This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Manage scan profiles

Learn how to build repeatable patterns by configuring scan profiles in your scan environment.

1: Configure scan profile through Endor Labs UI

2: Configure scan profile through Endor Labs API

3: Configure scan profile through scanprofile.yaml

4: Enable auto detection

Endor Labs often relies on specific versions of a runtime or package manager and requires build tools to scan your application. This ensures accurate software bill of materials (SBOM) and associated risk data for languages like Python, Java, or .NET where lock files are significantly less common.

Since software frequently relies on specific versions of a runtime or package manager, Endor Labs references the tools used in your software build process. You can define and install these build tools in CLI when they are not available in your environment. Endor Labs installs these tools in an isolated sandbox during the scan. The feature is currently supported for Linux and macOS operating systems.

A scan profile is a configuration that defines the parameters, toolchains, and projects for scanning operations. Scan profile is used to configure build toolchain and scan parameters required for a scan. Associate a project with a scan profile so that the scans for that project uses the configuration in the scan profile.

Important

The flag --install-build-tools ensures that the necessary build tools are available in the sandbox environment to properly execute language-specific scans and dependency resolution.

You need to install and initialize endorctl CLI, before configuring the build toolchains in a scan profile.

The following pages describe the various methods in which you can create a scan profile.

Configure build tools for Endor Labs GitHub App

Endor Labs GitHub App continuously monitors your projects for security and operational risks. The app monitors all the projects included in your GitHub workspace and scans run once every 24 hours. For performing scans, the GitHub App checks the toolchain specifications in the following order:

Toolchain configuration specified through endorctl API.
Toolchain configuration specified in scanprofile.yaml file.
Enable auto detection and automatically detect the toolchains from your manifest files.
Uses the system defaults.

Configure build tools in CLI

After installing and initializing the endorctl CLI, run the endorctl scan using the --install-build-tools command to dynamically download and install the required build tools.

For the first time, run the endorctl scan to create a project with Endor Labs.

endorctl scan

Run the following command to automatically download and install build tools as part of your scan.

endorctl scan --install-build-tools

The system checks for the required toolchain specifications in the following order before installing them in the sandbox.

System default toolchain versions

If you do not provide a tool profile, the default toolchains are installed in the sandbox while performing the endorctl scan with the install-build-tools flag. See Toolchain reference for details on default versions.

Toolchain support matrix

The following table outlines the toolchain profile support details across different languages and platforms.

Dependencies	Support for API	Support for profile yaml	Support for Auto detection	Default Version	Platform
Java	Supported	Supported	Java 8, 11, 17, 21	Java 17	Linux, Darwin
Maven	Supported	Supported	Maven 3.8.8, 3.9.4	Maven 3.9.4	Linux, Darwin
Gradle	Supported	Supported	Gradle 7.6.4, 8.4	Gradle 8.4	Linux, Darwin
Python	Supported	Supported	Python 3.8, 3.9, 3.10, 3.11, 3.12	Python 3.10	Linux, Darwin
NodeJS	Supported	Supported	NodeJS 20.10	Node JS 20.10.0	Linux, Darwin
Yarn	Supported	Supported	Yarn 1.22, 2, 3, 4	Yarn 1.22.19	Linux, Darwin
PNPM	Supported	Supported	PNPM 8.10	PNPM 8.10.2	Linux, Darwin
Golang	Supported	Supported	Golang 1.21, 1.22, 1.23	Golang 1.22.2	Linux, Darwin
.NET	Supported	Supported	.NET 6, 7, 8, 9	.NET 7.0.401	Linux, Darwin
Scala	Supported	Supported		Scala 1.9.0	Linux, Darwin
Rust	Supported	Supported		Rust 1.77.9	Linux, Darwin
Kotlin	Supported	Supported		Java 17	Linux, Darwin
Typescript	Supported	Supported		Node JS 20.10.0	Linux, Darwin
Android	Supported	Supported		platform-tools	Linux, Darwin
PHP	Supported	Supported		8.2	Linux
Ruby	Supported	Supported		3.2.1	Linux

Note

.NET 5 and earlier versions are not supported for auto detection or manual configuration.

