This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Troubleshoot errors

This topic provides information about troubleshooting issues that you may encounter in the application.

1 - endorctl CLI exit codes

Learn about the exit codes that you may encounter while using the endorctl CLI.

The endorctl exit codes provide the result of the program’s execution, indicating whether it was completed successfully or encountered an error. This page documents the possible endorctl exit code values and the recommended next steps. When contacting support, provide the error code and the error message to help us debug the issue.

To get the exit code, run echo $? on the command line prompt.

Value Exit Code Name Description
2 ENDORCTL_RC_ERROR The exact reason for the error could not be determined.
3 ENDORCTL_RC_INVALID_ARGS An invalid argument was provided. This may occur due to an invalid parameter value, or an incorrect package format.
4 ENDORCTL_RC_ENDOR_AUTH_FAILURE The user does not have the correct permissions to perform the given operation. Check the Endor Labs token or API keys to make sure they are valid and include the necessary permissions. These are provided using the --token flag or through the environment variables ENDOR_TOKEN, or ENDOR_API_CREDENTIALS_KEY/SECRET. Note that the environment variables are mutually exclusive, that is you cannot have both a token and API keys set at the same time.
6 ENDORCTL_RC_GITHUB_AUTH_FAILURE The user has provided an empty or invalid GitHub token. This token is provided using the --github-token flag or through the environment variable GITHUB_TOKEN. You can skip the GitHub scan by not setting the --github flag.
7 ENDORCTL_RC_ANALYTICS_ERROR There was an error analyzing the dependencies.
8 ENDORCTL_RC_FINDINGS_ERROR There was an error generating findings based on the analytics output.
9 ENDORCTL_RC_NOTIFICATIONS_ERROR There was an error processing a notification triggered by a notification policy. See the error log for details and verify that the corresponding notification target is set up correctly.
10 ENDORCTL_RC_GITHUB_API_ERROR An error was returned by the GitHub API. This can occur due to GitHub rate-limiting or context deadline exceeded. Check the log message to see what object is causing the issue.
11 ENDORCTL_RC_GITHUB_PERMISSIONS_ERROR This error typically occurs when the user is authenticated with GitHub, but does not have the necessary permissions to perform the requested operation. It indicates that the user is forbidden from accessing the requested resource due to insufficient permissions. Check the GitHub token permissions, as well as the permissions and user accounts associated with the repository and/or organization and try again.
12 ENDORCTL_RC_GIT_ERROR A Git operation has failed. Examples of Git operations are: cloning, opening, finding the root, finding the HEAD, finding the default branch, and more. Ensure you are scanning the correct Git repository and that it is properly set up for the scan.
13 ENDORCTL_RC_DEPENDENCY_RESOLUTION_ERROR There was an error resolving the dependencies.
14 ENDORCTL_RC_DEPENDENCY_SCANNING_ERROR There was an error processing the resolved dependencies.
15 ENDORCTL_RC_CALL_GRAPH_ERROR There was an error generating the call graph.
16 ENDORCTL_RC_LINTER_ERROR There was an error while running the linters used to analyze the source code. This can affect secret and vulnerability detection.
17 ENDORCTL_RC_BAD_POLICY_TYPE An invalid policy was detected. Note that this is not a fatal error, but the policy in question was not processed. See log for details.
18 ENDORCTL_RC_POLICY_ERROR There was an error evaluating one or more policies. See log for details.
20 ENDORCTL_RC_INTERNAL_ERROR There was an internal error within endorctl. See log for details.
21 ENDORCTL_RC_DEADLINE_EXCEEDED The deadline expired before the operation could complete.
22 ENDORCTL_RC_NOT_FOUND The requested resource was not found.
23 ENDORCTL_RC_ALREADY_EXISTS An attempt to create an entity failed because a resource with the same key already exists.
24 ENDORCTL_RC_UNAUTHENTICATED The request does not have valid authentication credentials for the operation.
25 ENDORCTL_RC_VULN_ERROR There was an issue ingesting and processing vulnerability data. See log for details.
26 ENDORCTL_RC_INITIALIZATION_ERROR There was an error initializing the project or the repository. This can happen if the project ingestion token is missing, the project URL is invalid, or authorization failed. See log for details.
27 ENDORCTL_RC_HOST_CHECK_FAILURE The endorctl host-check failed. Host won’t be able to run endorctl scan successfully. See log for details.
28 ENDORCTL_RC_SBOM_IMPORT_ERROR There was an error importing an SBOM. See log for details.
29 ENDORCTL_RC_PRE_COMMIT_CHECK_FAILURE The pre-commit-checks command discovered one or more leaked secrets. See log for details.
30 ENDORCTL_RC_GH_ACTION_WORKFLOW_SCAN_FAILURE There was an error scanning the GitHub action dependencies. See log for details.
31 ENDORCTL_RC_FILE_ANALYTICS_ERROR There was an error reading files for analytics processing. See log for details.
32 ENDORCTL_RC_SIGNATURE_VERIFICATION_FAILURE Signature verification failed. See log for details.
33 ENDORCTL_RC_LICENSE_ERROR The requested operation requires additional licensing. See log for details.
34 ENDORCTL_RC_HUGGING_FACE_ERROR There was an error running the HuggingFace scanner.
35 ENDORCTL_RC_SAST_ERROR There was an error running the SAST scanner.
36 ENDORCTL_RC_ARTIFACT_OPERATION_FAILURE An error occurred while performing an artifact operation.
37 ENDORCTL_RC_SEGMENTATION_ERROR There was an error during file segmentation.
38 ENDORCTL_RC_TOOLCHAIN_ERROR An error occurred during the process of generating toolchains. See log for details.
39 ENDORCTL_RC_SANDBOX_ERROR An error occurred during endorctl sandbox execution, possibly due to setup or dependency issues. See log for details.
128 ENDORCTL_RC_POLICY_VIOLATION One or more “blocking” admission policies were violated. See log for details.
129 ENDORCTL_RC_POLICY_WARNING One or more “warning” admission policies were violated. This error code is only returned if the --exit-on-policy-warning flag is set.

