While scanning projects using the GitHub App, you can configure a scan profile and assign it to your projects directly from the Endor Labs user interface.
Create a new scan profile
Create and customize a new scan profile to define scan parameters, toolchains, and projects.
- Sign in to Endor Labs and click Settings under Manage in the left sidebar.
- Select SCAN PROFILES and click New Scan Profile.
- Enter a name for the scan profile and click Create Scan Profile.
- Configure various settings like automated scan parameters and paths. See Configure General scan profile settings for more information.
- Select TOOLCHAINS and configure the toolchains. See Configure toolchains for more information.
- Select PROJECTS to associate the scan profile with projects. See Associate projects with a scan profile.
Configure general scan profile settings
Configure the necessary scan settings to tailor scans for your projects.
- Select the features that you want to enable for the scan profile.
  - Enable pull request comments
  - Enable remediation action
  The selected features are automatically used when you run a scan on a project that uses the scan profile.
- Select the languages to scan and the languages for which you need to generate call graphs. If you don’t select any language, all the languages detected in the repository are automatically selected for the scan.
- Enter the paths to include or exclude in the scan.
- Enter any additional environment variables, if required. Only the environment variables starting with ENDOR_ are passed to the scan; all others are ignored.
- Configure Bazel settings, if required.
- Click Save Scan Profile to save the toolchain configuration.
Configure toolchains
Create and save a scan profile.
- Select the operating system for the scan profile.
- Select the architecture.
- Select the toolchain available for the operating system-architecture combination.
- Select the tool associated with the toolchain. For package managers like Python (pip), JavaScript (npm), and Android, you can configure a list of packages to install before the scan.
- Select the version of the tool (or enter the package name if you chose a package in the previous step) and click Add to Profile.
  You can assign only one version of the tool per operating system-architecture combination in a scan profile.
  You can also click Custom and define a custom version of the tool. See Configure custom versions for more information.
  The following image shows the creation of a scan profile for Go and JavaScript scans.
- Click Save Scan Profile to save the toolchain configuration.
Configure a custom version for a tool
When you assign a version of the tool, you can choose to apply a custom version that is not provided by Endor Labs.
You must provide the following information.
- Version name
- The URL to download the archive package
- SHA256 checksum of the package
- The relative toolchain path, if required. The toolchain is extracted to the specified relative toolchain path if provided.
The following image shows a custom configuration for the Golang toolchain with Go 1.22.7 instead of the bundled 1.22.6.
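Because a custom version points the scanner at an archive that Endor Labs does not supply, the four fields above (version name, download URL, SHA256 checksum, optional relative toolchain path) are worth validating locally before you register them. The following script is an added example, not Endor Labs code or the scan profile form itself: it computes the SHA256 of the archive exactly as `sha256sum` would, compares it with the checksum you intend to declare, requires an HTTPS download URL, and rejects a relative toolchain path that would escape the extraction directory. The archive bytes, the URL (`https://example.com/...`) and the checksums are constructed for the demonstration; the `CustomToolchainVersion` class and `validate` function are assumptions of this example.

```python
"""Pre-registration checks for a custom toolchain version in a scan profile.

Added example (not Endor Labs code). The fields mirror the custom-version form:
version name, archive URL, SHA256 checksum and an optional relative toolchain
path. The archive is constructed in memory here instead of being downloaded.
"""
import hashlib
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# A SHA256 hex digest is exactly 64 hex characters.
HEX64 = re.compile(r"^[0-9a-f]{64}$")


@dataclass
class CustomToolchainVersion:
    """Hypothetical representation of the four custom-version fields."""
    version_name: str
    archive_url: str
    sha256: str
    relative_path: str = ""


def sha256_of(data: bytes) -> str:
    """Hex SHA256 of the archive bytes, the value `sha256sum <archive>` prints."""
    return hashlib.sha256(data).hexdigest()


def validate(entry: CustomToolchainVersion, archive: bytes) -> list[str]:
    """Return the list of problems found; an empty list means the entry is consistent."""
    problems = []

    if not entry.version_name.strip():
        problems.append("version name is empty")

    # Require HTTPS so the archive cannot be swapped in transit; a checksum
    # alone does not help if the checksum was copied from the same untrusted page.
    url = urlparse(entry.archive_url)
    if url.scheme != "https" or not url.netloc:
        problems.append("archive URL must be an https URL with a host")

    expected = entry.sha256.strip().lower()
    if not HEX64.match(expected):
        problems.append("sha256 must be 64 hex characters")
    elif sha256_of(archive) != expected:
        problems.append("archive checksum does not match the declared sha256")

    # The relative path is where the toolchain is extracted to; it must stay
    # inside the extraction directory (no absolute path, no '..' escape).
    if entry.relative_path:
        norm = posixpath.normpath(entry.relative_path)
        if entry.relative_path.startswith("/") or norm == ".." or norm.startswith("../"):
            problems.append("relative toolchain path must stay inside the extraction directory")

    return problems


# Constructed stand-in for the archive you would actually download.
ARCHIVE = b"constructed stand-in for go1.22.7.linux-amd64.tar.gz"

# Entry whose checksum was computed from the archive you hold: passes every check.
GOOD = CustomToolchainVersion(
    version_name="1.22.7",
    archive_url="https://example.com/go1.22.7.linux-amd64.tar.gz",  # constructed URL
    sha256=sha256_of(ARCHIVE),
    relative_path="go/bin",
)

# Entry with an empty name, plain-HTTP URL, malformed checksum and escaping path.
BAD = CustomToolchainVersion(
    version_name="",
    archive_url="http://example.com/go1.22.7.linux-amd64.tar.gz",  # constructed URL
    sha256="deadbeef",
    relative_path="../../bin",
)

if __name__ == "__main__":
    print("good entry problems:", validate(GOOD, ARCHIVE))
    for problem in validate(BAD, ARCHIVE):
        print("bad entry:", problem)
```

Run it against the real archive by replacing `ARCHIVE` with the file's bytes and `sha256` with the digest published by the tool's vendor; a non-empty result from `validate` means the custom version should not be added to the profile until the discrepancy is understood.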
Associate projects with a scan profile
Assign projects to your scan profile.
- Select Actions > Add Projects.
- Search for the project and click Add to Scan Profile. You can associate multiple projects with a scan profile, but you cannot apply multiple scan profiles to a single project.