Configure automated scan parameters

Use automated scan parameters to configure endorctl parameters and environment variables for cloud scans. They can be used with projects linked to a scan profile and must be defined in the scan profile.

You can define the following parameters in your scan profile:

included_paths: Enable to specify a list of paths to include in the scan.
excluded_paths: Enable to specify a list of path to exclude from the scan.
languages: Enable to specify a list of languages to scan. If empty, default values are used.
call_graph_languages: Enable to specify a list of language to use for generating call graphs. If empty, default values are used.
additional_environment_variables: Enable to specify additional environment variables to set during the scan. Only the environment variables starting with ENDOR_ are passed to the scan, all others are ignored.
enable_automated_pr_scans: Enables automatic scanning of pull request changes.
enable_pr_comments: Enables adding scan results as comments in pull requests.
enable_sast_scan: Enables SAST during the scanning process.
disable_code_snippet_storage: Disables the storage of code snippets.

If you are using Bazel in your build, you can further configure:

bazel_configuration: Enable to specify configuration settings for Bazel scans. See Bazel flags for more details.
bazel_show_internal_targets: Enable to include internal build targets in the dependency analysis.
bazel_workspace_path: Enable to specify the path to the Bazel workspace.
bazel_include_targets: Enable to specify Bazel targets to include in the scan.
bazel_exclude_target: Enable to specify Bazel targets to exclude from the scan.

The following toolchain profile shows a yaml definition with configured automated scan parameters:

kind: AutomatedScanParameters
spec:
  automated_scan_parameters:
    included_paths:
      - python/**
    excluded_paths:
      - java/**
    languages:
      - python
    call_graph_languages:
      - python
    additional_environment_variables:
      - ENDOR_LOG_VERBOSE=true
      - ENDOR_LOG_LEVEL=debug
    enable_automated_pr_scans: true
    enable_pr_comments: true
    enable_sast_scan: true
    disable_code_snippet_storage: true
    bazel_configuration:
      bazel_show_internal_targets: true
      bazel_workspace_path: "go-bazel-repo/"
      bazel_include_targets:
      bazel_abs:
        - "//cmd:cmd"

1 - Configure scan profile through Endor Labs UI

Learn how to configure scan profile through the Endor Labs user interface.

While scanning projects using the GitHub App, you can configure a scan profile and assign it to your projects directly from the Endor Labs user interface.

Create a new scan profile

Create and customize a new scan profile to define scan parameters, toolchains, and projects.

Sign in to Endor Labs and click Settings under Manage in the left sidebar.
Select SCAN PROFILES and click New Scan Profile.
Enter a name for the scan profile and click Create Scan Profile.
Configure various settings like automated scan parameters and paths. See Configure General scan profile settings for more information.
Select TOOLCHAINS and configure the toolchains. See Configure toolchains for more information.
Select PROJECTS to associate the scan profile with projects. See Associate projects with a scan profile.

Configure general scan profile settings

Configure the necessary scan settings to tailor scans for your projects.

Select the features that you want to enable for the scan profile.
- Enable pull request scans: Automatically scans changes in the pull request.
- Enable pull request comments: Adds scan results as comments in the pull request.
- Disable code snippet storage for SAST: Specify the flag to disable storing the code snippet.
See automated scan parameters to learn more.
Select the languages to scan and the languages for which you need to generate call graphs.

If you don’t select any language, all the languages detected in the repository will automatically be selected for the scan.
Enter the paths to include or exclude in the scan.
Enter any additional environment variables, if required. Only the environment variables starting with ENDOR_ are passed to the scan, all others are ignored.
Configure Bazel settings, if required.
- Select Show Internal Targets as Dependencies to include internal build targets in your dependency analysis while using Bazel as your build system.
- Configure the following Bazel settings:
  - Bazel Workspace Path: Specify the location of the Bazel workspace.
  - Target Selection: Choose one of the following methods to define which targets should be scanned:
    - Include Targets: Specify individual Bazel targets to be scanned.
    - Targets Query: Use a Bazel query expression to define the targets dynamically.
  - Excluded Targets: If using Include Targets, do not set Excluded Targets, as they cannot be used together.
See Scan using Bazel for more details on Bazel scanning and target queries.
Click Save Scan Profile to save the toolchain configuration.

