Manage build tools (Beta)
Endor Labs often requires pre-built or installed software to scan your application. Building software allows Endor Labs to ensure that your software bill of materials is accurate, especially in software languages such as Python, Java, or .NET where lock files are significantly less common.
Since software frequently relies on specific versions of a runtime or package manager, Endor Labs references the tools used in your software build process. This ensures that your software bill of materials and all associated risk information are accurate. Endor Labs provides ways to define the tools necessary for building your software for repeatable patterns used in CI or when build tools are not installed.
Endor Labs will automatically install build tools in a sandbox to ensure you can run highly accurate scans. The build tools are not installed on your host but are installed in an isolated sandbox. The feature is currently supported for Linux and macOS operating systems.
Scan Profile is used to configure build tool chain and scan parameters that are passed to the Github App. A Project should be associated to one Scan Profile so that the scans for that project uses the configuration in the Scan Profile.
You need to install and initialize endorctl CLI, before configuring the build toolchains in a scan profile.
The following pages describe the various methods in which you can create a scan profile.
- Configure scan profile through the Endor Labs UI
- Configure scan profile through the Endor Labs API
- Configure scan profile through
scanprofile.yaml
file - Automatically detect tool chains
- Uses system defaults
Configure build tools for Endor Labs GitHub App
Endor Labs GitHub App continuously monitors your projects for security and operational risks. The app monitors all the projects included in your GitHub workspace and scans run once every 24 hours. For performing scans, the GitHub App checks the toolchain specifications in the following order:
- Toolchain configuration specified through endorctl API.
- Toolchain configuration specified in scanprofile.yaml file.
- Enable auto detection and automatically detect the toolchains from your manifest files.
- Uses the system defaults.
Configure build tools for repeatable CI patterns
After installing and initializing the endorctl CLI, run the endorctl scan using the --install-build-tools
command to dynamically download and install the required build tools.
endorctl scan --install-build-tools
Run the endorctl scan
Here is the recommended flow for performing the endorctl scan.
- For the first time, run the endorctl scan to create a project with Endor Labs.
endorctl scan
- To automatically download and install build tools as part of your scan, run the endorctl scan using the
--install-build-tools
command.
endorctl scan --install-build-tools
-
The system checks for the required toolchain specifications in the following order before installing them in the sandbox.
System default toolchain versions
If you do not provide a tool profile, the default toolchains are installed in the sandbox while performing the endorctl scan with the install-build-tools
flag. See Toolchain reference for details on default versions.
Toolchain support matrix
The following table outlines the toolchain profile support details across different languages and platforms.
Dependencies | Support for API/profile.yaml | Support for Auto detection | Defaults | Platform |
---|---|---|---|---|
Java | Supported | Java 8, 11, 17, 21 | Java 17 | Linux, Darwin |
Maven | Supported | Maven 3.8.8, 3.9.4 | Maven 3.9.4 | Linux, Darwin |
Gradle | Supported | Gradle 7.6.4, 8.4 | Gradle 8.4 | Linux, Darwin |
Python | Supported | Python 3.8, 3.9, 3.10, 3.11, 3.12 | Python 3.10 | Linux, Darwin |
NodeJS | Supported | NodeJS 20.10 | Node JS 20.10.0 | Linux, Darwin |
Yarn | Supported | Yarn 1.22 | Yarn 1.22.19 | Linux, Darwin |
PNPM | Supported | PNPM 8.10 | PNPM 8.10.2 | Linux, Darwin |
Golang | Supported | Golang 1.21, 1.22, 1.23 | Golang 1.22.2 | Linux, Darwin |
.NET | Supported | .NET 6, 7, 8 | .NET 7.0.401 | Linux, Darwin |
Scala | Supported | Scala 1.9.0 | Linux, Darwin | |
Rust | Supported | Rust 1.77.9 | Linux, Darwin | |
MIRAI | Supported | MIRAI 1.1.10 | Linux, Darwin | |
Kotlin | Supported | Java 17 | Linux, Darwin | |
Typescript | Supported | Node JS 20.10.0 | Linux, Darwin | |
Android | Supported | platform-tools | Linux, Darwin | |
PHP | Supported | 8.2 | Linux | |
Ruby | Supported | 3.2.1 | Linux |
Reference toolchain specification
The following reference toolchain specification has examples for defining toolchains in linux | amd64
architecture.
