This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Scan profiles

Learn how to build repeatable patterns by configuring scan profiles in your scan environment.

Table of Contents

This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Learn how to build repeatable patterns by configuring scan profiles in your scan environment.

A scan profile is a configuration that defines the scan parameters, and toolchains for each build setup required for a scan. Use scan profiles to ensure accurate scans and reduce failures caused by missing or mismatched dependencies. Associate a project with an appropriate scan profile to ensure that each scan uses the correct configuration. You can also configure automated scan parameters in your scan profile to customize scan behavior in cloud environments.

Build tools in a scan profile help recreate the project’s build environment, ensuring reliable dependency resolution and accurate scans. See build tools to configure them and view the toolchains supported by Endor Labs.

Use one of the following methods to create a scan profile:

A scan workflow is a predefined sequence of scan steps that runs within a project. Each step applies a specific scan profile, enabling you to target different parts of your codebase. Analytics are generated once the entire workflow completes.

A project can have only one scan workflow at a time. Use scan workflows to combine multiple scan profiles and apply them selectively—for example, when your project uses different languages or build tools across various components.

Use the following method to create a scan workflow:

Configure build tools

Endor Labs uses build tools to scan projects, generate reliable Software Bill of Materials (SBOM), and detect security or operational risks. For languages like Java, Python, and .NET that depend on the build environment, it relies on specific runtime or package manager versions to ensure precise results. When tools are missing, you can define and install them in the CLI, and Endor Labs sets them up in an isolated sandbox during the scan. This feature is supported on Linux and macOS.

You need to install and initialize endorctl, before configuring the build toolchains in a scan profile.

Endor Labs GitHub App continuously monitors your projects for security and operational risks. The app monitors all the projects included in your GitHub workspace and scans run once every 24 hours.

For performing scans, the GitHub App checks the toolchain specifications in the following order:

  1. Scan workflow, if present.
  2. Toolchain configuration specified through endorctl API.
  3. Toolchain configuration specified in scanprofile.yaml file.
  4. Uses the system defaults.
  5. Enable auto detection and automatically detect the toolchains from your manifest files.

After installing and initializing the endorctl, run the endorctl scan with the --install-build-tools flag to automatically download and install any missing toolchains in an isolated sandbox to properly execute language-specific scans and dependency resolution.

  1. For the first time, run the endorctl scan to create a project with Endor Labs.

    endorctl scan

  2. Run the following command to automatically download and install build tools as part of your scan.

    endorctl scan --install-build-tools

  3. The system checks for the required toolchain specifications in the following order before installing them in the sandbox.

If you do not provide a tool profile, the default toolchains are installed in the sandbox while performing the endorctl scan with the install-build-tools flag. See Toolchain support matrix for details on default versions.

The following table outlines the toolchain profile support details across different languages and platforms.

Dependencies Support for API Support for profile yaml Support for Auto detection Default Version Platform
Java Supported Supported Java 8, 11, 17, 21 Java 17 Linux, Darwin
Maven Supported Supported Maven 3.8.8, 3.9.4 Maven 3.9.4 Linux, Darwin
Gradle Supported Supported Gradle 7.6.4, 8.4 Gradle 8.4 Linux, Darwin
Python Supported Supported Python 3.8, 3.9, 3.10, 3.11, 3.12, 3.13 Python 3.10 Linux, Darwin
NodeJS Supported Supported Node.js 16.20, 18.20, 20.19, 22.18, 24.6 Node.js 20.10.0 Linux, Darwin
Yarn Supported Supported Yarn 1.22, 2, 3, 4 Yarn 1.22.19 Linux, Darwin
pnpm Supported Supported pnpm 6.35, 7.33, 8.15, 9.15, 10.14 pnpm 8.10.2 Linux, Darwin
Golang Supported Supported Golang 1.12, 1.13, 1.14, 1.15, 1.16, 1.17, 1.18, 1.19, 1.20, 1.21, 1.22, 1.24 Golang 1.22.2 Linux, Darwin
.NET Supported Supported .NET 6, 7, 8, 9 .NET 7.0.401 Linux, Darwin
Scala Supported Supported Scala 1.9.0 Linux, Darwin
Rust Supported Supported Rust 1.77.9 Linux, Darwin
Kotlin Supported Supported Java 17 Linux, Darwin
Typescript Supported Supported 16.20, 18.20, 20.19, 22.18, 24.6 Node.js 20.10.0 Linux, Darwin
Android Supported Supported platform-tools Linux, Darwin
PHP Supported Supported 8.2 Linux
Ruby Supported Supported 3.2.1 Linux