Configure toolchains

Create and save a scan profile.

Select the operating system for the scan profile.
Select the architecture.
Select the toolchain available for the operating system-architecture combination.
Select the tool associated with the toolchain. For package managers like Python (pip), JavaScript (npm), and Android, you can configure a list of packages to install before the scan.
Select the version of the tool (or enter the package name if you chose a package in the previous step) and click Add to Profile.

You can only assign one version of the tool for a scan profile for a particular operating system-architecture combination.

You can also click Custom and define the custom version of the tool. See Configure custom versions for more information.

The following image shows the creation of a scan profile for Go and JavaScript scans.
Click Save Scan Profile to save the toolchain configuration.

Configure a custom version for a tool

When you assign a version of the tool, you can choose to apply a custom version that is not provided by Endor Labs.

You must provide the following information.

Version name
The URL to download the archive package
SHA256 checksum of the package
The relative toolchain path, if required. The toolchain is extracted to the specified relative toolchain path if provided.

The following image shows a custom configuration for the Golang toolchain with Go 1.22.7 instead of the bundled 1.22.6.

Custom toolchain

Associate projects with a scan profile

Assign projects to your scan profile.

Select Actions > Add Projects.
Search the project and click Add to Scan Profile. You can associate multiple projects with a scan profile, but you cannot apply multiple scan profiles to a single project.

Set a default scan profile

You can set a default scan profile for a namespace, and all projects within that namespace will use this profile. Child namespaces inherit the default scan profile unless you override it by setting a different profile as the default within the child namespace.

Sign in to Endor Labs and click Settings under Manage in the left sidebar.
Select SCAN PROFILES to view the list of scan profiles.
Choose a scan profile, click the vertical ellipsis on the right side, and select Set As Default.

Configure build tools

Instead of configuring a custom version for a tool every time a required version is not provided by Endor Labs, you can create a standard version and use it across all scan profiles. For example, you can add dotnet 5.0—which is not a standard supported version—to your build tools and make it available.

Sign in to Endor Labs and click Settings under Manage in the left sidebar.
Select SCAN PROFILES and click BUILD TOOLS.
Click New Build Tool.
Select the OS and Architecture.
Enter the required version, the download URL, and the SHA 256 checksum for verification. In advanced options, you can optionally specify a relative toolchain path. For example, you can enter these values to configure dotnet 5.0 build chain:
- OS - Linux
- ARCHITECTURE - arm64
- TOOLCHAINS - .NET
- NAME - 5.0.408
- URL - https://builds.dotnet.microsoft.com/dotnet/Sdk/5.0.408/dotnet-sdk-5.0.408-linux-arm64.tar.gz
- SHA256 - da88dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use the Relative Toolchain Path to specify a custom installation directory for the tool.
Click Add Build Tool.

You will be able to choose this build tool in TOOLCHAINS, while creating a scan profile.

2 - Configure scan profile through Endor Labs API

Learn how to configure scan profile through Endor Labs API

You can use the endorctl api command to configure the toolchains for your project.

Run the endorctl scan to create a project.

endorctl scan

Fetch the UUID of the project, for example, to fetch the UUID of the app-java-demo project, you can use:

UUID=$(endorctl api list -r Project --filter="meta.name matches https://github.com/endorlabs/app-java-demo" --field-mask=uuid | jq -r '.list.objects[].uuid')

Create a ScanProfile object using the following command. Set the environment variable using set EDITOR=vim before executing the following command.

endorctl api create -i -r ScanProfile

You can configure automated scan parameters in your scan profile. See automated scan parameters to learn more.

