Endor Labs GitHub Cloud App Pro is an enhanced version of the Endor Labs GitHub App that supports PR remediation to fix vulnerabilities. See PR remediation for more information.
You cannot have both GitHub App and GitHub Cloud App Pro simultaneously in your environment. When migrating from one app to the other, ensure you select the same set of repositories as before to preserve your currently scanned projects and findings after the migration.
You can also make the findings generated by Endor Labs available to GitHub Advanced Security so that you can view them there. Endor Labs exports the findings in the SARIF format and uploads them to GitHub. You can view the findings under Security > Vulnerability Alerts > Code Scanning in GitHub. See Export findings to GitHub Advanced Security for more information.

Default branch detection

When Endor Labs scans a repository for the first time, it detects the default branch of the repository. The findings that are created in the scan are associated with the default branch.

Changing the default branch

When you change the default branch in your source control system (for example, from main to dev):
  • Endor Labs automatically detects the new default branch and sets that as the default reference
  • The previous default branch becomes a reference branch
  • Scans continue on the new default branch and the reference branch
The findings associated with the previous default branch are no longer associated with the default reference context. You can view them in the reference context of that branch.

Renaming the default branch

When you rename the default branch in your source control system:
  • Endor Labs automatically switches to the renamed branch
  • Scans continue without disruption

Adding repository versions

When you add a new repository version (for example, a dev branch), both the default branch and the new version are scanned by the Endor Labs App.

Control default branch detection

You can control the default branch detection by setting the ENDOR_SCAN_TRACK_DEFAULT_BRANCH environment variable in a scan profile. You need to configure the project to use the scan profile. See Configure scan profiles for more information. By default, the environment variable is set to true. When set to true, default branch detection is enabled, and the first branch you scan is automatically considered the default branch.

Prerequisites for GitHub Cloud App Pro

Before installing and scanning projects with Endor Labs GitHub Cloud App Pro, make sure you have:
  • Administrative permissions to your GitHub organization. Installing the Endor Labs GitHub Cloud App Pro in your organization requires approval or permissions from your GitHub organizational administrator. If you don’t have the permissions, use the command line utility, endorctl, while you wait for the approval.
  • Endor Labs GitHub Cloud App Pro requires the following permissions:
    • Read access to Dependabot alerts, actions, administration, checks, code, commit statuses, issues, metadata, packages, pull requests, repository hooks, and security events.
    • Read and write access to checks, contents, and pull requests.
    • Write access to code scanning alerts to upload findings to GitHub Advanced Security as SARIF files.
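Because the permission set above is the app's least-privilege baseline, it is worth checking what an installation was actually granted against it. The following is an added example, not Endor Labs code: it compares a GitHub App installation's permissions object (the shape returned by GitHub's REST API, for example GET /orgs/{org}/installations) with the documented levels; the mapping of the documented names to API keys is an assumption, and the sample installation is constructed.

```python
"""Audit a GitHub App installation's permissions against the documented set.

Added example, not Endor Labs code. Permission keys follow the GitHub REST
API `permissions` object; the mapping from the documented names to these keys
is an assumption. The sample installation below is constructed.
"""

LEVEL = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Highest level the documentation lists for each permission (assumed key names).
EXPECTED_MAX = {
    "dependabot_alerts": "read",
    "actions": "read",
    "administration": "read",
    "checks": "write",            # read + write access to checks
    "contents": "write",          # "code" / read + write access to contents
    "statuses": "read",           # commit statuses
    "issues": "read",
    "metadata": "read",
    "packages": "read",
    "pull_requests": "write",     # read + write access to pull requests
    "repository_hooks": "read",
    "security_events": "write",   # security events read + code scanning alert upload
}


def audit_permissions(granted: dict) -> dict:
    """Return permissions granted above the documented level, permissions that
    are not documented at all, and documented permissions that are missing."""
    excess, undocumented, missing = [], [], []
    for key, level in granted.items():
        expected = EXPECTED_MAX.get(key)
        if expected is None:
            undocumented.append(key)
        elif LEVEL.get(level, 0) > LEVEL[expected]:
            excess.append((key, level, expected))
    missing = [key for key in EXPECTED_MAX if key not in granted]
    return {"excess": excess, "undocumented": undocumented, "missing": missing}


# Constructed sample: administration was granted write instead of read, and an
# extra permission ("members") that the documentation does not list is present.
SAMPLE_INSTALLATION = {
    "dependabot_alerts": "read", "actions": "read", "administration": "write",
    "checks": "write", "contents": "write", "statuses": "read", "issues": "read",
    "metadata": "read", "packages": "read", "pull_requests": "write",
    "repository_hooks": "read", "security_events": "write", "members": "read",
}

if __name__ == "__main__":
    for kind, items in audit_permissions(SAMPLE_INSTALLATION).items():
        print(f"{kind}: {items}")
```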

Install GitHub Cloud App Pro

To automatically scan repositories using the GitHub App and create automatic PRs to fix vulnerabilities:
  1. Select Projects from the left sidebar.
  2. Click Add Project.
  3. From GitHub, choose GitHub Cloud App Pro.
  4. Select Enable Automated Pull Requests.
  5. Click Install GitHub Pro App. You will be redirected to GitHub to install the Endor Labs App (Pro).
  6. Click Install.
  7. Select a user to authorize the app.
  8. Select the organization in which you want to install the app.
  9. You can select to install and authorize Endor Labs to scan either all repositories or a selected subset. If you choose All repositories, Endor Labs immediately scans newly created repositories, without waiting for the next scheduled monitoring run.
  10. Review the permissions required for Endor Labs and click Install and Authorize.
If the button to install says Install and Request instead of Install and Authorize, you don’t have permission to install the GitHub App. Use the endorctl command line interface, or select Install and Request to notify your organizational administrator of your request to install. If you select Install and Request, your installation will not be active until your organizational administrator approves the request to install the GitHub App.
  11. Based on your license, select and enable the scanners. The following scanners are available:
    • SCA: Perform software composition analysis and discover AI models used in your repository.
    • RSPM: Scan the repository for misconfigurations. RSPM scans run every week on Sundays.
    • Secret: Scan the repository for exposed secrets.
    • GitHub Actions: Scan the repository and identify all the GitHub Actions workflows used in the repository.
    • SAST: Scan your source code for weaknesses and generate SAST findings.
  12. Optionally, you can continue to Configure GitHub App Pro PR scans to scan your pull requests. You can also enable PR scans later by editing the GitHub App Pro integration.
  13. Select Include Archived Repositories to scan your archived repositories. By default, archived GitHub repositories aren’t scanned.
  14. Click Start Scanning Repositories.
Endor Labs GitHub Cloud App Pro scans your repositories every 24 hours and reports any new findings or changes to release versions of your code. It can also raise a PR with a fix based on your remediation policy. Ensure that you configure automated PR scans in your environment. See Automated PR scans for more information.

Configure PR scans during GitHub App Pro installation

After you complete the initial installation of the GitHub App Pro in Endor Labs, you can configure PR scans. At this point, the GitHub App Pro will be operational. You can also choose to apply PR scans to specific projects rather than all the projects in the organization through a scan profile. See Scan profiles for PR scans for more information.
  1. Select Pull Request Settings and toggle on Enable Pull Request scans to enable automatic scanning of PRs submitted by users.
  2. Optionally, toggle on Post comments on Pull Requests to allow Endor Labs to comment on PRs for policy violations. When you enable PR comments, Endor Labs will post a comment on the pull request if any issues are detected during the PR scan. You need to set up PR comments in Endor Labs to receive the comments. See PR comments for more information.
  3. By default, PR scans skip reachability analysis for faster results. Under Advanced Options, toggle on Enable Full scan with reachability when you want reachability analysis and call graph generation for supported languages.
  4. Select Save PR Settings to save the configuration.

Configure PR scans for existing GitHub App Pro integrations

You can configure PR scans for an existing GitHub App Pro integration, or enable them after installation, from the integration settings.
  1. Select Integrations from the left sidebar.
  2. Click Manage next to GitHub under Source Control Managers.
  3. Click the three vertical dots next to the GitHub App integration that you want to update.
  4. Select Edit Integration.
  5. Select Pull Request Settings.
  6. Toggle on Enable Pull Request Scans to enable PR scans.
  7. Optionally, toggle on Post comments on Pull Requests to allow Endor Labs to comment on PRs for policy violations.
  8. Optionally, toggle on Enable Full scan with reachability when you want reachability analysis and call graph generation for supported languages.
  9. Click Save PR Settings to save the changes. The changes are applied from the next scanning cycle.
    Click Rescan Org after editing the integration to apply the changes immediately instead of waiting for the next scheduled scan.

Set up package repositories

You can improve your experience with the GitHub App by setting up package repositories. This helps you create a complete bill of materials and perform static analysis. Without package repositories set up, you may not get an accurate bill of materials. See Set up package manager integration for more information.

Technical limitations of the GitHub Cloud App Pro

The Endor Labs GitHub Cloud App Pro has the same limitations as the GitHub App. See Limitations for more information.