 and higher versions                 |
| Java              | Bazel                         | WORKSPACE, MODULE.bazel, BUILD.bazel                                                                 | JDK version 11-19; Bazel versions 5.x.x, 6.x.x, and 7.x.x           |
| Kotlin            | Maven                         | pom.xml                                                                                              | JDK version 11-19; Maven 3.6.1 and higher versions                  |
| Kotlin            | Gradle                        | build.gradle                                                                                         | JDK version 11-19; Gradle 6.0.0 and higher versions                 |
| Golang            | Go                            | go.mod, go.sum                                                                                       | Go 1.12 and higher versions                                         |
| Golang            | Bazel                         | WORKSPACE, MODULE.bazel, BUILD.bazel                                                                 | Bazel versions 5.x.x, 6.x.x, and 7.x.x                              |
| Rust              | Cargo                         | Cargo.toml, Cargo.lock                                                                               | Rust 1.63.0 and higher versions                                     |
| JavaScript        | NPM                           | package-lock.json, package.json                                                                      | NPM 6.14.18 and higher versions                                     |
| JavaScript        | PNPM                          | pnpm-lock.yaml, package.json                                                                         | PNPM 3.0.0 and higher versions                                      |
| JavaScript        | Yarn                          | yarn.lock, package.json                                                                              | Yarn, all versions                                                  |
| TypeScript        | NPM                           | package-lock.json, package.json                                                                      | NPM 6.14.18 and higher versions                                     |
| TypeScript        | PNPM                          | pnpm-lock.yaml, package.json                                                                         | PNPM 3.0.0 and higher versions                                      |
| TypeScript        | Yarn                          | yarn.lock, package.json                                                                              | Yarn, all versions                                                  |
| Python            | Pip                           | requirements.txt                                                                                     | Python 3.6 and higher versions; Pip 10.0.0 and higher versions      |
| Python            | Poetry                        | pyproject.toml, poetry.lock                                                                          |                                                                     |
| Python            | PyPI                          | setup.py, setup.cfg, pyproject.toml                                                                  |                                                                     |
| Python            | Bazel                         | WORKSPACE, MODULE.bazel                                                                              | Bazel versions 5.x.x, 6.x.x, and 7.x.x                              |
| .NET (C#)         | NuGet                         | *.csproj, packages.lock.json, project.assets.json, Directory.Build.props, Directory.Packages.props, *.props | .NET 1.0 and higher versions                                  |
| Scala             | sbt                           | build.sbt                                                                                            | sbt 1.3 and higher versions                                         |
| Ruby              | Bundler                       | Gemfile, *.gemspec, Gemfile.lock                                                                     | Ruby 2.6 and higher versions                                        |
| Swift/Objective-C | CocoaPods                     | Podfile, Podfile.lock                                                                                | CocoaPods 0.9.0 and higher versions                                 |
| PHP               | Composer                      | composer.json, composer.lock                                                                         | PHP 5.3.2 and higher versions; Composer 2.2.0 and higher versions   |

See the detailed procedure for all supported languages:

Java

Learn how to implement Endor Labs in repositories with Java packages.

Kotlin (Beta)

Learn how to implement Endor Labs in repositories with Kotlin packages.

Go

Learn how to implement Endor Labs in repositories with Go packages.

Python

Learn how to implement Endor Labs in repositories with Python packages.

JavaScript/TypeScript

Learn how to implement Endor Labs in repositories with JavaScript or TypeScript packages.

Ruby

Learn how to implement Endor Labs in repositories with Ruby packages.

.NET

Learn how to implement Endor Labs in repositories with .NET packages.

Bazel

Learn how to implement Endor Labs in monorepos using Bazel.

Swift/Objective-C (Beta)

Learn how to implement Endor Labs in repositories with CocoaPods packages.

Scala

Learn how to implement Endor Labs in repositories with Scala packages.

PHP

Learn how to implement Endor Labs in repositories with PHP packages using Composer.

Rust

Learn how to implement Endor Labs in repositories with Rust packages.