2 - Firewall & Proxy Rules

Get information about the firewall and web proxy rules that may be required to use Endor Labs

A web proxy bypass rule or firewall rule with the following information may be required in your environment to use Endor Labs successfully.

Description DNS Direction / IP Address CIDR Port
User access to Endor Labs UI app.endorlabs.com Outbound (Egress): 32.133.71.122/32, 52.224.62.85/32 443
CI system and user access to Endor Labs API and CLI downloads api.endorlabs.com Outbound (Egress): 34.96.123.220/32, 52.234.140.241/32 443
User access to Endor Labs documentation docs.endorlabs.com Outbound (Egress): 34.123.199.118/32, 52.224.70.63/32 443
Inbound access from Endor Labs scanning clusters N/A Inbound (Ingress): 137.135.89.57/32 Variable

Configure inbound access from Endor Labs’ scanning clusters for services that have IP range restrictions such as GitLab or GitHub with the Ingress rule listed above.

If you have configured integrations with third-party applications like Jira, you may need to configure additional egress rules to complete that integration. Consult the documentation for those applications to add the required rules.

3 - Troubleshoot errors with DroidGPT

Use artificial intelligence to troubleshoot errors and fetch recommendations.

Endor Labs integrates with third-party Artificial Intelligence (AI) tools to help you troubleshoot errors while performing software composition analysis, dependency resolution, or generating call graphs during an endorctl scan.

In the event of an error, DroidGPT generates explanations and actionable advice for how to resolve the error on the given host system. These suggestions are displayed as part of the error log messages on the command line and can help you understand why build errors occurred during the scan process and how to resolve them.

Enable DroidGPT error logging

Use the ENDOR_SCAN_DROID_GPT environment variable or the --droid-gpt option to enable DroidGPT error logging on your system.

  • Enable error logging while performing a scan.
endorctl scan --droid-gpt
  • Enable error logging while checking the system specifications required for performing a scan.
endorctl host-check --droid-gpt

Example: Here is an example of the recommendations generated by DroidGPT while scanning a Ruby repository where the manifest file is not correctly configured.

*** NOTE: Use the following AI-generated advice at your own risk ***
DroidGPT suggests the following as a possible remediation:
1. The error message indicates that there is a problem parsing the Gemfile, which is preventing the dependency tree from being generated.
2. Specifically, the error message states that there are no gemspecs at the specified location, which is causing Bundler to fail.
3. To fix this issue, you should check that the Gemfile is correctly configured and that all necessary gemspecs are present.
4. Additionally, you may want to try running `bundle install` to ensure that all dependencies are properly installed.
5. Please note that this advice is generated by an AI and there may be additional factors at play that are not captured in the error message. As such, there is no guarantee that these steps will resolve the issue, and you should proceed with caution.

4 - Scanning podman built container images

Troubleshoot errors while scanning container images built using Podman

To successfully run endorctl scans on a container image built using Podman, use the following instructions:

  1. Build the image using the following command. This command builds a container image and tags it with the label test:latest.
     podman build -t test:latest
  1. After building the image, confirm the target registry by running the following command. Podman automatically adds localhost as the target registry for this image.
     podman image ls
  1. Before scanning the image with endorctl, sign in to the target registry where the image is stored.

  2. Check if there is a registry running at localhost.

  3. If a registry is not running at localhost, then you must re-tag the image to a reachable registry, using the following command. Replace <reachable-registry> with the actual URL of an accessible registry.

     podman tag test:latest <reachable-registry>/test:latest
  1. Sign in to the reachable registry using any container runtime. Now you can run the endorctl scan. Targeting a reachable registry lets you locate the image manifest and download all required layer blobs for vulnerability analysis.