> ## Documentation Index > Fetch the complete documentation index at: https://docs.endorlabs.com/llms.txt > Use this file to discover all available pages before exploring further. ## Submitting Feedback If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback: POST https://docs.endorlabs.com/feedback ```json { "path": "/scan/bazel/index", "feedback": "Description of the issue" } ``` Only submit feedback when you have something specific and actionable to report. # Bazel > Learn how to implement Endor Labs in monorepos using Bazel export const YamlTable = ({children, data: propData, content}) => { const KV_RE = /^([A-Za-z][A-Za-z0-9_()/#\s-]+?):\s*(.+)$/; const INLINE_MD_RE = /(\[([^\]]+)\]\(([^)]+)\))|(`([^`]+)`)|(\*\*([^*]+)\*\*)|(\*([^*]+)\*)/g; const YES_RE = /^-yes-$/i; const NO_RE = /^-no-$/i; const LIMITED_RE = /^-(limited|partial)-$/i; const SIMPLE_TAG_RE = /()|()|(-note-)|(-warning-)/gi; const tryParseKV = trimmed => { const m = KV_RE.exec(trimmed); return m ? { key: m[1], value: m[2].trim() } : null; }; const registerKey = (key, seenKeys, orderedKeys) => { if (!seenKeys.has(key)) { orderedKeys.push(key); seenKeys.add(key); } }; const flushEntry = (currentEntry, entries) => { if (Object.keys(currentEntry).length > 0) entries.push(currentEntry); }; const parseDashPrefixed = (lines, entries, orderedKeys, seenKeys) => { let currentEntry = {}; let inEntry = false; for (const line of lines) { const trimmed = line.trim(); if (trimmed.startsWith('- ')) { if (inEntry) entries.push(currentEntry); currentEntry = {}; inEntry = true; const kv = tryParseKV(trimmed.substring(2).trim()); if (kv) { registerKey(kv.key, seenKeys, orderedKeys); currentEntry[kv.key] = kv.value; } } else if (inEntry && trimmed !== '') { const kv = tryParseKV(trimmed); if (kv) { registerKey(kv.key, seenKeys, orderedKeys); currentEntry[kv.key] = kv.value; } } } flushEntry(currentEntry, entries); }; const parseBlankSeparated = (lines, entries, orderedKeys, seenKeys) => { let currentEntry = {}; let inEntry = false; for (const line of lines) { const trimmed = line.trim(); if (trimmed === '') { if (inEntry) { flushEntry(currentEntry, entries); currentEntry = {}; inEntry = false; } continue; } const kv = tryParseKV(trimmed); if (!kv) continue; const isNewEntry = !line.startsWith(' ') && !line.startsWith('\t'); if (isNewEntry && inEntry && Object.keys(currentEntry).length > 0) { entries.push(currentEntry); currentEntry = {}; } registerKey(kv.key, seenKeys, orderedKeys); currentEntry[kv.key] = kv.value; inEntry = true; } flushEntry(currentEntry, entries); }; const normalizeEntries = (entries, orderedKeys) => entries.map(entry => { const filled = {}; for (const key of orderedKeys) filled[key] = entry[key] || ''; return filled; }); const parseYamlTableContent = contentStr => { if (!contentStr) return []; const entries = []; const orderedKeys = []; const seenKeys = new Set(); const lines = contentStr.split('\n'); if (lines.some(line => line.trim().startsWith('- '))) { parseDashPrefixed(lines, entries, orderedKeys, seenKeys); } else { parseBlankSeparated(lines, entries, orderedKeys, seenKeys); } return normalizeEntries(entries, orderedKeys); }; const processText = text => { if (!text) return text; const parts = []; let keyIndex = 0; let lastIndex = 0; let match; while ((match = INLINE_MD_RE.exec(text)) !