Here is an example that you can use to create a ScanProfile object for installing .NET 8.0.303. After executing this command, you can fetch the UUID of the ScanProfile object. See Reference toolchain specification for a complete description of supported toolchains.

meta:
  name: "demo"
spec:
  automated_scan_parameters:
      languages:
        - java
      additional_environment_variables:
        - ENDOR_LOG_VERBOSE=true
        - ENDOR_LOG_LEVEL=debug
      enable_automated_pr_scans: True
      enable_pr_comments: True
      enable_sast_scan: True
      disable_code_snippet_storage: True
      bazel_configuration:
        bazel_show_internal_targets: True
        bazel_workspace_path: "go-bazel-repo/"
        bazel_include_targets:
          - "//cmd:cmd"
  toolchain_profile:
      os:
        linux:
          arch:
            amd64:
              java_tool_chain:
                version:
                  name: "1.8.412"
                  urls:
                    - "https://builds.openlogic.com/downloadJDK/openlogic-openjdk/8u412-b08/openlogic-openjdk-8u412-b08-linux-x64.tar.gz"
                  relative_tool_chain_path: "openlogic-openjdk-8u412-b08-linux-x64/"
                  sha256_sum: "eb06c9d62e031e3290f499a828cae66d4fadbf62eb8f490c63c8406b1a80172e"
                maven_version:
                  name: "3.9.4"
                  urls:
                    - "https://archive.apache.org/dist/maven/maven-3/3.9.4/binaries/apache-maven-3.9.4-bin.tar.gz"
                  relative_tool_chain_path: "apache-maven-3.9.4"
                  sha256_sum: "ff66b70c830a38d331d44f6c25a37b582471def9a161c93902bac7bea3098319"
        darwin:
          arch:
            arm64:
              java_tool_chain:
                version:
                  name: "1.8.412"
                  urls:
                    - "https://builds.openlogic.com/downloadJDK/openlogic-openjdk/8u412-b08/openlogic-openjdk-8u412-b08-mac-x64.zip"
                  relative_tool_chain_path: "openlogic-openjdk-8u412-b08-mac-x64/jdk1.8.0_412.jdk/Contents/Home"
                  sha256_sum: "a16d297418f6800dfc5abfd4dfd8a16c0504d7e1f3b6fc9051cf2460f14a955e"
                maven_version:
                  name: "3.9.4"
                  urls:
                    - "https://archive.apache.org/dist/maven/maven-3/3.9.4/binaries/apache-maven-3.9.4-bin.tar.gz"
                  relative_tool_chain_path: "apache-maven-3.9.4"
                  sha256_sum: "ff66b70c830a38d331d44f6c25a37b582471def9a161c93902bac7bea3098319"

Associate the scan_profile_uuid to your project UUID project-uuid, using the following command.

endorctl api update -r Project --uuid=<project-uuid> -d '{"spec":{"scan_profile_uuid":"<scanprofile-uuid>"}}' --field-mask 'spec.scan_profile_uuid'

You have set up a toolchain with Java 8 and Maven 3.9.4 for Linux and macOS, including Bazel support.

3 - Configure scan profile through scanprofile.yaml

Learn how to configure scan profile through scanprofile.yaml file

You can create a build tool profile for your Endor Labs scans in each repository to specify the build tools to automatically download for each scan.

Create a new file .endorctl/scanprofile.yaml file in the root directory of your repository and specify the required versions of the tools. You can specify the Operating system, architecture, automated scan parameters, language, tool, and install information in the scanprofile.yaml file:

The following snippet shows the overall structure of a scanprofile.yaml file with automated scan parameters. See automated scan parameters to learn more.

kind: "AutomatedScanParameters"
spec:
    languages:
      - java
    call_graph_languages:
      - java
    additional_environment_variables:
      - ENDOR_LOG_VERBOSE=true
      - ENDOR_LOG_LEVEL=debug
    enable_automated_pr_scans: True
    enable_pr_comments: True
    enable_sast_scan: True
    disable_code_snippet_storage: True
    bazel_configuration:
      bazel_show_internal_targets: True
      bazel_workspace_path: "go-bazel-repo/"
      bazel_include_targets:
        - "//cmd:cmd"

The following example shows a scan profile to scan Java and Bazel projects in CI with Maven 3.9.4, custom environment variables, and support for both Linux and macOS toolchains.


