Manage scan profiles

Learn how to build repeatable patterns by configuring scan profiles in your scan environment.

Endor Labs often requires pre-built or installed software to scan your application. Building the software lets Endor Labs produce an accurate software bill of materials, especially for languages such as Python, Java, or .NET where lock files are significantly less common.

Since software frequently relies on specific versions of a runtime or package manager, Endor Labs references the tools used in your build process. This ensures that your software bill of materials and all associated risk information are accurate. Endor Labs provides ways to define the tools needed to build your software, both for repeatable patterns used in CI and for hosts where the build tools are not installed.

Endor Labs will automatically install build tools in a sandbox to ensure you can run highly accurate scans. The build tools are not installed on your host but are installed in an isolated sandbox. The feature is currently supported for Linux and macOS operating systems.

A scan profile is a configuration that defines the parameters, toolchains, and projects for scanning operations. It is used to configure the build toolchain and the scan parameters required for a scan. Associate a project with a scan profile so that scans for that project use the configuration in the scan profile.

You need to install and initialize the endorctl CLI before configuring the build toolchains in a scan profile.

The following pages describe the various methods in which you can create a scan profile.

Configure build tools for Endor Labs GitHub App

The Endor Labs GitHub App continuously monitors your projects for security and operational risks. The app monitors all the projects included in your GitHub workspace, and scans run once every 24 hours. Before performing a scan, the GitHub App looks for toolchain specifications in the following order and uses the first one it finds:

  1. Toolchain configuration specified through the endorctl API.
  2. Toolchain configuration specified in the scanprofile.yaml file.
  3. Toolchains detected automatically from your manifest files, if auto detection is enabled.
  4. The system defaults.

Configure build tools for repeatable CI patterns

After installing and initializing the endorctl CLI, run endorctl scan with the --install-build-tools flag to dynamically download and install the required build tools.

endorctl scan --install-build-tools

Run the endorctl scan

Here is the recommended flow for performing the endorctl scan.

  1. For the first time, run endorctl scan to create a project with Endor Labs.
endorctl scan
  2. To automatically download and install build tools as part of your scan, run endorctl scan with the --install-build-tools flag.
endorctl scan --install-build-tools
  3. Before installing anything in the sandbox, the system looks for toolchain specifications in the same order used by the GitHub App: configuration set through the endorctl API, then the scanprofile.yaml file, then auto detection from your manifest files, and finally the system defaults.

System default toolchain versions

If you do not provide a toolchain profile, the default toolchains are installed in the sandbox when you run endorctl scan with the --install-build-tools flag. See Toolchain reference for details on default versions.

Toolchain support matrix

The following table outlines the toolchain profile support details across different languages and platforms. An empty auto detection cell means no auto-detected versions are listed for that toolchain.

Dependency | Support for API | Support for profile yaml | Auto detection (supported versions) | Default version | Platform
--- | --- | --- | --- | --- | ---
Java | Supported | Supported | Java 8, 11, 17, 21 | Java 17 | Linux, Darwin
Maven | Supported | Supported | Maven 3.8.8, 3.9.4 | Maven 3.9.4 | Linux, Darwin
Gradle | Supported | Supported | Gradle 7.6.4, 8.4 | Gradle 8.4 | Linux, Darwin
Python | Supported | Supported | Python 3.8, 3.9, 3.10, 3.11, 3.12 | Python 3.10 | Linux, Darwin
NodeJS | Supported | Supported | NodeJS 20.10 | NodeJS 20.10.0 | Linux, Darwin
Yarn | Supported | Supported | Yarn 1.22 | Yarn 1.22.19 | Linux, Darwin
PNPM | Supported | Supported | PNPM 8.10 | PNPM 8.10.2 | Linux, Darwin
Golang | Supported | Supported | Golang 1.21, 1.22, 1.23 | Golang 1.22.2 | Linux, Darwin
.NET | Supported | Supported | .NET 6, 7, 8, 9 | .NET 7.0.401 | Linux, Darwin
Scala | Supported | Supported | | Scala 1.9.0 | Linux, Darwin
Rust | Supported | Supported | | Rust 1.77.9 | Linux, Darwin
Kotlin | Supported | Supported | | Java 17 | Linux, Darwin
Typescript | Supported | Supported | | NodeJS 20.10.0 | Linux, Darwin
Android | Supported | Supported | | platform-tools | Linux, Darwin
PHP | Supported | Supported | | 8.2 | Linux
Ruby | Supported | Supported | | 3.2.1 | Linux

Reference toolchain specification

The following reference toolchain specification shows how to define toolchains for the linux/amd64 platform. Each toolchain version entry names the download URLs, the directory inside the archive that holds the toolchain (relative_tool_chain_path), and the expected SHA-256 digest of the archive (sha256_sum). When you add your own versions, compute the digest from the exact archive you intend to use rather than copying a value from another source, so that a substituted or corrupted download does not match the pin.

kind: ToolchainProfile
spec:
  os:
    linux:
      arch:
        amd64:
          java_tool_chain:
            version:
              name: "1.8.412"
              urls:
                - "https://builds.openlogic.com/downloadJDK/openlogic-openjdk/8u412-b08/openlogic-openjdk-8u412-b08-linux-x64.tar.gz"
              relative_tool_chain_path: "openlogic-openjdk-8u412-b08-linux-x64/"
              sha256_sum: "eb06c9d62e031e3290f499a828cae66d4fadbf62eb8f490c63c8406b1a80172e"
            maven_version:
              name: "3.9.4"
              urls:
                - "https://archive.apache.org/dist/maven/maven-3/3.9.4/binaries/apache-maven-3.9.4-bin.tar.gz"
              relative_tool_chain_path: "apache-maven-3.9.4"
              sha256_sum: "ff66b70c830a38d331d44f6c25a37b582471def9a161c93902bac7bea3098319"
            gradle_version:
              name: "8.4"
              urls:
                - "https://services.gradle.org/distributions/gradle-8.4-bin.zip"
              relative_tool_chain_path: "gradle-8.4/"
              sha256_sum: "3e1af3ae886920c3ac87f7a91f816c0c7c436f276a6eefdb3da152100fef72ae"
          python_tool_chain:
            version:
              name: "3.10"
              urls:
                - "https://github.com/indygreg/python-build-standalone/releases/download/20240415/cpython-3.10.14+20240415-x86_64-unknown-linux-gnu-pgo+lto-full.tar.zst"
              relative_tool_chain_path: "python/"
              sha256_sum: "add8cc6cbb4f2a3f8af2272e62b7604f7529a8c357c0af0f8a9f7d3dd444ef1e"
          java_script_tool_chain:
            nodejs_version:
              name: "20.10.0"
              urls:
                - "https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.gz"
              relative_tool_chain_path: "node-v20.10.0-linux-x64/"
              sha256_sum: "d3f0908a9d9190a8525c5b9a716ed91bb57e908555841b0c47f75b2a001ff91b"
            yarn_version:
              name: "1.22.19"
              urls:
                - "https://github.com/yarnpkg/yarn/releases/download/v1.22.19/yarn-v1.22.19.tar.gz"
              relative_tool_chain_path: "yarn-v1.22.19/"
              sha256_sum: "732620bac8b1690d507274f025f3c6cfdc3627a84d9642e38a07452cc00e0f2e"
          dotnet_tool_chain:
              version:
                name: "9.0.200"
                urls:
                  - "https://download.visualstudio.microsoft.com/download/pr/3606de37-1325-4f5f-bbe9-1bc44b3c1c7f/91872629e9f0c205cace9c462d5e89a4/dotnet-sdk-9.0.200-linux-x64.tar.gz"
                sha256_sum: "c07281a0abbd2c3200e70fc94d374baeadfbb43c9c3fe90c6038253555b84335"


---
kind: AutomatedScanParameters
spec:
  languages:
    - java
    - python
  additional_environment_variables:
    - ENDOR_LOG_VERBOSE=false
    - ENDOR_LOG_LEVEL=info
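The sha256_sum pin in each toolchain entry is only worth something if the downloaded archive is checked against it before anything is unpacked. The following Python is an added example, not Endor Labs code or part of endorctl: it builds a constructed stand-in for a toolchain tarball (in place of the real apache-maven-3.9.4-bin.tar.gz download), pins its digest the way a sha256_sum entry would, and shows the check rejecting a tampered archive and an archive whose layout does not contain the relative_tool_chain_path. The archive contents, the function names, and the path-traversal check on archive members are assumptions of this example.

```python
"""Added example (not Endor Labs code): what a sha256_sum pin in a
ToolchainProfile lets the installer check before unpacking a toolchain."""
import hashlib
import hmac
import io
import tarfile


def build_sample_archive(top_dir: str, files: dict[str, bytes]) -> bytes:
    """Constructed stand-in for a toolchain tarball (e.g. apache-maven-3.9.4-bin.tar.gz)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel_path, content in files.items():
            info = tarfile.TarInfo(name=f"{top_dir}/{rel_path}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_toolchain_archive(data: bytes, sha256_sum: str,
                             relative_tool_chain_path: str) -> tuple[bool, str]:
    """Return (ok, reason). The digest is compared before the archive is parsed,
    so a tampered or substituted download is rejected without being unpacked."""
    pinned = sha256_sum.strip().lower()
    if len(pinned) != 64 or any(c not in "0123456789abcdef" for c in pinned):
        return False, "sha256_sum is not a 64-character hex digest"
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, pinned):
        return False, f"digest mismatch: pinned {pinned}, got {actual}"
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            names = tar.getnames()
    except tarfile.TarError as exc:
        return False, f"not a readable tar.gz archive: {exc}"
    for name in names:
        # Assumed hardening for the unpack step: never accept absolute or
        # parent-directory members, even when the digest matches.
        if name.startswith("/") or ".." in name.split("/"):
            return False, f"unsafe member path: {name}"
    root = relative_tool_chain_path.strip("/")
    if root and not any(n == root or n.startswith(root + "/") for n in names):
        return False, f"relative_tool_chain_path {relative_tool_chain_path!r} not found in archive"
    return True, "ok"


# Constructed sample: a two-file "Maven" layout under the directory the
# reference profile names in relative_tool_chain_path.
SAMPLE_ARCHIVE = build_sample_archive(
    "apache-maven-3.9.4",
    {"bin/mvn": b"#!/bin/sh\necho maven\n", "lib/maven-core.jar": b"PK\x03\x04"},
)
# The value you would paste into sha256_sum for this (constructed) archive.
PINNED_SHA256 = sha256_hex(SAMPLE_ARCHIVE)


def demo() -> dict[str, bool]:
    """Genuine archive passes; a single flipped byte or a wrong layout fails."""
    tampered = SAMPLE_ARCHIVE[:-1] + bytes([SAMPLE_ARCHIVE[-1] ^ 0x01])
    return {
        "genuine": verify_toolchain_archive(SAMPLE_ARCHIVE, PINNED_SHA256, "apache-maven-3.9.4")[0],
        "tampered": verify_toolchain_archive(tampered, PINNED_SHA256, "apache-maven-3.9.4")[0],
        "wrong_layout": verify_toolchain_archive(SAMPLE_ARCHIVE, PINNED_SHA256, "gradle-8.4/")[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The digest comparison happens before the tar parser ever sees the bytes, which is the order you want: parsing an untrusted archive is attack surface in itself, and a mismatched digest already tells you the download is not the one you pinned.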

Automated scan parameters

Automated scan parameters define the behavior of cloud scans in Endor Labs. You can set these parameters using the Endor Labs user interface, the API, or a YAML file.

You can define the following parameters in your scan profile:

  • included_paths: A list of paths to include in the scan.

  • excluded_paths: A list of paths to exclude from the scan.

  • languages: A list of languages to scan. If empty, default values are used.

  • call_graph_languages: A list of languages for which call graphs are generated. If empty, default values are used.

  • additional_environment_variables: Additional environment variables to set during the scan, as KEY=VALUE entries. Only variables whose names start with ENDOR_ are passed to the scan; all others are ignored.

  • enable_automated_pr_scans: Enables automatic scanning of pull request changes.

  • enable_pr_comments: Enables posting scan results as comments in pull requests.

  • enable_sast_scan: Enables SAST during the scan.

  • disable_code_snippet_storage: Disables storage of code snippets.

If you are using Bazel in your build, you can further configure:

  • bazel_configuration: Configuration settings for Bazel scans; the Bazel options below are nested under it. See Bazel flags for more details.

  • bazel_show_internal_targets: Include internal build targets in the dependency analysis.

  • bazel_workspace_path: The path to the Bazel workspace.

  • bazel_include_targets: Bazel targets to include in the scan.

  • bazel_exclude_target: Bazel targets to exclude from the scan.
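To see what a scan actually receives from these parameters, the following Python is an added example, not Endor Labs code or endorctl behaviour: it applies included_paths and excluded_paths to a constructed file list and applies the ENDOR_-only rule to additional_environment_variables, separating what is passed from what is ignored. The glob semantics (with ** spanning directories) and the rule that an exclusion wins over an inclusion are assumptions made here, since the page does not define them; the spec dict, the file list, and the variable names are constructed for the example.

```python
"""Added example (not Endor Labs code): the effect of included_paths,
excluded_paths and the ENDOR_-only environment-variable rule on a scan."""
import fnmatch

# Parsed form of an AutomatedScanParameters spec, constructed for this example.
SPEC = {
    "included_paths": ["python/**"],
    "excluded_paths": ["python/tests/**"],
    "languages": ["python"],
    "additional_environment_variables": [
        "ENDOR_LOG_VERBOSE=true",
        "ENDOR_LOG_LEVEL=debug",
        "LD_PRELOAD=/tmp/hook.so",  # not ENDOR_-prefixed: ignored
        "PATH=/tmp/bin",            # not ENDOR_-prefixed: ignored
        "ENDOR_BROKEN",             # no '=': malformed, ignored
    ],
}

# Constructed repository listing; a real scan would walk the checkout.
REPO_FILES = [
    "python/app/main.py",
    "python/requirements.txt",
    "python/tests/test_main.py",
    "java/src/Main.java",
    "README.md",
]


def _matches_any(path: str, patterns: list[str]) -> bool:
    # Assumption: glob matching where '**' spans directory separators.
    # fnmatch's '*' does not stop at '/', so 'python/**' covers 'python/a/b.py'.
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in patterns)


def select_paths(spec: dict, files: list[str]) -> list[str]:
    """Files the scan would see. Empty included_paths means everything; an
    excluded_paths match removes a file even if it was included (assumed precedence)."""
    included = spec.get("included_paths") or []
    excluded = spec.get("excluded_paths") or []
    selected = []
    for path in files:
        if included and not _matches_any(path, included):
            continue
        if _matches_any(path, excluded):
            continue
        selected.append(path)
    return selected


def filter_environment(spec: dict) -> tuple[dict[str, str], list[str]]:
    """Split additional_environment_variables into (passed, ignored).
    Only well-formed KEY=VALUE entries whose KEY starts with ENDOR_ are passed,
    which keeps loader-influencing variables such as LD_PRELOAD out of the scan."""
    passed: dict[str, str] = {}
    ignored: list[str] = []
    for entry in spec.get("additional_environment_variables") or []:
        key, sep, value = entry.partition("=")
        if not sep or not key.startswith("ENDOR_"):
            ignored.append(entry)
            continue
        passed[key] = value
    return passed, ignored


if __name__ == "__main__":
    print("files:", select_paths(SPEC, REPO_FILES))
    passed, ignored = filter_environment(SPEC)
    print("env passed:", passed)
    print("env ignored:", ignored)
```

The ENDOR_ prefix rule is the part worth internalising: a scan profile is shared configuration, so anyone who can edit it could otherwise inject variables like LD_PRELOAD or PATH into the build environment. Restricting the namespace to ENDOR_ keeps the profile from becoming a code-execution vector.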

The following AutomatedScanParameters definition shows a YAML scan profile with configured automated scan parameters:

kind: AutomatedScanParameters
spec:
  automated_scan_parameters:
    included_paths:
      - python/**
    excluded_paths:
      - java/**
    languages:
      - python
    call_graph_languages:
      - python
    additional_environment_variables:
      - ENDOR_LOG_VERBOSE=true
      - ENDOR_LOG_LEVEL=debug
    enable_automated_pr_scans: true
    enable_pr_comments: true
    enable_sast_scan: true
    disable_code_snippet_storage: true
    bazel_configuration:
      bazel_show_internal_targets: true
      bazel_workspace_path: "go-bazel-repo/"
      bazel_include_targets:
        - "//cmd:cmd"