== null) { if (match.index > lastIndex) parts.push(text.slice(lastIndex, match.index)); if (match[1]) { parts.push({match[2]}); } else if (match[4]) { parts.push({match[5]}); } else if (match[6]) { parts.push({match[7]}); } else if (match[8]) { parts.push({match[9]}); } lastIndex = match.index + match[0].length; } if (lastIndex < text.length) parts.push(text.slice(lastIndex)); if (parts.length === 0) return text; const keyRef = { current: keyIndex }; return expandHtmlTags(parts, keyRef); }; const processBadges = text => { if (!text || typeof text !== 'string') return text; if (YES_RE.test(text)) return ; if (NO_RE.test(text)) return ; if (LIMITED_RE.test(text)) return ; return processText(text); }; const expandSimpleTags = (str, keyRef) => { const result = []; let last = 0; SIMPLE_TAG_RE.lastIndex = 0; let m; while ((m = SIMPLE_TAG_RE.exec(str)) !== null) { if (m.index > last) result.push(str.slice(last, m.index)); if (m[1]) { result.push(
); } else if (m[2]) { result.push(
,
); } else if (m[3]) { result.push(Note: ); } else if (m[4]) { result.push(Warning: ); } last = m.index + m[0].length; } if (last < str.length) result.push(str.slice(last)); return result; }; const expandHtmlTags = (chunks, keyRef) => { const out = []; for (const chunk of chunks) { if (typeof chunk === 'string') { out.push(...expandSimpleTags(chunk, keyRef)); } else { out.push(chunk); } } return out; }; const extractText = node => { if (node === null || node === undefined) return ''; if (typeof node === 'string') return node; if (typeof node === 'number') return String(node); if (typeof node === 'boolean') return ''; if (Array.isArray(node)) return node.map(extractText).join(''); if (node && typeof node === 'object' && node.type) { const props = node.props || ({}); if (typeof props.children === 'string') return props.children; if (props.children) return extractText(props.children); return ''; } return String(node || ''); }; const [mounted, setMounted] = useState(false); useEffect(() => { setMounted(true); }, []); const data = useMemo(() => { if (propData) return propData; if (content && typeof content === 'string') return parseYamlTableContent(content); if (!children) return []; if (typeof children === 'string') return parseYamlTableContent(children); const childrenArray = Array.isArray(children) ? children : [children]; return parseYamlTableContent(childrenArray.map(extractText).join('').trim()); }, [children, propData, content]); const columns = useMemo(() => { if (!data || data.length === 0) return []; const firstRow = data[0]; if (!firstRow || typeof firstRow !== 'object') return []; return Object.keys(firstRow); }, [data]); if (!mounted) return null; if (!data || data.length === 0) return null; const rowKey = row => columns.map(c => row[c] || '').join('|'); return {columns.map(col => )} {data.map(row => {columns.map(col => )} )}
{col.replaceAll('_', ' ')}
{processBadges(row[col])}
; }; Bazel is an open-source build and test tool commonly used in monorepos to quickly build software across multiple languages. You can use Endor Labs and Bazel to scan software for potential security issues and policy violations, prioritize vulnerabilities in the context of your applications, and understand relationships between software components. Endor Labs also supports Bazel aspects to augment the build dependency graphs with additional information and actions. If you use custom rules to build your software, you can create your own custom Bazel aspects and integrate them with Endor Labs. See [Bazel Aspects](/scan/bazel/bazel-aspects) for