Endor Labs AI SAST uses large language model (LLM) agents to find security vulnerabilities and reduce false positives in your first-party code. The agents reason about code intent, data flow, and application context across your entire repository, not just one file at a time.

Traditional rule-based SAST is fast and deterministic, but it generates a high number of false positives that drain developer time, and pattern-based rules cannot express every class of vulnerability. Endor Labs AI SAST agents address both limitations by combining full-repository code analysis with deployment-aware prioritization. They draw context from deployment files such as Dockerfiles, Kubernetes manifests, and CI configurations, so findings are ranked based on how the application is actually exposed.

Each finding includes the vulnerable code location, a data flow trace from source to sink, an attack vector with a concrete exploit payload, and a CWE classification with a severity based on the context of the application.

Endor Labs offers two AI-powered SAST agents:
  • AI SAST triage agent: Classifies rule-based SAST findings as true positives or false positives so you can focus on real issues.
  • AI SAST detection agent: Finds vulnerabilities that rule-based scans miss, such as multi-step logic flaws and context-dependent authorization issues. New findings are tagged with AI.

AI SAST scans in CI/CD

You can run AI SAST scans in your CI/CD pipelines by adding the --ai-sast flag to your endorctl scan command on the following platforms:
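Independently of the platform list, here is an added example of a pipeline step that wraps the endorctl scan with the --ai-sast flag from this page. This is illustrative code, not Endor Labs' own script or documentation. It assumes (the page does not state this) that the ENDOR_NAMESPACE, ENDOR_API_CREDENTIALS_KEY and ENDOR_API_CREDENTIALS_SECRET environment variables carry the tenant namespace and API credentials, and that endorctl scan accepts --namespace and --path flags; check the endorctl reference for your version before relying on those names.

```shell
#!/bin/sh
# Added example, not from the Endor Labs docs: a CI step that runs the
# endorctl scan with the --ai-sast flag described on this page.
# Assumptions not stated on the page: ENDOR_NAMESPACE,
# ENDOR_API_CREDENTIALS_KEY and ENDOR_API_CREDENTIALS_SECRET carry the
# namespace and API credentials, and `endorctl scan` accepts
# --namespace and --path.

# Assemble the scan arguments. Kept separate from the invocation so the
# pipeline log can show the exact command without exposing credentials
# (they travel in the environment, never on the command line).
build_scan_args() {
  namespace="$1"
  repo_path="${2:-.}"
  printf '%s' "scan --ai-sast --namespace ${namespace} --path ${repo_path}"
}

# Fail fast when the API credentials are missing; endorctl would
# otherwise fail later with a less obvious authentication error.
check_credentials() {
  [ -n "${ENDOR_API_CREDENTIALS_KEY:-}" ] && [ -n "${ENDOR_API_CREDENTIALS_SECRET:-}" ]
}

# Run the scan and propagate its exit status so the pipeline fails
# whenever endorctl returns a non-zero code.
run_ai_sast_scan() {
  check_credentials || { echo "ENDOR_API_CREDENTIALS_KEY/SECRET not set" >&2; return 2; }
  [ -n "${ENDOR_NAMESPACE:-}" ] || { echo "ENDOR_NAMESPACE not set" >&2; return 2; }
  command -v endorctl >/dev/null 2>&1 || { echo "endorctl not on PATH" >&2; return 2; }
  args=$(build_scan_args "${ENDOR_NAMESPACE}" "${1:-.}")
  echo "running: endorctl ${args}"
  # shellcheck disable=SC2086  # word-splitting of $args is intended
  endorctl ${args}
}

# Entry point for the pipeline step: `sh ai_sast_scan.sh run [path]`.
# Sourcing the file without the `run` argument only defines the functions.
case "${1:-}" in
  run) run_ai_sast_scan "${2:-.}" ;;
esac
```

Store the key and secret as masked pipeline secrets and export them into the step's environment; the script deliberately never echoes them, and the only line it logs is the argument list, which contains the namespace and path but no credentials.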

AI SAST scans in SCM apps

The Endor Labs GitHub, GitLab, and Bitbucket apps can run AI SAST scans without any CI configuration. To configure AI SAST scans:
  1. Install the Endor Labs SCM app for your source provider:
  2. Create a scan profile and add ENDOR_SCAN_AI_SAST=true to the Environment Variables.
  3. Associate the scan profile with the project.