The Endor Labs agent brings dependency and vulnerability intelligence into GitHub Copilot. Ask it about an open source package, and it answers with evidence from Endor Labs. GitHub handles authentication automatically, so you do not need an Endor Labs account or API key.

What you can do

The agent answers dependency and vulnerability questions from Endor Labs evidence. Give it a package or a vulnerability identifier, and it responds with results you can act on.
  • Check whether a specific dependency version has known vulnerabilities.
  • Assess open source package risk, including vulnerabilities and malware.
  • Look up the details behind a specific vulnerability.

Set up the Endor Labs agent

Install the Endor Labs Agentic app on your GitHub organization. Then choose the repositories where you want the agent to run.
You must enable the Copilot features in your organization and make sure that your users have access to the features. See GitHub Documentation for more information.
  1. Install the Endor Labs Agentic app on your organization.
  2. Select the repositories where you want the agent available.
  3. Open a repository, then assign or mention the agent on an issue or pull request to invoke it.
The agent works on one repository at a time.

Ask the agent

You can ask the agent questions through the Agents tab in GitHub or in pull request comments. The following examples show some questions you can ask:
  • Does npm lodash 4.17.19 have known vulnerabilities?
  • What is the open source risk for PyPI requests 2.31.0?
  • Show the details for CVE-2021-23337
A good answer names the affected package, the severity, the supporting evidence, the likely impact, and a concrete remediation. If Endor Labs finds no known issue, the agent says so without claiming the package is risk-free.

Use the agent from the Agents tab in GitHub

  1. Open your repository in GitHub.
  2. Select the Agents tab.
  3. Choose the branch that you want to query.
  4. Select endor-labs-github-agenthq as the agent. [Image: selecting endor-labs-github-agenthq from the agent dropdown in the GitHub Agents tab]
  5. Enter your question. The agent analyzes the question and displays the answer. [Image: the agent's answer displayed in the GitHub Agents tab]

Use the agent in pull requests

You can invoke the agent in a pull request to get information about the proposed changes. In a new pull request comment, invoke the agent with @endor-labs-github-agenthq[agent]. For example:
@endor-labs-github-agenthq[agent] tell me if this PR introduces any known vulnerabilities
The following image shows a GitHub PR comment with the query. [Image: pull request comment invoking the agent with a query]
Click View Session to go to the Agents tab and view the answer. You can also ask the agent to answer the question as a GitHub PR comment. For example:
@endor-labs-github-agenthq[agent] is this PR introducing any new vulnerability or malware? If you find anything, please comment in this thread with details.
The following image shows the PR comment created by the agent. [Image: agent's reply posted as a pull request thread comment]

What’s not included

The agent focuses on dependency and vulnerability checks. The following features are not available in Endor Labs GitHub AgentHQ:
  • Repository scanning and reachability analysis
  • Static application security testing (SAST)
  • Secrets detection
  • Project findings
For repository scanning, reachability analysis, SAST, and secrets detection in your IDE, see the Endor Labs MCP server.

Troubleshooting

Check the following tips if the agent isn’t responding as expected:
  • Agent not listed: Confirm the Endor Labs app is installed and the repository is selected.
  • Ambiguous package: Give the agent the exact ecosystem, package name, and version. The agent asks for these rather than reading repository files.
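Because the agent asks for the exact ecosystem, package name, and version rather than reading repository files, it helps to spell those out in the pull request comment. The following is an added example, not Endor Labs code: it compares two npm `package-lock.json` files and builds a comment that lists every dependency version the PR adds. The function names and sample lockfiles are constructed for illustration, and it is an assumption that the agent accepts several packages in a single comment.

```python
import json

AGENT_MENTION = "@endor-labs-github-agenthq[agent]"  # mention string shown on this page

def lock_entries(lock_text):
    """Return {(name, version)} for every installed package in a package-lock.json (v2/v3)."""
    entries = set()
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        # Skip the root project (""), workspace folders and symlinked entries.
        if "node_modules/" not in path or "version" not in meta:
            continue
        # Nested and scoped paths: node_modules/a/node_modules/@scope/b -> @scope/b
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        entries.add((name, meta["version"]))
    return entries

def build_comment(base_lock, head_lock):
    """Build a PR comment naming each dependency version the PR adds, or None if none."""
    added = sorted(lock_entries(head_lock) - lock_entries(base_lock))
    if not added:
        return None
    lines = [AGENT_MENTION + " do any of these dependency versions have known "
             "vulnerabilities or malware? If you find anything, please comment "
             "in this thread with details.", ""]
    # Backticks keep scoped names such as @scope/pkg from being parsed as mentions.
    lines += [f"- npm `{name}` {version}" for name, version in added]
    return "\n".join(lines)

# Constructed sample lockfiles (not from a real repository).
BASE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21"},
}})
HEAD_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.19"},
    "node_modules/@example/util": {"version": "1.2.0"},
    "node_modules/@example/util/node_modules/lodash": {"version": "4.17.21"},
    "packages/local-tool": {"name": "local-tool", "version": "0.1.0"},
    "node_modules/local-tool": {"resolved": "packages/local-tool", "link": True},
}})

if __name__ == "__main__":
    print(build_comment(BASE_LOCK, HEAD_LOCK))
```

Paste the printed text into a new pull request comment. Transitive dependencies appear in the list as well, since the lockfile records every installed package.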