more information. Endor Labs supports [Bzlmod](https://bazel.build/external/migration) (Bazel's external dependency system). Bzlmod support requires Bazel aspects. Use the `--use-bazel-aspects` flag when scanning Bzlmod-based projects. ## Prerequisites for scanning Bazel projects Ensure that the following prerequisites are in place for a successful scan: * `WORKSPACE` file exists in your repository * `bazel` command installed and available * Bazel version `5.x.x`, `6.x.x`, `7.x.x`, `8.x.x`, or `9.x.x` * Supported target types in your project ### System specifications for deep scans of Bazel projects Before you proceed to run a deep scan, ensure that your system meets the following specification. | Project Size | Processor | Memory | | ----------------- | ----------------- | ------ | | Small projects | 4-core processor | 16 GB | | Mid-size projects | 8-core processor | 32 GB | | Large projects | 16-core processor | 64 GB | ### Build process for Bazel projects You can choose to build the targets before running the scan. Use the `bazel build` commands to do this by passing a comma-separated list of targets. For example, for targets `//:test` and `//:test2`, run `bazel build //:test,//:test2`. endorctl will automatically build targets if they are not already built. endorctl uses `bazel build //:target` and `bazel query 'deps(//:target)' --output graph` to build each target and analyze its dependency tree. ## Supported Bazel rules and features The following table lists the supported Bazel rules and Endor Labs features for each language. {` - Language: [Java](https://github.com/bazelbuild/rules_jvm_external) Supported_Rules: [java_library](https://bazel.build/reference/be/java#java_library), [java_binary](https://bazel.build/reference/be/java#java_binary)

While dependency scanning is supported for \`java_binary\` targets, call graph generation requires an uber jar containing all dependencies. The \`java_binary\` rule itself does not produce an uber jar, but its \`deploy.jar\` output provides the necessary consolidated dependencies for call graph analysis.

-note- Bzlmod is supported with Bazel aspects. Requires \`rules_java\` >= 5.0.0. Version_Requirements: 4.1+ - Language: [Python](https://github.com/bazelbuild/rules_python) Supported_Rules: [py_binary](https://bazel.build/reference/be/python#py_binary), [py_library](https://bazel.build/reference/be/python#py_library), [py_image](https://github.com/bazelbuild/rules_docker/blob/master/README.md#py3_image)

-warning- \`py_image\` only supports PY3 toolchain (\`py3_image\`)

For \`rules_python\` below 0.30.0, only the WORKSPACE model is supported (no Bzlmod). Bzlmod requires \`rules_python\` 0.30.0 or higher with Bazel aspects. Software composition analysis includes reachability analysis. Version_Requirements: 0.9.0+ - Language: [Go](https://github.com/bazelbuild/rules_go) Supported_Rules: [go_binary](https://github.com/bazelbuild/rules_go/blob/master/docs/go/core/rules.md#go_binary), [go_library](https://github.com/bazelbuild/rules_go/blob/master/docs/go/core/rules.md#go_library), [go_image](https://github.com/bazelbuild/rules_docker/blob/master/README.md#go_image) Version_Requirements: 0.40.1+ (Bazel 5.x-6.x), 0.42.0+ (Bazel 7.x)

For [Bazel with Gazelle in vendored mode](https://github.com/bazelbuild/bazel-gazelle?tab=readme-ov-file#bazel-rule), see [Go with Gazelle](#scan-bazel-projects-with-go-with-gazelle-vendored-mode).