Automated scan parameters are endorctl parameters and environment variables that you define in a scan profile. They apply to projects linked to that profile and help customize scan behavior during cloud scans.

You can define the following parameters in your scan profile:

  • included_paths: Enable to specify a list of paths to include in the scan.

  • excluded_paths: Enable to specify a list of path to exclude from the scan.

  • languages: Enable to specify a list of languages to scan. If empty, default values are used.

  • call_graph_languages: Enable to specify a list of language to use for generating call graphs. If empty, default values are used.

  • additional_environment_variables: Enable to specify additional environment variables to set during the scan. Only the environment variables starting with ENDOR_ are passed to the scan, all others are ignored.

  • enable_automated_pr_scans: Enables automatic scanning of pull request changes.

  • enable_pr_comments: Enables adding scan results as comments in pull requests.

  • enable_sast_scan: Enables SAST during the scanning process.

  • disable_code_snippet_storage: Disables the storage of code snippets.

If you are using Bazel in your build, you can further configure:

  • bazel_configuration: Enable to specify configuration settings for Bazel scans. See Bazel flags for more details.

  • bazel_show_internal_targets: Enable to include internal build targets in the dependency analysis.

  • bazel_workspace_path: Enable to specify the path to the Bazel workspace.

  • bazel_include_targets: Enable to specify Bazel targets to include in the scan.

  • bazel_exclude_target: Enable to specify Bazel targets to exclude from the scan.

The following toolchain profile shows a yaml definition with configured automated scan parameters:

kind: AutomatedScanParameters
spec:
  automated_scan_parameters:
    included_paths:
      - python/**
    excluded_paths:
      - java/**
    languages:
      - python
    call_graph_languages:
      - python
    additional_environment_variables:
      - ENDOR_LOG_VERBOSE=true
      - ENDOR_LOG_LEVEL=debug
    enable_automated_pr_scans: true
    enable_pr_comments: true
    enable_sast_scan: true
    disable_code_snippet_storage: true
    bazel_configuration:
      bazel_show_internal_targets: true
      bazel_workspace_path: "go-bazel-repo/"
      bazel_include_targets:
      bazel_abs:
        - "//cmd:cmd"

Enable auto detection

The system can automatically detect toolchains required for your projects based on the manifest files present in your repository. Auto detection is supported for Java, Python, Go and .NET(C#) projects. Only the Long Term Support (LTS) versions of the toolchains are supported in auto detection. See the Toolchain support matrix for a complete list of supported toolchain versions for auto detection.

Endor Labs begins auto detection by scanning your project repository to locate manifest files and identify the languages used in your project. Based on the results, it runs language specific detectors to extract version information. Each detector operates independently and follows a consistent process. It reviews the associated manifest or build configuration files to determine the toolchain version. If a file contains multiple version fields, the detector uses a fixed priority order to select the most appropriate one.

After identifying a version, the detector sends the version details to the assigner. The assigner checks the Endor Labs toolchain support matrix to verify if the version is supported for the host operating system and architecture. If it doesn’t find an exact match, it selects the closest supported version based on the major version number. This version will be the toolchain used for your project scan.

