Bazel is an open-source build and test tool, commonly used in monorepos, that builds software across multiple languages quickly.
Using Endor Labs, organizations relying on Bazel can:
- Test their software for potential issues and violations of organizational policy
- Prioritize vulnerabilities in the context of their applications
- Understand the relationships between software components in their applications
System specifications for deep scan
Before you run a deep scan, ensure that your system meets the following specifications.
Project Size | Processor | Memory |
---|---|---|
Small projects | 4-core processor | 16 GB |
Mid-size projects | 8-core processor | 32 GB |
Large projects | 16-core processor | 64 GB |
Software prerequisites
Ensure that the following prerequisites are in place for a successful scan.
- One or more WORKSPACE files must be present in your repository.
- The `bazel` command must be installed and available on the host system. To install Bazel, see the Bazel documentation.
- Bazel versions 5.x.x and 6.x.x are supported.
Select and build your Bazel targets
Endor Labs supports scanning targets built with the following language-specific Bazel rules:
- Bazel Rules for Java, version 4.1 or higher.
- Bazel Rules for Python, version 0.9.0 or higher.
- Bazel Rules for Golang, version 0.40.1 or higher with Bazel 5.x.x and 6.x.x, or version 0.42.0 or higher with Bazel 7.x.x.
- Bazel Rules for Scala, versions 5.0.0 to 6.6.0 inclusive.
To scan with Endor Labs, specify either an explicit list of targets to scan or a Bazel query; every target that matches the query is scanned. Use the Bazel query language to find specific targets or to select all targets of a given kind. Here are some examples.
- To get all targets created with a `java_binary` build rule, use the query:
bazel query 'kind(java_binary, //...)'
- To get all targets created with a `py_binary` build rule, use the query:
bazel query 'kind(py_binary, //...)'
- To get all targets created with a `go_binary` build rule under the golang directory, use the query:
bazel query 'kind(go_binary, //golang/...)'
- To get all targets created with a `scala_binary` build rule under the scala directory, use the query:
bazel query 'kind(scala_binary, //scala/...)'
In general, refine your query to select the most important targets in your monorepo and align with your existing build workflows.
You can build the targets before running the scan. Use `bazel build` with the targets separated by spaces; for example, to build `//:test` and `//:test2`, run:
bazel build //:test //:test2
If the targets are not built, endorctl attempts to build them itself. For a target `//:test` it runs `bazel build //:test` to build the target and `bazel query 'deps(//:test)' --output graph` to collect its dependency graph.
Run a scan
Use the following options to scan your repositories. Perform a scan after building the projects. See
Once you have selected your targets, define them for scanning using one of three command line arguments:
- To include or exclude specific targets, pass a comma-separated list of targets to `--bazel-include-targets` or `--bazel-exclude-targets`.
- To scan a specific list of targets, use the command:
endorctl scan --use-bazel --bazel-include-targets=//your-target-name
- To scan every target that matches a Bazel query, use the following command and replace the query with your own:
endorctl scan --use-bazel --bazel-targets-query='kind(java_binary, //...)'
If your WORKSPACE file is not located at the root of the repository, pass the directory that contains it with `--bazel-workspace-path` for the targets you would like to scan. For example:
endorctl scan --use-bazel --bazel-targets-query='kind(java_binary, //...)' --bazel-workspace-path=./src/java
For Go projects that use Bazel with Gazelle in vendored mode, provide the path to your `go.mod` file with `--bazel-vendor-manifest-path`. For example:
endorctl scan --use-bazel --bazel-include-targets=//your-target-name --bazel-vendor-manifest-path=<path to go.mod>
Option 1 - Quick scan
Perform a quick scan to get quick visibility into your software composition. This scan won’t perform reachability analysis to help you prioritize vulnerabilities.
endorctl scan --use-bazel --bazel-include-targets=//your-target-name --quick-scan
You can perform the scan from within the root directory of the Git project repository, and save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.
endorctl scan --use-bazel --bazel-include-targets=//your-target-name --quick-scan -o json | tee /path/to/results.json
You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.
Option 2 - Deep scan
Use the deep scan to perform dependency resolution, reachability analysis, and generate call graphs. You can do this after you complete the quick scan successfully.
You can run a deep scan with the following commands:
endorctl scan --use-bazel --bazel-include-targets=//your-target-name
Use the following flags to save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.
endorctl scan --use-bazel --bazel-include-targets=//your-target-name -o json | tee /path/to/results.json
When a deep scan is performed, all private software dependencies that have not been scanned before are completely analyzed by default. This is a one-time operation: it slows down the initial scan but does not affect subsequent scans.
Some parts of the software may be owned by another team, so findings in them are actionable elsewhere. In that case you can disable this analysis with the `--disable-private-package-analysis` flag. Disabling private package analysis improves scan performance, but you lose insight into how your applications interact with first-party libraries.
Use the following command flag to disable private package analysis:
endorctl scan --use-bazel --bazel-include-targets=//your-target-name --disable-private-package-analysis
You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.
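The following POSIX shell script is an added example that ties the steps above together; it is not a script from Endor Labs or from this page. It runs the target query, turns the newline-separated `bazel query` output into the comma-separated list that `--bazel-include-targets` expects, builds the targets with `bazel build`, and then runs the quick or deep scan and saves the JSON results. It assumes `bazel` and `endorctl` are on PATH and that it is run from the directory holding the WORKSPACE file; the environment variable names QUERY, SCAN_MODE, WORKSPACE_PATH, RESULTS and RUN_SCAN are chosen for this example. It also adds a check the page does not spell out: if the query yields no labels, or a non-label line (such as a stray INFO message) shows up on stdout, the script stops rather than handing a bad target list to the scanner.

```shell
#!/bin/sh
# Added example, not a script from Endor Labs or from this page: select Bazel
# targets with a query, check the result, build the targets, then scan them
# with endorctl. Assumes `bazel` and `endorctl` are on PATH and that the script
# runs from the directory that holds the WORKSPACE file. The environment
# variables QUERY, SCAN_MODE, WORKSPACE_PATH, RESULTS and RUN_SCAN are names
# chosen for this example.
set -eu

# Convert newline-separated `bazel query` output into the comma-separated list
# that --bazel-include-targets expects. Blank lines and duplicates are dropped.
# Any other non-label line (for example an "INFO:" message that landed on
# stdout) makes the function fail, as does an empty result: scanning with an
# empty --bazel-include-targets would not scan what the query was meant to
# select, so the caller must stop instead of continuing.
labels_to_csv() {
    awk '
        BEGIN { re = "^(@[A-Za-z0-9_.~-]*)?//[A-Za-z0-9_./~-]*(:[^ \t]+)?$" }
        NF == 0 { next }
        $0 ~ re { if (!seen[$0]++) csv = (csv == "" ? $0 : csv "," $0); next }
        { bad = 1 }
        END { if (bad || csv == "") exit 1; print csv }'
}

# Assemble the endorctl scan flags for a comma-separated target list ($1),
# a scan mode of "quick" or "deep" ($2) and an optional path to the directory
# holding the WORKSPACE file ($3). Printed rather than executed so the result
# can be checked without running endorctl.
scan_args() {
    args="--use-bazel --bazel-include-targets=$1"
    [ "$2" = "quick" ] && args="$args --quick-scan"
    [ -n "${3:-}" ] && args="$args --bazel-workspace-path=$3"
    printf '%s\n' "$args"
}

main() {
    query="${QUERY:-kind(java_binary, //...)}"
    targets=$(bazel query "$query" | labels_to_csv) || {
        echo "query '$query' produced no usable targets; refusing to scan" >&2
        exit 1
    }
    # bazel build takes labels separated by spaces; endorctl takes commas.
    # Word splitting is intended: labels were validated to contain no spaces.
    bazel build $(printf '%s' "$targets" | tr ',' ' ')
    endorctl scan $(scan_args "$targets" "${SCAN_MODE:-deep}" "${WORKSPACE_PATH:-}") \
        -o json | tee "${RESULTS:-results.json}"
}

# Run the pipeline only when asked, so the functions above can be sourced and
# exercised without bazel or endorctl installed.
if [ "${RUN_SCAN:-0}" = "1" ]; then
    main
fi
```

Run it with `RUN_SCAN=1`, optionally setting `QUERY`, `SCAN_MODE=quick` and `WORKSPACE_PATH`; without `RUN_SCAN` it only defines the functions. The label check is deliberately strict (a label is `//pkg:name` or `@repo//pkg:name`), because a silently empty or malformed target list would make the scan cover something other than what the query selected.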
Understand the scan process
To understand the scan process for Java projects, see Endor Labs for Java.
To understand the scan process for Python projects, see Endor Labs for Python.
To understand the scan process for Go projects, see Endor Labs for Go.
Known limitations
- Scanning Java binaries using Bazel is not supported.