Supports both WORKSPACE model and Bzlmod. Bzlmod requires Bazel Aspects. - Language: [Scala](https://github.com/bazelbuild/rules_scala) Supported_Rules: [scala_binary](https://github.com/bazelbuild/rules_scala/blob/master/docs/scala_binary.md), [scala_library](https://github.com/bazelbuild/rules_scala/blob/master/docs/scala_library.md)

Requires \`rules_scala\` >= 5.0.0. Supports both WORKSPACE model and Bzlmod. Version_Requirements: 5.0.0 - 6.6.0 - Language: [Rust](https://github.com/bazelbuild/rules_rust) (Beta) Supported_Rules: [rust_binary](https://bazelbuild.github.io/rules_rust/rust.html#rust_binary), [rust_library](https://bazelbuild.github.io/rules_rust/rust.html#rust_library)

Requires \`rules_rust\` >= 0.40.0. Requires Bazel Aspects. Supports both WORKSPACE model and Bzlmod. Version_Requirements: 0.40.0+ - Language: [Swift](https://github.com/bazelbuild/rules_swift) Supported_Rules: [swift_binary](https://github.com/bazelbuild/rules_swift/blob/main/doc/rules.md#swift_binary), [swift_library](https://github.com/bazelbuild/rules_swift/blob/main/doc/rules.md#swift_library), [swift_test](https://github.com/bazelbuild/rules_swift/blob/main/doc/rules.md#swift_test)

Requires \`rules_swift\` >= 2.0.0. Requires Bazel Aspects. Supports both WORKSPACE model and Bzlmod. Version_Requirements: 2.0.0+ - Language: [JavaScript](https://github.com/aspect-build/rules_js) Supported_Rules: [js_binary](https://docs.aspect.build/rulesets/aspect_rules_js/docs/js_binary), [js_library](https://docs.aspect.build/rulesets/aspect_rules_js/docs/js_library)

Requires \`rules_js\` >= 2.0.0. Requires Bazel Aspects. Supports Bzlmod. Version_Requirements: 2.0.0+ `} ## Bazel aspects support Endor Labs supports Bazel aspects for enhanced dependency resolution. Use the `--use-bazel-aspects` flag to enable aspects. See [Bazel Aspects](/scan/bazel/bazel-aspects) for more information. The following table lists the languages and rulesets that support Bazel aspects. {` - Language: Go Ruleset: [rules_go](https://github.com/bazelbuild/rules_go) Minimum_Version: 0.42.0 - Language: Java Ruleset: [rules_java](https://github.com/bazelbuild/rules_java) Minimum_Version: 5.0.0 - Language: Python Ruleset: [rules_python](https://github.com/bazelbuild/rules_python) Minimum_Version: 0.9.0 - Language: Scala Ruleset: [rules_scala](https://github.com/bazelbuild/rules_scala) Minimum_Version: 5.0.0 - Language: Rust Ruleset: [rules_rust](https://github.com/bazelbuild/rules_rust) Minimum_Version: 0.40.0 - Language: JavaScript Ruleset: [rules_js](https://github.com/aspect-build/rules_js) Minimum_Version: 2.0.0 - Language: Swift Ruleset: [rules_swift](https://github.com/bazelbuild/rules_swift) Minimum_Version: 2.0.0 `} ## Bzlmod support Endor Labs supports [Bzlmod](https://bazel.build/external/migration), Bazel's external dependency system. Bzlmod requires Bazel aspects. Use the `--use-bazel-aspects` flag when scanning Bzlmod-based projects. The following table lists the languages and rulesets that support Bzlmod. {` - Language: Go Ruleset: [rules_go](https://github.com/bazelbuild/rules_go) Minimum_Version: 0.42.0 - Language: Java Ruleset: [rules_java](https://github.com/bazelbuild/rules_java) Minimum_Version: 5.0.0 - Language: Python Ruleset: [rules_python](https://github.com/bazelbuild/rules_python) Minimum_Version: 0.30.0 - Language: Scala Ruleset: [rules_scala](https://github.com/bazelbuild/rules_scala) Minimum_Version: 5.0.0 - Language: Rust Ruleset: [rules_rust](https://github.com/bazelbuild/rules_rust) Minimum_Version: 0.40.0 - Language: Swift Ruleset: [rules_swift](https://github.com/bazelbuild/rules_swift) Minimum_Version: 2.0.0 - Language: JavaScript Ruleset: [rules_js](https://github.com/aspect-build/rules_js) Minimum_Version: 2.0.0 `} **Python and rules\_python** For Python, the minimum version in this table applies to Bzlmod. With `rules_python` 0.9.0 up to (but not including) 0.30.0, only the WORKSPACE model is supported (no Bzlmod). ## Quick