For example, when analyzing Java projects, the Java detector checks config files like pom.xml or build.gradle to find the Java version used in the project.

flowchart TD
  subgraph C["Detectors find versions of detected languages"]
    L1["language 1 detector"]
    Lang["..."]
    L2["language n detector"]
  end
  A(["Scan Repository"])
  B["Detect Languages"]
  D["Assigners"]
  F{"Exact match"}
  G(["Select closest supported version by matching major version"])
  H(["Select exact supported version"])
  I["Yes"]
  J["No"]
  K["Match version with Endor Labs suported versions"]

  A --> B --> C --> D --> K --> F
  F --> I --> H
  F --> J --> G

  %% Force black border on subgraph
  classDef subgraphStyle stroke:#000000,stroke-width:1px,fill:#00F078;
  class C subgraphStyle
  classDef JavaStyle fill:#D3D3D3;
  class L1,L2,Lang JavaStyle
  classDef blueText fill:#3FE1F3,stroke:#000000,color:#000000;
  class I,J,K blueText

  %% NEW: Bigger node style and class
  classDef largeNode fill:#00F078,stroke:#000000,color:#000000;
  class A,B,D,E largeNode

  %% Optional: force large box padding via dummy <br> line
  style C width:520px

The following table lists the config files Endor Labs scans to detect the language and version used in your project.

Language Build Tool Config File
Java Maven pom.xml
Java Gradle build.gradle, gradle-wrapper.properties
.NET global.json, *.csproj
Golang go.mod
Python setup.py, .python-version, pyproject.toml
NodeJS package.json, .nvmrc, .node-version
Yarn package.json, .yarnrc.yml, yarnrc
pnpm package.json

The following examples illustrate how to define versions in each config file.

Java with Maven

Config file: pom.xml

Define the Java version using any one of the following options:

  • Using version fields

    <properties>
  <maven.compiler.source>1.8</maven.compiler.source>
  <maven.compiler.target>1.8</maven.compiler.target>
  <maven.compiler.release>11</maven.compiler.release>
  <java.version>17</java.version>
</properties>

  • Using plugin configuration

    <build>
  <plugins>
    <plugin>
      <artifactId>maven-compiler-plugin</artifactId>
      <version>3.8.1</version>
      <configuration>
      <source>11</source>
      <target>11</target>
      </configuration>
    </plugin>
  </plugins>
</build>
Java with Gradle

Config file: build.gradle

Define the Java version using sourceCompatibility and targetCompatibility.

sourceCompatibility='17'
targetCompatibility='17'

Ensure the Gradle wrapper version is defined in gradle/wrapper/gradle-wrapper.properties.

distributionUrl=https\://services.gradle.org/distributions/gradle-7.6-all.zip
Python

Specify the Python version in any of the following config files.

setup.py

Use python_requires inside the setup() block.

setup(
    ...
    python_requires='>=3.8, <4'
)
pyproject.toml

Use requires-python to define the Python version range.

[project]
requires-python = ">=3.8, <4.0"

[tool.poetry.dependencies]
python = "3.12.1"
.python-version

Specify the exact Python version.

3.12.1
Node.js

Specify the NodeJS version in any of the following config files.

package.json

Use engines.node

"engines": {
  "node": ">=16.0.0 <19"
}
.nvmrc

Specify the exact NodeJS version.

18.17.1
.node-version

Specify the exact NodeJS version.

18.17.1
Yarn

Specify the Yarn version in any of the following config files.

package.json

Use engines.yarn

"engines": {
  "yarn": ">=1.22.0 <2.0.0"
}
.yarnrc.yml

Use yarnPath

yarnPath: ".yarn/releases/yarn-3.2.1.cjs"
.yarnrc

Use yarnPath

yarnPath: ".yarn/releases/yarn-3.2.1.cjs"
PNPM

Config file: package.json

Specify the pnpm version using engines.pnpm

"engines": {
  "pnpm": ">=6.0.0"
}
.NET

Specify the .NET version using any of the following config files.

global.json

Use sdk.version

{
  "sdk": {
    "version": "7.0.203"
  }
}
*.csproj

Use TargetFramework or TargetFrameworks

<TargetFramework>net6.0</TargetFramework>
Golang

Config file: go.mod

Use the go directive.

module github.com/example/project

go 1.21

To enable auto detection for endorctl scans, run:

endorctl scan --install-build-tools --enable-build-tools-version-detection

When using the GitHub App, you can enable auto detection either by a project or enable it for all projects in a tenant.

