Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.endorlabs.com/llms.txt

Use this file to discover all available pages before exploring further.

To enable Keyless Authentication for GitHub Actions, you’ll need to perform the following steps:
  1. Ensure you are using the Endor Labs GitHub Action in your GitHub workflow.
  2. Edit your GitHub Action workflow to add permission settings for the GitHub id-token and contents.
  3. Create an authorization policy for GitHub Action OIDC.
  4. Test that you can successfully scan a project using GitHub Action OIDC.

Add a GitHub Action OIDC authorization policy

To ensure that the GitHub Action OIDC identity can successfully login to Endor Labs, create an authorization policy in Endor Labs. To create an authorization policy:
  1. Select User menu > Settings from the left sidebar.
  2. Select Access Control > Auth Policy.
  3. Click Add Auth Policy.
  4. Select GitHub Action OIDC as your identity provider.
  5. Select the permission for the GitHub Action. This permission should be Code Scanner.
  6. For the claim use the key user and put in a matching value that maps to the organization of your GitHub repository.

Configure your GitHub Action workflow

To configure your GitHub Action workflow with GitHub Action OIDC you can use the following example as a baseline. The important items in this workflow are:
  1. The Usage of the Endor Labs GitHub Action.
  2. Setting Job level permissions to allow writing to the GitHub id-token and reading repository contents.
The examples pin the Endor Labs GitHub Action to release v1.1.12. To use a newer release, copy the Use in your workflow reference from Latest GitHub Action Release in Secure GitHub Actions with immutable commit SHA.
name: Example Scan of OWASP Java
on: workflow_dispatch
jobs:
  create_project_owasp:
    permissions:
      id-token: write # This is required for requesting the JWT
      contents: read # This is required to checkout and read your repository code
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v3
        with:
          repository: OWASP-Benchmark/BenchmarkJava
      - name: Setup Java
        uses: actions/setup-java@v3
        with:
          distribution: 'microsoft'
          java-version: '17'
      - name: Compile Package
        run: mvn clean install
      - name: Scan with Endor Labs
        uses: endorlabs/github-action@b8992820cc4d9c9e7ded5022adf6cabe2dc11946 # v1.1.12
        with:
          namespace: 'demo'
          scan_summary_output_type: 'json'
          pr: false
          scan_secrets: true
          scan_dependencies: true
Now that you’ve successfully configured your GitHub Action workflow file you can use this workflow file or one of your own designs to run a test scan using Keyless authentication for GitHub Actions.