AI SAST PR scans run incremental security analysis on pull requests against an established baseline scan of the target branch. They analyze only the code changed by the pull request, deduplicate findings against the baseline, and surface only the net new findings that the pull request introduces. When the pull request is merged, the new findings are added to the baseline so that future PR scans compare against the latest mainline state. An average AI SAST PR scan completes within about five minutes. AI SAST PR scans run the detection agent on the pull request. AI SAST PR scans help you to:
  • Scan only the code changed by the pull request, with results in a few minutes.
  • Surface only net new, auto-triaged findings, and filter out false positives.
  • Review findings inline on the pull request through PR comments and in PR Runs.
  • Block risky merges or fail CI through action policies on the resulting findings.
You can run AI SAST PR scans from the CLI, from a CI pipeline, or through the Endor Labs SCM apps; each option is described in its own section below.

How AI SAST PR scans work

An AI SAST PR scan runs in three stages.
  1. Build the baseline: AI SAST processes the full repository on the target branch and stores all detection-agent findings as the baseline. See Establish a baseline scan.
  2. Scan the PR diff: A pull request triggers a PR scan that analyzes only the code changed by the pull request, using the full-repository context that the baseline established.
  3. Surface net new findings: Findings are fingerprinted and matched against the baseline. Issues that already exist in the baseline are filtered out, and only net new findings appear in the PR result, so reviewers see exactly what the pull request introduces.
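The following script is an added illustration of the third stage (fingerprint each finding, match it against the baseline, keep only what is net new, fold it back in on merge). It is a simplification written for this page, not Endor Labs' own fingerprinting; the "rule|path|line|snippet" record format and the sample findings are constructed.

```shell
#!/bin/sh
# Added illustration of stage 3 (fingerprint, match against the baseline,
# keep only net new findings); a simplification, not Endor Labs' own
# fingerprinting. A finding record is "rule|path|line|snippet". The
# fingerprint omits the line number and whitespace, so a pre-existing issue
# still matches the baseline after the pull request shifts it a few lines.
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256; }

fingerprint() {                       # $1=rule $2=path $3=snippet
  norm=$(printf '%s' "$3" | tr -d '[:space:]')
  printf '%s|%s|%s' "$1" "$2" "$norm" | sha256sum | cut -c1-16
}

# One fingerprint per record in a findings file.
fingerprints_of() {                   # $1=findings file
  while IFS='|' read -r rule path _line snippet; do
    fingerprint "$rule" "$path" "$snippet"
  done < "$1"
}

# Print only the PR records whose fingerprint is absent from the baseline.
net_new() {                           # $1=baseline file $2=PR findings file
  base_fps=$(fingerprints_of "$1")
  while IFS='|' read -r rule path line snippet; do
    fp=$(fingerprint "$rule" "$path" "$snippet")
    case "$base_fps" in
      *"$fp"*) ;;                     # already in the baseline: filtered out
      *) printf '%s|%s|%s|%s\n' "$rule" "$path" "$line" "$snippet" ;;
    esac
  done < "$2"
}

# On merge, fold the net new records into the baseline for the next round.
merge_into_baseline() {               # $1=baseline file $2=PR findings file
  net_new "$1" "$2" >> "$1"
}
```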

Establish a baseline scan

The baseline is the reference point every AI SAST PR scan compares against. It defines the known security state of the target branch, so the PR scan can isolate net new findings from issues that already exist. The baseline also gives the AI SAST agents the full-repository context they need to reason about the changed code. Without a baseline, every AI SAST finding on the pull request would surface as new, including pre-existing issues, and the PR result would not be reviewable. We recommend that you run the first baseline scan from the command line so the baseline is in place before the first PR scan is requested. Replace /path/to/code with the path to your repository and <namespace> with your Endor Labs namespace.
endorctl scan --ai-sast --path=/path/to/code -n <namespace>
When a pull request is merged, the net new findings from the PR scan are automatically added to the baseline. This keeps PR scans and baseline scans consistent for the next round of pull requests.

Run AI SAST PR scans from the CLI

You can run AI SAST PR scans using endorctl for GitHub and GitLab. The --ai-sast --pr --pr-baseline=<target-branch> combination runs the AI SAST detection agent on the changed code, deduplicates findings against the baseline, and records the results as a PR Run that does not affect main-branch monitoring scans and reports. Endor Labs stores PR and MR scan findings in PR Runs for three weeks, after which they are removed to accommodate new PR scans. Run the following command after you commit to a pull request or merge request. Ensure that you install and configure endorctl before running scans from the command line.
endorctl scan --ai-sast --pr --pr-baseline=<target-branch> --path=/path/to/code -n <namespace>
Replace <target-branch> with the pull request’s target branch, such as main. For the full list of pull request flags, see Pull request (CI) flags.

Run AI SAST PR scans from CI

AI SAST PR scans can be run from a continuous integration pipeline by invoking endorctl scan with the --ai-sast, --pr, and --pr-baseline flags in jobs triggered by pull request or merge request events. This approach provides control over when scans run, supports posting findings as PR or MR comments, and allows policies to be enforced, such as failing builds or blocking merges. The scan profile assigned to the project determines the toolchains and environment used for the scan. For platform-specific YAML and command syntax, see:

A baseline AI SAST scan must exist on the target branch before any PR scan can produce findings. See Establish a baseline scan.
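As an added example (not an Endor Labs-provided script), the step below wraps the two commands from this page in the event logic a CI job needs: a pull request event runs the incremental PR scan against its target branch, a push to the default branch runs the full scan that builds the baseline, and anything else is skipped. It assumes a GitHub Actions runner (GITHUB_EVENT_NAME, GITHUB_BASE_REF and GITHUB_REF_NAME are the standard variables), that endorctl is already installed and authenticated, and that ENDOR_NAMESPACE and optionally DEFAULT_BRANCH are set by you.

```shell
#!/bin/sh
# Added CI wrapper around the commands on this page; not an Endor Labs script.
# Assumes GitHub Actions (GITHUB_EVENT_NAME, GITHUB_BASE_REF, GITHUB_REF_NAME),
# an installed and authenticated endorctl, and ENDOR_NAMESPACE set by the job.
set -eu

# Choose the scan for this event and print endorctl's argument list:
#  - pull_request events get an incremental PR scan against the target branch
#    (GITHUB_BASE_REF), which must already have a baseline;
#  - pushes to the default branch run the full scan that (re)builds that baseline;
#  - anything else returns 2 so the job can skip cleanly.
scan_args() {            # $1=event name $2=PR target branch $3=pushed branch
  default_branch=${DEFAULT_BRANCH:-main}
  case "$1" in
    pull_request|pull_request_target)
      if [ -z "$2" ]; then
        echo "$1 event without a target branch; cannot set --pr-baseline" >&2
        return 1
      fi
      echo "scan --ai-sast --pr --pr-baseline=$2 --path=. -n $ENDOR_NAMESPACE" ;;
    push)
      [ "$3" = "$default_branch" ] || return 2
      echo "scan --ai-sast --path=. -n $ENDOR_NAMESPACE" ;;
    *)
      return 2 ;;
  esac
}

# Call this from the job step: decides which scan applies, then runs or skips.
run_scan() {
  if args=$(scan_args "${GITHUB_EVENT_NAME:-}" "${GITHUB_BASE_REF:-}" "${GITHUB_REF_NAME:-}"); then
    # word splitting of $args is intended: it is a list of flags
    endorctl $args
  else
    echo "no AI SAST scan for event '${GITHUB_EVENT_NAME:-}' on '${GITHUB_REF_NAME:-}'"
  fi
}
```

Invoke run_scan as the job's step; the exit status of endorctl then drives any fail-the-build action policy you have configured.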

Run AI SAST PR scans through SCM apps

The Endor Labs GitHub and GitLab apps can run AI SAST PR scans automatically on every pull request, without CI pipeline configuration. The net new findings introduced by a pull request are posted as a PR comment in GitHub and as an MR comment in GitLab, so developers see results in the SCM UI without leaving their review flow. Configure Action policies to post PR comments. See Pull request comments to learn more. To configure AI SAST PR scans:
  1. Install the Endor Labs GitHub app, Endor Labs GitLab app, Bitbucket Cloud app, or Bitbucket Data Center app.
  2. Enable PR scans and PR comments during installation: GitHub App Pro, GitLab App, Bitbucket Cloud app, or Bitbucket Data Center app.
  3. Create a scan profile and add ENDOR_SCAN_AI_SAST=true to the Environment Variables.
  4. Associate the scan profile with the project.
  5. Open or update a pull request on the configured repository to trigger an AI SAST PR scan.
If the project does not yet have a baseline AI SAST scan, the platform automatically triggers one when the first PR scan is requested. The PR scan does not produce results or post PR comments until the baseline completes. The first baseline scan takes longer than subsequent scans because it must process the full repository.