  • To enable the auto detection by a project, update the project’s meta.annotations with "ENDOR_SCAN_ENABLE_BUILD_TOOLS_VERSION_DETECTION":"true".

    meta:
  annotations: {"ENDOR_SCAN_ENABLE_BUILD_TOOLS_VERSION_DETECTION":"true"}

      endorctl api update -r Project --uuid=<project-uuid> -i

  • To enable auto detection across all projects in a tenant, update the system config’s meta.annotations with "ENDOR_SCAN_ENABLE_BUILD_TOOLS_VERSION_DETECTION":"true".

    meta:
  annotations: {"ENDOR_SCAN_ENABLE_BUILD_TOOLS_VERSION_DETECTION":"true"}

    endorctl api update -r SystemConfig --uuid=<system-config-uuid> -i

The updates are applied during the next scheduled scan or whenever you perform a manual re-scan.

Configure scan profile through Endor Labs API

You can use the endorctl api command to configure the toolchains for your project.

  1. Run the endorctl scan to create a project in Endor Labs.

    endorctl scan

  2. Fetch the UUID of the project. For example, to fetch the UUID of app-java-demo project, you can use:

    UUID=$(endorctl api list -r Project --filter="meta.name matches https://github.com/endorlabs/app-java-demo" --field-mask=uuid | jq -r '.list.objects[].uuid')

  3. Create a ScanProfile object using the following command. Set the environment variable using set EDITOR=vim before executing the following command.

    endorctl api create -i -r ScanProfile

    You can configure automated scan parameters in your scan profile. See automated scan parameters to learn more.

    Here is an example that you can use to create a ScanProfile object for installing Java 8 and Maven 3.9.4 in Linux and macOS. After executing this command, you can fetch the UUID of the ScanProfile object. See toolchain support matrix for a complete description of supported toolchains.

    meta:
  name: "demo"
spec:
  automated_scan_parameters:
      languages:
        - java
      additional_environment_variables:
        - ENDOR_LOG_VERBOSE=true
        - ENDOR_LOG_LEVEL=debug
      enable_automated_pr_scans: true
      enable_pr_comments: true
      enable_sast_scan: true
      disable_code_snippet_storage: true
      bazel_configuration:
        bazel_show_internal_targets: true
        bazel_workspace_path: "go-bazel-repo/"
        bazel_include_targets:
          - "//cmd:cmd"
  toolchain_profile:
      os:
        linux:
          arch:
            amd64:
              java_tool_chain:
                version:
                  name: "1.8.412"
                  urls:
                    - "https://builds.openlogic.com/downloadJDK/openlogic-openjdk/8u412-b08/openlogic-openjdk-8u412-b08-linux-x64.tar.gz"
                  relative_tool_chain_path: "openlogic-openjdk-8u412-b08-linux-x64/"
                  sha256_sum: "eb06c9d62e031e3290f499a828cae66d4fadbf62eb8f490c63c8406b1a80172e"
                maven_version:
                  name: "3.9.4"
                  urls:
                    - "https://repo1.maven.org/maven2/org/apache/maven/apache-maven/3.9.4/apache-maven-3.9.4-bin.tar.gz"
                  relative_tool_chain_path: "apache-maven-3.9.4"
                  sha256_sum: "ff66b70c830a38d331d44f6c25a37b582471def9a161c93902bac7bea3098319"
        darwin:
          arch:
            arm64:
              java_tool_chain:
                version:
                  name: "1.8.412"
                  urls:
                    - "https://builds.openlogic.com/downloadJDK/openlogic-openjdk/8u412-b08/openlogic-openjdk-8u412-b08-mac-x64.zip"
                  relative_tool_chain_path: "openlogic-openjdk-8u412-b08-mac-x64/jdk1.8.0_412.jdk/Contents/Home"
                  sha256_sum: "a16d297418f6800dfc5abfd4dfd8a16c0504d7e1f3b6fc9051cf2460f14a955e"
                maven_version:
                  name: "3.9.4"
                  urls:
                    - "https://repo1.maven.org/maven2/org/apache/maven/apache-maven/3.9.4/apache-maven-3.9.4-bin.tar.gz"
                  relative_tool_chain_path: "apache-maven-3.9.4"
                  sha256_sum: "ff66b70c830a38d331d44f6c25a37b582471def9a161c93902bac7bea3098319"