kind: "AutomatedScanParameters"
spec:
    languages:
      - java
    additional_environment_variables:
      - ENDOR_LOG_VERBOSE=true
      - ENDOR_LOG_LEVEL=debug
    enable_automated_pr_scans: True
    enable_pr_comments: True
    enable_sast_scan: True
    disable_code_snippet_storage: True
    bazel_configuration:
      bazel_show_internal_targets: True
      bazel_workspace_path: "go-bazel-repo/"
      bazel_include_targets:
        - "//cmd:cmd"


---
kind: "ToolchainProfile"
spec:
  os:
    linux:
      arch:
        amd64:
          java_tool_chain:
            version:
              name: "1.8.412"
              urls:
                - "https://builds.openlogic.com/downloadJDK/openlogic-openjdk/8u412-b08/openlogic-openjdk-8u412-b08-linux-x64.tar.gz"
              relative_tool_chain_path: "openlogic-openjdk-8u412-b08-linux-x64/"
              sha256_sum: "eb06c9d62e031e3290f499a828cae66d4fadbf62eb8f490c63c8406b1a80172e"
            maven_version:
              name: "3.9.4"
              urls:
                - "https://archive.apache.org/dist/maven/maven-3/3.9.4/binaries/apache-maven-3.9.4-bin.tar.gz"
              relative_tool_chain_path: "apache-maven-3.9.4"
              sha256_sum: "ff66b70c830a38d331d44f6c25a37b582471def9a161c93902bac7bea3098319"
    darwin:
      arch:
        arm64:
          java_tool_chain:
            version:
              name: "1.8.412"
              urls:
                - "https://builds.openlogic.com/downloadJDK/openlogic-openjdk/8u412-b08/openlogic-openjdk-8u412-b08-mac-x64.zip"
              relative_tool_chain_path: "openlogic-openjdk-8u412-b08-mac-x64/jdk1.8.0_412.jdk/Contents/Home"
              sha256_sum: "a16d297418f6800dfc5abfd4dfd8a16c0504d7e1f3b6fc9051cf2460f14a955e"
            maven_version:
              name: "3.9.4"
              urls:
                - "https://archive.apache.org/dist/maven/maven-3/3.9.4/binaries/apache-maven-3.9.4-bin.tar.gz"
              relative_tool_chain_path: "apache-maven-3.9.4"
              sha256_sum: "ff66b70c830a38d331d44f6c25a37b582471def9a161c93902bac7bea3098319"

4 - Enable auto detection

Learn how to automatically detect toolchains used in your repository.

The system can automatically detect toolchains required for your projects based on the manifest files present in your repository. Auto detection is supported for Java, Python, Golang and .NET(C#) projects. Only the Long Term Support (LTS) versions of the toolchains are supported in auto detection. See the Toolchain support matrix for a complete list of supported toolchain versions for auto detection.

Enable auto detection in CLI

To enable auto detection from the CLI,

endorctl scan --install-build-tools --enable-build-tools-version-detection

Warning

Enabling these options downloads the necessary build toolchains during each scan. This works well for one-time scans but may cause scan failures in CI environments due to intermittent network issues.

Enable auto detection in GitHub App

When using the GitHub App, you can enable auto detection either by a project or enable it for all projects in a tenant.

To enable the auto detection by a project, update the project’s meta.annotations with "ENDOR_SCAN_ENABLE_BUILD_TOOLS_VERSION_DETECTION":"true".

meta:
  annotations: {"ENDOR_SCAN_ENABLE_BUILD_TOOLS_VERSION_DETECTION":"true"}

  endorctl api update -r Project --uuid=<project-uuid> -i

To enable auto detection across all projects in a tenant, update the system config’s meta.annotations with "ENDOR_SCAN_ENABLE_BUILD_TOOLS_VERSION_DETECTION":"true".

 meta:
   annotations: {"ENDOR_SCAN_ENABLE_BUILD_TOOLS_VERSION_DETECTION":"true"}

 endorctl api update -r SystemConfig --uuid=<system-config-uuid> -i

The updates are applied during the next scheduled scan or whenever you perform a manual re-scan.