target discovery for Bazel projects Use the following commands to find scannable targets in your repository. ```bash theme={null} bazel query 'kind(java_binary, //...)' ``` ```bash theme={null} bazel query 'kind(py_binary, //...)' ``` ```bash theme={null} bazel query 'kind(go_binary, //...)' ``` ```bash theme={null} bazel query 'kind(scala_binary, //...)' ``` ```bash theme={null} bazel query 'kind(rust_binary, //...)' ``` ```bash theme={null} bazel query 'kind(swift_binary, //...)' ``` ```bash theme={null} bazel query 'kind(js_binary, //...)' ``` ```bash theme={null} bazel query 'kind(".*_binary", //...)' ``` ### Common query patterns for Bazel projects Use these common query patterns to find targets. Run the following command to find all targets in a specific package. ```bash theme={null} bazel query '//your-package:*' ``` Run the following command to find all binary targets across languages. ```bash theme={null} bazel query 'kind(".*_binary", //...)' ``` Run the following command to find targets with specific attributes. ```bash theme={null} bazel query 'attr(visibility, "//visibility:public", //...)' ``` Run the following command to find dependencies of a target. ```bash theme={null} bazel query 'deps(//your-target:name)' ``` Run the following command to find reverse dependencies of a target. ```bash theme={null} bazel query 'rdeps(//..., //your-target:name)' ``` ## Scan commands for Bazel projects The following table lists the common flags and options to scan Bazel projects. {` - Flag: \`--bazel-include-targets\` Purpose: Specify targets to scan Example: \`--bazel-include-targets=//app:main\` - Flag: \`--bazel-exclude-targets\` Purpose: Exclude specific targets Example: \`--bazel-exclude-targets=//test:*\` - Flag: \`--bazel-targets-query\` Purpose: Use Bazel query to select targets Example: \`--bazel-targets-query='kind(java_binary, //...)'\` - Flag: \`--bazel-workspace-path\` Purpose: Non-root workspace location Example: \`--bazel-workspace-path=./src/java\` - Flag: \`--bazel-vendor-manifest-path\` Purpose: Go vendored mode \`go.mod\` path Example: \`--bazel-vendor-manifest-path=./go.mod\` - Flag: \`--disable-private-package-analysis\` Purpose: Skip private package analysis Example: \`--disable-private-package-analysis\` - Flag: \`--quick-scan\` Purpose: Fast scan mode Example: \`--quick-scan\` - Flag: \`--bazel-rc-path\` Purpose: Specify custom paths for Bazel configuration files Example: \`--bazel-rc-path=.custom.bazelrc.user\` - Flag: \`—-bazel-flags\` Purpose: Specify additional command-line flags that should be passed to Bazel when running a scan Example: \`-—bazel-flags="config=ci, config=dev, remote_retries=5"\` - Flag: \`--use-bazel-aspects\` Purpose: Enable Bazel aspect framework for dependency resolution Example: \`--use-bazel-aspects\` - Flag: \`--bazel-aspect-package\` Purpose: Override base aspect package (defaults to @//.endorctl/aspects) Example: \`--bazel-aspect-package=@//endor_aspects\` - Flag: \`-o json\` Purpose: Output format Example: \`-o json \\| tee results.json\` `} ### Target selection for Bazel scans To scan with Endor Labs, you need to specify which targets to analyze using one of two approaches: * **Specific target list**: Provide a comma-separated list of exact targets using `--bazel-include-targets`. * **Query-based selection**: Use the Bazel query language to select all targets matching your criteria with `--bazel-targets-query`. ### Quick scan for Bazel projects Run a fast scan for software composition visibility without reachability analysis. ```bash theme={null} endorctl scan --use-bazel --bazel-include-targets=//your-target-name --quick-scan ``` ### Deep scan for Bazel projects Perform a full analysis with dependency resolution, reachability analysis, and call graphs. ```bash theme={null} endorctl scan --use-bazel --bazel-include-targets=//your-target-name ``` **Private Package Analysis** When a deep scan is performed, all private software dependencies are