  4. Associate the scan_profile_uuid to your project UUID project-uuid using the following command.

    endorctl api update -r Project --uuid=<project-uuid> -d '{"spec":{"scan_profile_uuid":"<scanprofile-uuid>"}}' --field-mask 'spec.scan_profile_uuid'

Configure scan profile through Endor Labs user interface

While scanning projects using the GitHub App, you can configure a scan profile and assign it to your projects directly from the Endor Labs user interface.

Create and customize a new scan profile to define scan parameters, toolchains, and projects.

  1. Sign in to Endor Labs and click Settings under Manage in the left sidebar.
  2. Select SCAN PROFILES and click New Scan Profile.
  3. Enter a name for the scan profile and click Create Scan Profile.
  4. Configure various settings like automated scan parameters and paths. See Configure General scan profile settings for more information.
  5. Select TOOLCHAINS and configure the toolchains. See Configure toolchains for more information.
  6. Select PROJECTS to associate the scan profile with projects. See Associate projects with a scan profile.

Configure the necessary scan settings to tailor scans for your projects.

  1. Select the features that you want to enable for the scan profile.

    • Enable pull request scans: Automatically scans changes in the pull request.
    • Enable pull request comments: Adds scan results as comments in the pull request.
    • Disable code snippet storage for SAST: Disable storing the code snippet.

    See automated scan parameters to learn more.

  2. Select the languages to scan and the languages for which you need to generate call graphs.

    If you don’t select any language, all the languages detected in the repository will automatically be selected for the scan.

  3. Enter the paths to include or exclude in the scan.

  4. Enter any additional environment variables, if required. Only the environment variables starting with ENDOR_ are passed to the scan, all others are ignored.

  5. Select an exporter to define what scan results to send, in which format, and to which external system.

    For example, you can select the SARIF exporter to export the scan results in the SARIF format. See Export findings to GitHub Advanced Security for more information.

  6. Configure Bazel settings, if required.

    • Select Show Internal Targets as Dependencies to include internal build targets in your dependency analysis while using Bazel as your build system.

    • Configure the following Bazel settings:

      • Bazel Workspace Path: Specify the location of the Bazel workspace.

      • Target Selection: Choose one of the following methods to define which targets should be scanned:

        • Include Targets: Specify individual Bazel targets to be scanned.
        • Targets Query: Use a Bazel query expression to define the targets dynamically.

      • Excluded Targets: If using Include Targets, do not set Excluded Targets, as they cannot be used together.

    See Scan using Bazel for more details on Bazel scanning and target queries.

  7. Click Save Scan Profile to save the toolchain configuration.

Create and save a scan profile.

  1. Select the operating system for the scan profile.

  2. Select the architecture.

  3. Select the toolchain available for the operating system-architecture combination.

  4. Select the tool associated with the toolchain. For package managers like Python (pip), JavaScript (npm), and Android, you can configure a list of packages to install before the scan.

