Skip to main content
Use endorctl to perform comprehensive security analysis across your codebase, enabling you to detect dependency vulnerabilities, identify insecure code patterns, uncover exposed secrets, and evaluate GitHub configuration against best practices. To run your first scan with Endor Labs, complete the following steps:
  1. Install Endor Labs on your local system
  2. Authenticate to Endor Labs
  3. Clone your repository
  4. Scan your first project

Run your first scan

Endor Labs supports four distinct scan types to identify open source risk, code issues, leaked secrets, and configuration gaps.
Default namespace and accessWhen you run a scan, you can specify a namespace. If you leave it unspecified, projects are created in the root namespace of the tenant. That matters when your account or token only has access to specific namespaces. See Namespaces in Endor Labs for details.

Scan for OSS risk

To scan and monitor all packages in a given repository from the root of the repository, run the following command: 
endorctl scan
If your project contains multiple programming languages, you can specify them as a comma-separated list using the --languages flag: 
endorctl scan --languages=<languages-list>
Where <languages-list> should be provided as a comma-separated list from the supported languages: .

Scan an example repository

To scan the example repository https://github.com/OWASP-Benchmark/BenchmarkJava.git, follow these steps after you authenticate to Endor Labs:
  1. Clone the repository https://github.com/OWASP-Benchmark/BenchmarkJava.git 
    git clone https://github.com/OWASP-Benchmark/BenchmarkJava.git
  2. Navigate to the repository on your local system 
    cd BenchmarkJava
  3. Build the repository’s package with Maven: 
    mvn clean install
  4. Scan the repository 
    endorctl scan

Scan for SAST

To run a SAST scan from the project root to identify potential security weaknesses in your source code, run the following command: 
endorctl scan --sast
To scan a different working directory, set --path: 
endorctl scan --sast --path=/path/to/code
To enable AI triage of SAST findings (Code Pro license required), add --ai-sast-analysis=agent-fallback. For prerequisites, flags, and AI analysis behavior, see Run a SAST scan.
AI-assisted SAST triageYou can enable AI-assisted triage using --ai-sast-analysis=agent-fallback. See Run a SAST scan for details.

Scanning for leaked secrets

To scan for all potentially leaked secrets in the checked out branch of your repository, run the following command: 
endorctl scan --secrets
Often, secrets are leaked outside the context of your repositories main branch and can be found in older branches or those that are under active development. To identify these, Endor Labs inspects the Git logs of the repository. To scan for all potentially leaked secrets in all branches of your repository, run the following command: 
endorctl scan --secrets --git-logs
See Scan for leaked secrets for additional configuration options and workflow details.

Scan for GitHub misconfigurations

Endor Labs allows teams to scan their repository for configuration best practices in alignment with organizational policy.

Prerequisites

To scan the GitHub repository, you must have:
  • The GitHub repository HTTPS clone URL
  • A personal access token with access administrative access to the repository. For help creating a personal access token see GitHub documentation.
If you are on a self-hosted GitHub Enterprise Server, you should also have:
  • The GitHub API URL (This is typically the FQDN of the GitHub server)
  • A local copy of the CA Certificate if the certificate is self-signed or from a private CA

Run a misconfiguration scan

To scan a GitHub repository for misconfigurations:
  1. Export your personal access token as an environment variable: 
    export GITHUB_TOKEN=<personal_access_token>
  2. Scan the repository to retrieve configuration information and analyze the configuration against organizational policy or configuration best practices: 
    endorctl scan --repository-http-clone-url=https://github.com/<organization>/<repository>.git --github
For source control systems on the GitHub Enterprise Server, you must set the --github-api-url flag to your GitHub Enterprise server domain name: 
endorctl scan --github-api-url=https://<fully_qualified_domain_name_to_GitHub_Enterprise_Server> --repository-http-clone-url=https://<fully_qualified_domain_name_to_GitHub_Enterprise_Server>/<organization>/<repository>.git --github