analyzed in full by default if they have not been previously scanned. This is a one-time operation and will slow down initial scans, but won't impact subsequent scans. ### Scan specific targets for Bazel projects You can scan specific targets in your Bazel project using the `--bazel-include-targets` flag. Run the following command to scan a single target. ```bash theme={null} endorctl scan --use-bazel --bazel-include-targets=//your-target-name ``` To scan multiple targets, provide a comma-separated list. ```bash theme={null} endorctl scan --use-bazel --bazel-include-targets=//target1,//target2,//target3 ``` ### Scan using queries for Bazel projects Use these commands to scan targets based on queries. ```bash theme={null} endorctl scan --use-bazel --bazel-targets-query='kind(java_binary, //...)' ``` ```bash theme={null} endorctl scan --use-bazel --bazel-targets-query='kind(py_binary, //...)' ``` ```bash theme={null} endorctl scan --use-bazel --bazel-targets-query='kind(go_binary, //...)' ``` ```bash theme={null} endorctl scan --use-bazel --bazel-targets-query='kind(scala_binary, //...)' ``` ```bash theme={null} endorctl scan --use-bazel --use-bazel-aspects --bazel-targets-query='kind(rust_binary, //...)' ``` ```bash theme={null} endorctl scan --use-bazel --use-bazel-aspects --bazel-targets-query='kind(swift_binary, //...)' ``` ```bash theme={null} endorctl scan --use-bazel --use-bazel-aspects --bazel-targets-query='kind(js_binary, //...)' ``` ```bash theme={null} endorctl scan --use-bazel --bazel-targets-query='attr(visibility, "//visibility:public", //...)' ``` ### Scan Bazel projects with non-root workspace If your `WORKSPACE` file isn't at the repository root. ```bash theme={null} endorctl scan --use-bazel \ --bazel-targets-query='kind(java_binary, //...)' \ --bazel-workspace-path=./src/java ``` ### Scan Bazel projects with Go with Gazelle (Vendored Mode) For Go projects using Bazel with Gazelle in vendored mode. ```bash theme={null} endorctl scan --use-bazel \ --bazel-include-targets=//your-go-target \ --bazel-vendor-manifest-path=./go.mod ``` ### Scan Bazel projects with performance optimization For large codebases, disable private package analysis. ```bash theme={null} endorctl scan --use-bazel \ --bazel-include-targets=//your-target-name \ --disable-private-package-analysis ``` ### Language-specific information for Endor Labs scans For detailed information about scanning specific languages: * [Java](/scan/sca/java) * [Python](/scan/sca/python) * [Go](/scan/sca/golang) * [Scala](/scan/sca/scala) * [Rust](/scan/sca/rust) * [JavaScript](/scan/sca/javascript) * [Swift/Objective-C](/scan/sca/swift-objective-c) ## Results of Bazel projects scans You can save the findings of your scans to a local file or view the findings in the Endor Labs user interface. ### Save findings locally Run the following command to save the results of a quick scan to a local file. ```bash theme={null} endorctl scan --use-bazel --bazel-include-targets=//your-target-name --quick-scan -o json | tee results.json ``` Run the following command to save the results of a deep scan to a local file. ```bash theme={null} endorctl scan --use-bazel --bazel-include-targets=//your-target-name -o json | tee results.json ``` ### View findings in the Endor Labs user interface To view your scan results in the Endor Labs user interface: 1. Sign in to [Endor Labs user interface](https://app.endorlabs.com) and select **Projects** from the left sidebar. 2. Select the project you want to view and select **Findings** to view your scan results. For more information, see [Viewing findings in the Endor Labs user interface](/inventory-insights/findings). ## Troubleshooting Bazel projects scans Check the following common issues and solutions for Bazel projects scans. Check your query syntax and target types. Use `--bazel-workspace-path` flag. Pre-build targets with `bazel build`. Use `--disable-private-package-analysis` Specify `--bazel-vendor-manifest-path`.