  5. Select the version of the tool (or enter the package name if you chose a package in the previous step) and click Add to Profile.

    You can only assign one version of the tool for a scan profile for a particular operating system-architecture combination.

    You can also click Custom and define the custom version of the tool. See Configure custom versions for more information.

    The following image shows the creation of a scan profile for Go and JavaScript scans. Create Scan Profile

  6. Click Save Scan Profile to save the toolchain configuration.

When you assign a version of the tool, you can choose to apply a custom version that is not provided by Endor Labs.

You must provide the following information.

  • Version name
  • The URL to download the archive package
  • SHA256 checksum of the package
  • The relative toolchain path, if required. The toolchain is extracted to the specified relative toolchain path if provided.

The following image shows a custom configuration for the Golang toolchain with Go 1.22.7 instead of the bundled 1.22.6.

Custom toolchain

Assign projects to your scan profile.

  1. Select Actions > Add Projects.

    Add Projects

  2. Search the project and click Add to Scan Profile. You can associate multiple projects with a scan profile, but you cannot apply multiple scan profiles to a single project.

You can set a default scan profile for a namespace, and all projects within that namespace will use this profile. Child namespaces inherit the default scan profile unless you override it by setting a different profile as the default within the child namespace.

  1. Sign in to Endor Labs and click Settings under Manage in the left sidebar.
  2. Select SCAN PROFILES to view the list of scan profiles.
  3. Choose a scan profile, click the vertical ellipsis on the right side, and select Set As Default.

Instead of configuring a custom version for a tool every time a required version is not provided by Endor Labs, you can create a standard version and use it across all scan profiles. For example, you can add dotnet 5.0—which is not a standard supported version—to your build tools and make it available.

  1. Sign in to Endor Labs and click Settings under Manage in the left sidebar.
  2. Select SCAN PROFILES and click BUILD TOOLS.
  3. Click New Build Tool.
  4. Select the OS and Architecture.
  5. Enter the required version, the download URL, and the SHA 256 checksum for verification. In advanced options, you can optionally specify a relative toolchain path. For example, you can enter these values to configure dotnet 5.0 build chain:
  6. Use the Relative Toolchain Path to specify a custom installation directory for the tool.
  7. Click Add Build Tool.

You will be able to choose this build tool in TOOLCHAINS, while creating a scan profile.

Configure scan profile through scanprofile.yaml

You can create a build tool profile for your Endor Labs scans in each repository to specify the build tools to automatically download for each scan.

Create a new file .endorctl/scanprofile.yaml file in the root directory of your repository and specify the required versions of the tools. You can specify the Operating system, architecture, automated scan parameters, language, tool, and install information in the scanprofile.yaml file:

The following snippet shows the overall structure of a scanprofile.yaml file with automated scan parameters. See automated scan parameters to learn more.

kind: "AutomatedScanParameters"
spec:
    languages:
      - java
    call_graph_languages:
      - java
    additional_environment_variables:
      - ENDOR_LOG_VERBOSE=true
      - ENDOR_LOG_LEVEL=debug
    enable_automated_pr_scans: true
    enable_pr_comments: true
    enable_sast_scan: true
    disable_code_snippet_storage: true
    bazel_configuration:
      bazel_show_internal_targets: true
      bazel_workspace_path: "go-bazel-repo/"
      bazel_include_targets:
        - "//cmd:cmd"

The following example shows a scan profile to scan Java and Bazel projects in CI with Maven 3.9.4, custom environment variables, and support for both Linux and macOS toolchains.


kind: "AutomatedScanParameters"
spec:
    languages:
      - java
    additional_environment_variables:
      - ENDOR_LOG_VERBOSE=true
      - ENDOR_LOG_LEVEL=debug
    enable_automated_pr_scans: true
    enable_pr_comments: true
    enable_sast_scan: true
    disable_code_snippet_storage: true
    bazel_configuration:
      bazel_show_internal_targets: true
      bazel_workspace_path: "go-bazel-repo/"
      bazel_include_targets:
        - "//cmd:cmd"


