Skip to main content
Endor Labs AI SAST uses large language model (LLM) agents to find security vulnerabilities and reduce false positives in your first-party code. The agents reason about code intent, data flow, and application context across your entire repository, not just one file at a time. Traditional rule-based SAST is fast and deterministic, but it generates a high number of false positives that drain developer time, and pattern-based rules cannot express every class of vulnerability. Endor Labs AI SAST agents address both limitations by combining full-repository code analysis with deployment-aware prioritization. They draw context from deployment files such as Dockerfiles, Kubernetes manifests, and CI configurations, so findings are ranked based on how the application is actually exposed. Each finding includes the vulnerable code location, a data flow trace from source to sink, an attack vector with a concrete exploit payload, and a CWE classification with severity based on the context of the application. Endor Labs offers two AI-powered SAST agents:
  • AI SAST triage agent: Classifies rule-based SAST findings as true positives or false positives so you can focus on real issues.
  • AI SAST detection agent: Finds vulnerabilities that rule-based scans miss, such as multi-step logic flaws and context-dependent authorization issues. New findings are tagged with AI.

AI SAST scans in CI/CD

You can run AI SAST scans as part of your CI/CD pipelines by adding the --ai-sast flag to your endorctl scan command in the following platforms:

AI SAST scans in SCM apps

The Endor Labs GitHub, GitLab, and Bitbucket apps can run AI SAST scans without any CI configuration. To configure AI SAST scans:
  1. Install the Endor Labs SCM app for your source provider:
  2. Create a scan profile and add ENDOR_SCAN_AI_SAST=true to the Environment Variables.
  3. Associate the scan profile with the project.

AI SAST PR scans

You can run AI SAST incrementally on pull requests to surface only the new findings introduced by the change, rather than rescanning the whole repository on every PR. AI SAST PR scans require an established baseline scan on the target branch, deduplicate findings against that baseline, and merge accepted findings back into the baseline after the pull request lands. See AI SAST PR scans for prerequisites, supported integrations, and setup steps. You can configure AI SAST PR scans through:

AI SAST diff scans

A local diff scan runs the AI SAST detection agent against the diff in your working tree without using a baseline. It is intended for ad-hoc review during development. AI SAST diff scans are aimed at developers so they do not have to wait until a pull request is raised and scanned to identify issues or vulnerabilities in their code. Run them from your terminal to get fast feedback while you are still writing the change. Diff scans use Git locally and do not need an Endor Labs baseline. Diff scans are not deduplicated against any prior scan, so findings may overlap with issues that already exist on the target branch. Use diff scans for early exploration on a feature branch, and use AI SAST PR scans for the official review signal on a pull request. A diff scan supports two modes through the --diff-scope flag:
  • --diff-scope=local: Scan the files you have edited, added, or staged in your working tree but not yet committed. Use this for a pre-commit review.
  • --diff-scope=baseline: Scan the files that differ between your current checkout and the repository’s default branch. Use this to review all changes on your feature branch before you open a PR.
Diff scans are for local development. In CI pull request pipelines, do not set --diff-scope. AI SAST PR scans analyze only the changed code by default.
When you run a security review through the Endor Labs MCP server, the MCP tools set --diff-scope automatically based on the review type, so you do not need to set it yourself. See MCP Server.
Diff scans print findings in your terminal. To run a test scan without uploading results, combine --diff-scope with --dry-run. The scan passes if it completes without warnings or errors and generates at least one AI SAST finding.
endorctl scan --ai-sast --diff-scope=local --dry-run --path .