Asynchronous scanning strategies
When scanning a large monorepo, a common approach taken by security teams is to run an asynchronous cron job outside a CI/CD-based environment. This is often the point of least friction but is prohibitive. With this approach, inline blocking of critical issues is not generally possible. This is a scanning strategy for monorepos, but it is not recommended beyond a step to get initial visibility into a large monorepo.Performance Enhancements for inline scanning strategies
Use the following performance enhancements with Endor Labs to enable the scanning of large monorepos:Incremental PR scans
For pull request scans, combine--pr-incremental with --quick-scan to resolve dependencies only for the languages and packages a pull request affects. See Skip unaffected packages during incremental PR scans for supported ecosystems and configuration.
Scoping scans based on changed files
For many CI/CD systems path filters are readily available. For example, with GitHub Actions, dorny path filters is a readily accessible way to establish a set of filters by a path. This is generally the most effective path to handle monorepo deployments but does require the highest level of human time investment. The human time investment is made up by the time saved by reducing the need to scan everything on each change. Based on the paths that change you can scope scans based on the files that have actually changed. For example, you can scan only the packages in a monorepo that are housed under theui/ directory. When this path has changed, run a scan such as endorctl scan --include-path=ui/**.
Using a path filtering approach each team working in a monorepo would need to be responsible for the packages that they maintain. Generally, each team is associated with one or more pre-defined directory paths.
Parallelizing scans for many packages
When scanning a large monorepo organizations can choose to regularly scan the whole monorepo based on the packages or directories they’d like to scan. Different jobs may be created that scan each directory simultaneously.Parallelizing with scoped scans
Using scoped scans for monorepos with multiple parallel include patterns is a common performance optimization for monorepos. The following example shows parallel GitHub action scan that you can use as a reference.ui/ and backend/ are both scanned simultaneously and the results are aggregated by Endor Labs. This approach can improve the overall scan performance across a monorepo where each directory can be scanned independently.
To include or exclude a package based on its directory.