kind: ToolchainProfile
spec:
os:
linux:
arch:
amd64:
java_tool_chain:
version:
name: "1.8.412"
urls:
- "https://builds.openlogic.com/downloadJDK/openlogic-openjdk/8u412-b08/openlogic-openjdk-8u412-b08-linux-x64.tar.gz"
relative_tool_chain_path: "openlogic-openjdk-8u412-b08-linux-x64/"
sha256_sum: "eb06c9d62e031e3290f499a828cae66d4fadbf62eb8f490c63c8406b1a80172e"
maven_version:
name: "3.9.4"
urls:
- "https://archive.apache.org/dist/maven/maven-3/3.9.4/binaries/apache-maven-3.9.4-bin.tar.gz"
relative_tool_chain_path: "apache-maven-3.9.4"
sha256_sum: "ff66b70c830a38d331d44f6c25a37b582471def9a161c93902bac7bea3098319"
gradle_version:
name: "8.4"
urls:
- "https://services.gradle.org/distributions/gradle-8.4-bin.zip"
relative_tool_chain_path: "gradle-8.4/"
sha256_sum: "3e1af3ae886920c3ac87f7a91f816c0c7c436f276a6eefdb3da152100fef72ae"
python_tool_chain:
version:
name: "3.10"
urls:
- "https://github.com/indygreg/python-build-standalone/releases/download/20240415/cpython-3.10.14+20240415-x86_64-unknown-linux-gnu-pgo+lto-full.tar.zst"
relative_tool_chain_path: "python/"
sha256_sum: "add8cc6cbb4f2a3f8af2272e62b7604f7529a8c357c0af0f8a9f7d3dd444ef1e"
java_script_tool_chain:
nodejs_version:
name: "20.10.0"
urls:
- "https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.gz"
relative_tool_chain_path: "node-v20.10.0-linux-x64/"
sha256_sum: "d3f0908a9d9190a8525c5b9a716ed91bb57e908555841b0c47f75b2a001ff91b"
yarn_version:
name: "1.22.19"
urls:
- "https://github.com/yarnpkg/yarn/releases/download/v1.22.19/yarn-v1.22.19.tar.gz"
relative_tool_chain_path: "yarn-v1.22.19/"
sha256_sum: "732620bac8b1690d507274f025f3c6cfdc3627a84d9642e38a07452cc00e0f2e"
dotnet_tool_chain:
version:
name: "8.0.303"
urls:
- "https://download.visualstudio.microsoft.com/download/pr/60218cc4-13eb-41d5-aa0b-5fd5a3fb03b8/6c42bee7c3651b1317b709a27a741362/dotnet-sdk-8.0.303-linux-x64.tar.gz"
sha256_sum: "214ee467f75c42f1512748fe7ca8dd82da2af29cdf54be614a8997f0466ef070"
darwin:
arch:
arm64:
java_tool_chain:
version:
name: "1.8.412"
urls:
- "https://builds.openlogic.com/downloadJDK/openlogic-openjdk/8u412-b08/openlogic-openjdk-8u412-b08-mac-x64.zip"
relative_tool_chain_path: "openlogic-openjdk-8u412-b08-mac-x64/jdk1.8.0_412.jdk/Contents/Home"
sha256_sum: "a16d297418f6800dfc5abfd4dfd8a16c0504d7e1f3b6fc9051cf2460f14a955e"
maven_version:
name: "3.9.4"
urls:
- "https://archive.apache.org/dist/maven/maven-3/3.9.4/binaries/apache-maven-3.9.4-bin.tar.gz"
relative_tool_chain_path: "apache-maven-3.9.4"
sha256_sum: "ff66b70c830a38d331d44f6c25a37b582471def9a161c93902bac7bea3098319"
dotnet_tool_chain:
version:
name: "8.0.303"
urls:
- "https://download.visualstudio.microsoft.com/download/pr/d81d84cf-4bb8-4371-a4d2-88699a38a83b/9bddfe1952bedc37e4130ff12abc698d/dotnet-sdk-8.0.303-osx-arm64.tar.gz"
relative_tool_chain_path: "dotnet-sdk-8.0.303-osx-arm64"
sha256_sum: "c6f4150833e51d55cc4c4a435d7cc53269f3d6db308b34f4e001900c6fdf8149"
---
kind: AutomatedScanParameters
spec:
languages:
- java
- python
additional_environment_variables:
- ENDOR_LOG_VERBOSE=false
- ENDOR_LOG_LEVEL=info
Feedback
Was this page helpful?
Thanks for the feedback. Write to us at support@endor.ai to tell us more.
Thanks for the feedback. Write to us at support@endor.ai to tell us more.