- AI SAST triage agent: Classifies rule-based SAST findings as true positives or false positives so you can focus on real issues.
- AI SAST detection agent: Finds vulnerabilities that rule-based scans miss, such as multi-step logic flaws and context-dependent authorization issues. New findings are tagged with
AI.
AI SAST scans in CI/CD
You can run AI SAST scans as part of your CI/CD pipelines by adding the--ai-sast flag to your endorctl scan command in the following platforms:
- GitHub Actions
- GitLab
- Jenkins
- Google Cloud Build
- Azure DevOps
- Bitbucket Pipelines
- Buildkite
- CircleCI
AI SAST scans in SCM apps
The Endor Labs GitHub, GitLab, and Bitbucket apps can run AI SAST scans without any CI configuration. To configure AI SAST scans:- Install the Endor Labs SCM app for your source provider:
- Create a scan profile and add
ENDOR_SCAN_AI_SAST=trueto the Environment Variables. - Associate the scan profile with the project.
AI SAST PR scans
You can run AI SAST incrementally on pull requests to surface only the new findings introduced by the change, rather than rescanning the whole repository on every PR. AI SAST PR scans require an established baseline scan on the target branch, deduplicate findings against that baseline, and merge accepted findings back into the baseline after the pull request lands. See AI SAST PR scans for prerequisites, supported integrations, and setup steps. You can configure AI SAST PR scans through:- endorctl
- CI pipelines:
- SCM apps:
AI SAST diff scans
A local diff scan runs the AI SAST detection agent against the diff in your working tree without using a baseline. It is intended for ad-hoc review during development. AI SAST diff scans are aimed at developers so they do not have to wait until a pull request is raised and scanned to identify issues or vulnerabilities in their code. Run them from your terminal to get fast feedback while you are still writing the change. Diff scans use Git locally and do not need an Endor Labs baseline. Diff scans are not deduplicated against any prior scan, so findings may overlap with issues that already exist on the target branch. Use diff scans for early exploration on a feature branch, and use AI SAST PR scans for the official review signal on a pull request. A diff scan supports two modes through the--diff-scope flag:
--diff-scope=local: Scan the files you have edited, added, or staged in your working tree but not yet committed. Use this for a pre-commit review.--diff-scope=baseline: Scan the files that differ between your current checkout and the repository’s default branch. Use this to review all changes on your feature branch before you open a PR.
--diff-scope. AI SAST PR scans analyze only the changed code by default.
When you run a security review through the Endor Labs MCP server, the MCP tools set
--diff-scope automatically based on the review type, so you do not need to set it yourself. See MCP Server.--diff-scope with --dry-run. The scan passes if it completes without warnings or errors and generates at least one AI SAST finding.