---
kind: "ToolchainProfile"
spec:
  os:
    linux:
      arch:
        amd64:
          java_tool_chain:
            version:
              name: "1.8.412"
              urls:
                - "https://builds.openlogic.com/downloadJDK/openlogic-openjdk/8u412-b08/openlogic-openjdk-8u412-b08-linux-x64.tar.gz"
              relative_tool_chain_path: "openlogic-openjdk-8u412-b08-linux-x64/"
              sha256_sum: "eb06c9d62e031e3290f499a828cae66d4fadbf62eb8f490c63c8406b1a80172e"
            maven_version:
              name: "3.9.4"
              urls:
                - "https://repo1.maven.org/maven2/org/apache/maven/apache-maven/3.9.4/apache-maven-3.9.4-bin.tar.gz"
              relative_tool_chain_path: "apache-maven-3.9.4"
              sha256_sum: "ff66b70c830a38d331d44f6c25a37b582471def9a161c93902bac7bea3098319"
    darwin:
      arch:
        arm64:
          java_tool_chain:
            version:
              name: "1.8.412"
              urls:
                - "https://builds.openlogic.com/downloadJDK/openlogic-openjdk/8u412-b08/openlogic-openjdk-8u412-b08-mac-x64.zip"
              relative_tool_chain_path: "openlogic-openjdk-8u412-b08-mac-x64/jdk1.8.0_412.jdk/Contents/Home"
              sha256_sum: "a16d297418f6800dfc5abfd4dfd8a16c0504d7e1f3b6fc9051cf2460f14a955e"
            maven_version:
              name: "3.9.4"
              urls:
                - "https://repo1.maven.org/maven2/org/apache/maven/apache-maven/3.9.4/apache-maven-3.9.4-bin.tar.gz"
              relative_tool_chain_path: "apache-maven-3.9.4"
              sha256_sum: "ff66b70c830a38d331d44f6c25a37b582471def9a161c93902bac7bea3098319"

Configure scan workflow through Endor Labs API

Configure scan workflows through the Endor Labs API to automate how your projects are scanned. You can create, modify, and delete scan workflows. You can also define the order of scan profile execution and associate workflows with specific projects in your tenant.

Ensure you have the following before creating a scan workflow:

  • Make sure you install and configure endorctl in your system.
  • Ensure your scan workflow includes at least one scan profile.
  • All scan profiles you reference must already exist in your tenant.
  • You can associate only one scan workflow with each project.

Create a scan workflow using endorctl api and associate it with a project in your tenant.

  1. Run the endorctl scan to create a project in Endor Labs.

    endorctl scan

  2. Fetch the UUID of the project. For example, to fetch the UUID of app-java-demo project, run:

    UUID=$(endorctl api list -r Project --filter="meta.name matches https://github.com/endorlabs/app-java-demo" --field-mask=uuid | jq -r '.list.objects[].uuid')

  3. Use the following command to create a ScanWorkflow object and associate it with your project. Specify the title and UUID of one or more scan profiles available in your tenant. Replace the following placeholders with your actual values:

    • demo with name the of the scan workflow.
    • project-uuid with the UUID of your project from step 2.
    • scan profile 1 and scan profile 2 with the names of your scan profiles.
    • uuid of scan profile 1 and uuid of scan profile 2 with the corresponding UUIDs of the scan profiles.
    endorctl api create -r ScanWorkflow -d'{
    "meta":
    {
        "name":"demo",
        "kind": "ScanWorkflow",
        "parent_kind":"Project",
        "parent_uuid":"project-uuid"
    },
    "spec":
        {
        "steps":
        [
            {
                "title":"scan profile 1",
                "scan_profile_uuid":"uuid of scan profile 1"
            },
            {
                "title":"scan profile 2",
                "scan_profile_uuid":"uuid of scan profile 2"
            },
        ]
        }
}'

