# Scan using endorctl

> Scan for open source risk, SAST findings, leaked secrets, and GitHub misconfigurations using endorctl.

export const SupportedLanguagesList = () => {
  return <code>c,c#,go,java,javascript,kotlin,php,python,ruby,rust,scala,swift,typescript,swifturl</code>;
};

Use endorctl to perform comprehensive security analysis across your codebase, enabling you to detect dependency vulnerabilities, identify insecure code patterns, uncover exposed secrets, and evaluate GitHub configuration against best practices.

To run your first scan with Endor Labs, complete the following steps:

1. [Install Endor Labs on your local system](/setup-deployment/cli#download-and-install-endorctl)
2. [Authenticate to Endor Labs](/setup-deployment/cli#authenticate-to-endor-labs)
3. [Clone your repository](/setup-deployment/cli#clone-your-repository)
4. [Scan your first project](#run-your-first-scan)

## Run your first scan

Endor Labs supports four distinct scan types to identify open source risk, code issues, leaked secrets, and configuration gaps.

* [Scan for OSS risk](#scan-for-oss-risk)
* [Scan for SAST](#scan-for-sast)
* [Scan for leaked secrets](#scanning-for-leaked-secrets)
* [Scan for GitHub misconfigurations](#scan-for-github-misconfigurations)

<Note>
  **Default namespace and access**

  When you run a scan, you can specify a [namespace](/developers-api/cli/environment-variables#global-flags-and-variables). If you leave it unspecified, projects are created in the root namespace of the tenant. That matters when your account or token only has access to specific namespaces. See [Namespaces in Endor Labs](/platform-administration/namespaces) for details.
</Note>

### Scan for OSS risk

To scan and monitor all packages in a given repository from the root of the repository, run the following command:

```bash theme={null}
endorctl scan
```

If your project contains multiple programming languages, you can specify them as a comma-separated list using the `--languages` flag:

```bash theme={null}
endorctl scan --languages=<languages-list>
```

Where `<languages-list>` should be provided as a comma-separated list from the supported languages: <SupportedLanguagesList />.

#### Scan projects with private Git dependencies

If your project depends on private Git repositories, Endor Labs reuses credentials from existing SCM integrations in your namespace to resolve them. Dependency resolution may fail when the scan environment cannot access a repository. To resolve this, provide host URLs and access tokens for those repositories before you run the CLI scan.

You can configure credentials for multiple repositories across the same or different SCM platforms. Ensure that your access tokens have the required permissions. See [Supported SCM platforms and access tokens](/integrations/package-managers/git-based-dependencies#supported-scm-platforms-and-access-tokens) to learn more.

1. Configure Git credentials for your SCM platform with the org, group, or repository URL that hosts your private dependencies and an access token.

   <AccordionGroup>
     <Accordion title="GitHub">
       ```bash theme={null}
       git config --global url."https://oauth2:<access-token>@<host-url>/<organization-name>".insteadOf "https://<host-url>/<organization-name>"
       ```

       Replace:

       * `<access-token>` with your access token.
       * `<host-url>` with your GitHub Enterprise Server hostname.
       * `<organization-name>` with your GitHub organization or repository path segment.
     </Accordion>

     <Accordion title="GitLab">
       ```bash theme={null}
       git config --global url."https://oauth2:<access-token>@<host-url>/<organization-name>".insteadOf "https://<host-url>/<organization-name>"
       ```

       Replace:

       * `<access-token>` with your personal access token.
       * `<host-url>` with `gitlab.com` or your self-managed hostname.
       * `<organization-name>` with your GitLab group or subgroup path.
     </Accordion>

     <Accordion title="Bitbucket">
       ```bash theme={null}
       git config --global url."https://x-token-auth:<access-token>@<host-url>/<workspace>".insteadOf "https://<host-url>/<workspace>"
       ```

       Replace:

       * `<access-token>` with your Bitbucket access token.
       * `<host-url>` with your Bitbucket hostname.
       * `<workspace>` with your Bitbucket workspace name.
     </Accordion>
   </AccordionGroup>

   * If your project uses Go, set `GOPRIVATE` to a comma-separated list of private Git host and organization patterns, in the same format as your `git config` URLs.

     For example, if your GitHub org is `abccorp` and your GitLab group is `widgetco`, set:

     ```bash theme={null}
     export GOPRIVATE="github.com/abccorp/*,gitlab.com/widgetco/*"
     ```

2. Scan the repository.

   ```bash theme={null}
   endorctl scan
   ```
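As an added example (not part of this page or of endorctl itself), the following POSIX shell script derives the `GOPRIVATE` value from the `insteadOf` entries configured in step 1, so the Go patterns always match the credential rewrites. It reads only the token-free right-hand side of each entry, so the access token stored in `git config` is never printed. It assumes `awk` is on the PATH and uses constructed sample config lines with placeholder tokens.

```shell
#!/bin/sh
# Added example, not Endor Labs code: build GOPRIVATE from the
# `url.<authenticated-url>.insteadof <plain-url>` pairs that
#   git config --global --get-regexp '^url\..*\.insteadof$'
# prints, one pair per line. Only the plain (token-free) URL on the
# right-hand side is used, so the token never appears in the output.
derive_goprivate() {
  # Reads pairs on stdin; prints a comma-separated GOPRIVATE list.
  awk '{
    plain = $NF                             # right-hand side: https://host/org
    sub(/^https?:\/\//, "", plain)          # strip scheme -> host/org
    sub(/\/+$/, "", plain)                  # strip trailing slash
    if (plain == "" || seen[plain]++) next  # skip empty lines and duplicates
    out = (out == "" ? "" : out ",") plain "/*"
  } END { print out }'
}

# Constructed sample equivalent to the GitHub, GitLab and Bitbucket
# entries from step 1 (tokens are placeholders, not real credentials).
SAMPLE_CONFIG='url.https://oauth2:ghp_PLACEHOLDER@github.com/abccorp.insteadof https://github.com/abccorp
url.https://oauth2:glpat-PLACEHOLDER@gitlab.com/widgetco.insteadof https://gitlab.com/widgetco
url.https://x-token-auth:PLACEHOLDER@bitbucket.org/acme.insteadof https://bitbucket.org/acme/'

goprivate_from_sample() {
  printf '%s\n' "$SAMPLE_CONFIG" | derive_goprivate
}

goprivate_from_git() {
  # Live variant: reads the current global git config (requires git on PATH).
  git config --global --get-regexp '^url\..*\.insteadof$' | derive_goprivate
}

# Run with --apply to export GOPRIVATE from the real git config before `endorctl scan`.
if [ "${1:-}" = "--apply" ]; then
  GOPRIVATE="$(goprivate_from_git)"; export GOPRIVATE
  echo "GOPRIVATE=$GOPRIVATE"
fi
```

Source the script with `. ./goprivate.sh --apply` (a hypothetical filename) in the same shell that runs `endorctl scan`, since an exported variable does not survive a subprocess.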

### Scan an example repository

To scan the example repository `https://github.com/OWASP-Benchmark/BenchmarkJava.git`, follow these steps after you [authenticate to Endor Labs](/setup-deployment/cli#authenticate-to-endor-labs):

1. Clone the repository `https://github.com/OWASP-Benchmark/BenchmarkJava.git`

   ```bash theme={null}
   git clone https://github.com/OWASP-Benchmark/BenchmarkJava.git
   ```

2. Navigate to the repository on your local system

   ```bash theme={null}
   cd BenchmarkJava
   ```

3. Build the repository’s package with Maven:

   ```bash theme={null}
   mvn clean install
   ```

4. Scan the repository

   ```bash theme={null}
   endorctl scan
   ```

### Scan for SAST

To run a SAST scan from the project root to identify potential security weaknesses in your source code, run the following command:

```bash theme={null}
endorctl scan --sast
```

To scan a different working directory, set `--path`:

```bash theme={null}
endorctl scan --sast --path=/path/to/code
```

To enable AI triage of SAST findings (Code Pro license required), add `--ai-sast-analysis=agent-fallback`. For prerequisites, flags, and AI analysis behavior, see [Run a SAST scan](/scan/sast/run-a-sast-scan).

<Note>
  **AI-assisted SAST triage**

  You can enable AI-assisted triage using `--ai-sast-analysis=agent-fallback`. See [Run a SAST scan](/scan/sast/run-a-sast-scan) for details.
</Note>

### Scanning for leaked secrets

To scan for all potentially leaked secrets in the checked out branch of your repository, run the following command:

```bash theme={null}
endorctl scan --secrets
```

Secrets can leak outside your repository's main branch and remain in older branches or in branches under active development. To identify these, Endor Labs inspects the repository's Git logs.

To scan for all potentially leaked secrets in all branches of your repository, run the following command:

```bash theme={null}
endorctl scan --secrets --git-logs
```

See [Scan for leaked secrets](/scan/secrets/scan-secrets) for additional configuration options and workflow details.

### Scan for GitHub misconfigurations

Endor Labs allows teams to scan their repository for configuration best practices in alignment with organizational policy.

#### Prerequisites

To scan the GitHub repository, you must have:

* The GitHub repository HTTPS clone URL
* A personal access token with administrative access to the repository. For help creating a personal access token, see the [GitHub documentation](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens).

If you are on a self-hosted GitHub Enterprise Server, you should also have:

* The GitHub API URL (This is typically the FQDN of the GitHub server)
* A local copy of the CA Certificate if the certificate is self-signed or from a private CA

#### Run a misconfiguration scan

To scan a GitHub repository for misconfigurations:

1. Export your personal access token as an environment variable:

   ```bash theme={null}
   export GITHUB_TOKEN=<personal_access_token>
   ```

2. Scan the repository to retrieve configuration information and analyze the configuration against organizational policy or configuration best practices:

   ```bash theme={null}
   endorctl scan --repository-http-clone-url=https://github.com/<organization>/<repository>.git --github
   ```

For repositories hosted on GitHub Enterprise Server, you must also set the `--github-api-url` flag to your GitHub Enterprise Server domain name:

```bash theme={null}
endorctl scan --github-api-url=https://<fully_qualified_domain_name_to_GitHub_Enterprise_Server> --repository-http-clone-url=https://<fully_qualified_domain_name_to_GitHub_Enterprise_Server>/<organization>/<repository>.git --github
```