Here is an example to create a scan workflow titled demo-workflow with a Java scan profile and Python scan profile.

endorctl api create -r ScanWorkflow -d'{
    "meta":
    {
        "name":"demo-workflow",
        "kind": "ScanWorkflow",
        "parent_kind":"Project",
        "parent_uuid":"68369123e4a717bd735c24bc"
    },
    "spec":
        {
        "steps":
        [
            {
                "title":"java",
                "scan_profile_uuid":"68450261ec0014616fa6c0c3"
            },
            {
                "title":"python",
                "scan_profile_uuid":"6845023bbe385224df4a0526"
            }
        ]
        }
}'

The provision result shows the list and execution history of scan workflows in your namespace, including the scan profiles used, their order, and the outcome of each step. It verifies that prerequisites such as resources, configurations, and dependencies are ready before scanning or analytics begin. You can use it to troubleshoot failures, check that the correct scan profiles ran, and confirm workflows run as expected.

Run the following command to view the list of scan workflows in your namespace and their execution results.

endorctl api list -r ScanWorkflowResult

You can delete an existing scan workflow from your tenant by using endorctl API and specifying its UUID.

  1. Get a list of scan workflows in your namespace.

    endorctl api list -r ScanWorkflow

  2. Run the following command to delete a scan workflow. Replace abcde12345 with the UUID of the scan workflow.

    endorctl api delete -r ScanWorkflow --uuid abcde12345

Configure scan workflow through Endor Labs user interface

Configure scan workflows to define how your projects are scanned. You can assign scan profiles to scanning steps and control their order of execution, and manage these settings in the Endor Labs user interface.

Set up a scan workflow to define scanning steps, assign profiles, and manage how your projects are scanned.

  1. Sign in to Endor Labs and select Projects in the left sidebar.
  2. Select the project for which you want to configure a scan workflow.
  3. Navigate to Settings and select Scan Workflow.
  4. Click Add Step to add an existing scan profile.
  5. Enter a descriptive name in Step title to describe the workflow step.
  6. Select a scan profile from your namespace for this step.
  7. Click Save to add this step, and repeat to add as many steps as you need.
  8. Toggle Enabled for each step to choose which steps to include in the workflow during the scan.
  9. Configure additional options in GitHub App features. See GitHub App features for more information.
  10. Click Save.

Configure GitHub App features in scan workflows to enable pull request scanning, AI security reviews, and custom scan settings for your projects.

  1. Select the pull request flags you want to enable for the scan workflow.

    • Pull request scans: Automatically scan changes in the pull request.
    • Pull request comments: Add scan results as comments in the pull request.

  2. Select the AI Security Review settings that you want to enable for the scan workflow.

    • AI Security Review Scans: Automatically analyze code repositories with AI, detect vulnerabilities and misconfigurations, and generate detailed security reports.
    • Disable Code Summary: Exclude the code summary from the AI Security Review scan report.
    • Enter a Custom Prompt to modify how AI Code Security Review detects and categorizes security related changes. You can use this only when AI Security Review Scans is enabled.

  3. Select Disable code snippet storage for SAST to exclude code summary from the AI Security Review scan report. See automated scan parameters to learn more.

  4. Enter any additional environment variables, if required. Only the environment variables starting with ENDOR_ are passed to the scan, all others are ignored.

  5. Click Save.

Customize the scan workflow to control which profiles, checks, and features are applied to your project.

To edit the steps in your scan workflow:

  1. Select the project for which you want to configure a scan workflow.
  2. Navigate to Settings and select Scan Workflow.
  3. Click Edit Step and update the step title.
  4. Select a different scan profile to replace the one associated with the step.
  5. Click Save.

To remove a step from the scan workflow:

  1. Select the project for which you want to configure a scan workflow.
  2. Navigate to Settings and select Scan Workflow.
  3. Click Remove.