This topic provides information about troubleshooting issues that you may encounter in the application.
Troubleshoot errors
- 1: endorctl CLI exit codes
- 2: Firewall & Proxy Rules
- 3: Troubleshoot errors with DroidGPT
- 4: Scanning podman built container images
1 - endorctl CLI exit codes
The endorctl exit codes provide the result of the program’s execution, indicating whether it was completed successfully or encountered an error. This page documents the possible endorctl exit code values and the recommended next steps. When contacting support, provide the error code and the error message to help us debug the issue.
To get the exit code, run echo $? on the command line prompt.
Value | Exit Code Name | Description |
---|---|---|
2 | ENDORCTL_RC_ERROR | The exact reason for the error could not be determined. |
3 | ENDORCTL_RC_INVALID_ARGS | An invalid argument was provided. This may occur due to an invalid parameter value, or an incorrect package format. |
4 | ENDORCTL_RC_ENDOR_AUTH_FAILURE | The user does not have the correct permissions to perform the given operation. Check the Endor Labs token or API keys to make sure they are valid and include the necessary permissions. These are provided using the --token flag or through the environment variables ENDOR_TOKEN, or ENDOR_API_CREDENTIALS_KEY/SECRET. Note that the environment variables are mutually exclusive, that is, you cannot have both a token and API keys set at the same time. |
6 | ENDORCTL_RC_GITHUB_AUTH_FAILURE | The user has provided an empty or invalid GitHub token. This token is provided using the --github-token flag or through the environment variable GITHUB_TOKEN. You can skip the GitHub scan by not setting the --github flag. |
7 | ENDORCTL_RC_ANALYTICS_ERROR | There was an error analyzing the dependencies. |
8 | ENDORCTL_RC_FINDINGS_ERROR | There was an error generating findings based on the analytics output. |
9 | ENDORCTL_RC_NOTIFICATIONS_ERROR | There was an error processing a notification triggered by a notification policy. See the error log for details and verify that the corresponding notification target is set up correctly. |
10 | ENDORCTL_RC_GITHUB_API_ERROR | An error was returned by the GitHub API. This can occur due to GitHub rate-limiting or context deadline exceeded. Check the log message to see what object is causing the issue. |
11 | ENDORCTL_RC_GITHUB_PERMISSIONS_ERROR | This error typically occurs when the user is authenticated with GitHub, but does not have the necessary permissions to perform the requested operation. It indicates that the user is forbidden from accessing the requested resource due to insufficient permissions. Check the GitHub token permissions, as well as the permissions and user accounts associated with the repository and/or organization and try again. |
12 | ENDORCTL_RC_GIT_ERROR | A Git operation has failed. Examples of Git operations are: cloning, opening, finding the root, finding the HEAD, finding the default branch, and more. Ensure you are scanning the correct Git repository and that it is properly set up for the scan. |
13 | ENDORCTL_RC_DEPENDENCY_RESOLUTION_ERROR | There was an error resolving the dependencies. |
14 | ENDORCTL_RC_DEPENDENCY_SCANNING_ERROR | There was an error processing the resolved dependencies. |
15 | ENDORCTL_RC_CALL_GRAPH_ERROR | There was an error generating the call graph. |
16 | ENDORCTL_RC_LINTER_ERROR | There was an error while running the linters used to analyze the source code. This can affect secret and vulnerability detection. |
17 | ENDORCTL_RC_BAD_POLICY_TYPE | An invalid policy was detected. Note that this is not a fatal error, but the policy in question was not processed. See log for details. |
18 | ENDORCTL_RC_POLICY_ERROR | There was an error evaluating one or more policies. See log for details. |
20 | ENDORCTL_RC_INTERNAL_ERROR | There was an internal error within endorctl. See log for details. |
21 | ENDORCTL_RC_DEADLINE_EXCEEDED | The deadline expired before the operation could complete. |
22 | ENDORCTL_RC_NOT_FOUND | The requested resource was not found. |
23 | ENDORCTL_RC_ALREADY_EXISTS | An attempt to create an entity failed because a resource with the same key already exists. |
24 | ENDORCTL_RC_UNAUTHENTICATED | The request does not have valid authentication credentials for the operation. |
25 | ENDORCTL_RC_VULN_ERROR | There was an issue ingesting and processing vulnerability data. See log for details. |
26 | ENDORCTL_RC_INITIALIZATION_ERROR | There was an error initializing the project or the repository. This can happen if the project ingestion token is missing, the project URL is invalid, or authorization failed. See log for details. |
27 | ENDORCTL_RC_HOST_CHECK_FAILURE | The endorctl host-check failed. The host won’t be able to run endorctl scan successfully. See log for details. |
28 | ENDORCTL_RC_SBOM_IMPORT_ERROR | There was an error importing an SBOM. See log for details. |
29 | ENDORCTL_RC_PRE_COMMIT_CHECK_FAILURE | The pre-commit-checks command discovered one or more leaked secrets. See log for details. |
30 | ENDORCTL_RC_GH_ACTION_WORKFLOW_SCAN_FAILURE | There was an error scanning the GitHub action dependencies. See log for details. |
31 | ENDORCTL_RC_FILE_ANALYTICS_ERROR | There was an error reading files for analytics processing. See log for details. |
32 | ENDORCTL_RC_SIGNATURE_VERIFICATION_FAILURE | Signature verification failed. See log for details. |
33 | ENDORCTL_RC_LICENSE_ERROR | The requested operation requires additional licensing. See log for details. |
34 | ENDORCTL_RC_HUGGING_FACE_ERROR | There was an error running the HuggingFace scanner. |
35 | ENDORCTL_RC_SAST_ERROR | There was an error running the SAST scanner. |
36 | ENDORCTL_RC_ARTIFACT_OPERATION_FAILURE | An error occurred while performing an artifact operation. |
37 | ENDORCTL_RC_SEGMENTATION_ERROR | There was an error during file segmentation. |
38 | ENDORCTL_RC_TOOLCHAIN_ERROR | An error occurred during the process of generating toolchains. See log for details. |
39 | ENDORCTL_RC_SANDBOX_ERROR | An error occurred during endorctl sandbox execution, possibly due to setup or dependency issues. See log for details. |
40 | ENDORCTL_RC_RULE_SET_ERROR | An error occurred when importing rules. See logs for details. |
128 | ENDORCTL_RC_POLICY_VIOLATION | One or more “blocking” admission policies were violated. See log for details. |
129 | ENDORCTL_RC_POLICY_WARNING | One or more “warning” admission policies were violated. This error code is only returned if the --exit-on-policy-warning flag is set. |
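The following is an added example, not part of the Endor Labs documentation: a CI gate that acts on the exit codes in the table above, retrying transient failures and treating every non-zero code as a failed gate so that a scan error is never mistaken for a clean result. The category names, the retry policy, the GATE_* variables and the fake_scan stand-in are assumptions of this example.

```bash
#!/usr/bin/env bash
# CI gate around endorctl exit codes. Code values come from the table above;
# the categories and the retry policy are assumptions of this example.

# Map an exit code to the action a pipeline should take.
classify_rc() {
  case "$1" in
    0)         echo pass ;;
    128)       echo policy-block ;;  # ENDORCTL_RC_POLICY_VIOLATION
    129)       echo policy-warn ;;   # ENDORCTL_RC_POLICY_WARNING
    4|6|11|24) echo credentials ;;   # Endor Labs / GitHub auth or permissions
    10|21)     echo transient ;;     # GitHub API error, deadline exceeded
    29)        echo secret-leak ;;   # ENDORCTL_RC_PRE_COMMIT_CHECK_FAILURE
    *)         echo scan-error ;;    # anything else: the scan did not complete
  esac
}

# Usage: run_gate <max_attempts> <command> [args...]
# Retries transient codes, then fails closed: only exit code 0 passes.
# Results are left in GATE_RC, GATE_KIND and GATE_ATTEMPTS.
run_gate() {
  local max=$1 attempt=1 rc kind
  shift
  while :; do
    rc=0
    "$@" || rc=$?                    # capture the code even under `set -e`
    kind=$(classify_rc "$rc")
    [ "$kind" = transient ] && [ "$attempt" -lt "$max" ] || break
    attempt=$((attempt + 1))
  done
  GATE_RC=$rc GATE_KIND=$kind GATE_ATTEMPTS=$attempt
  [ "$kind" = pass ]
}

# Constructed stand-in for `endorctl scan`: two GitHub API errors (10),
# then a blocking policy violation (128).
calls=0
fake_scan() {
  calls=$((calls + 1))
  if [ "$calls" -lt 3 ]; then return 10; fi
  return 128
}

run_gate 3 fake_scan ||
  echo "gate failed: $GATE_KIND (rc=$GATE_RC, attempts=$GATE_ATTEMPTS)"
# In a pipeline: run_gate 3 endorctl scan || exit "$GATE_RC"
```

If the scan output is piped, for example through tee, $? reports the last command in the pipeline; in bash, set -o pipefail or read ${PIPESTATUS[0]} to keep the scanner's exit code.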
2 - Firewall & Proxy Rules
A web proxy bypass rule or firewall rule with the following information may be required in your environment to use Endor Labs successfully.
Description | DNS | Direction / IP Address CIDR | Port |
---|---|---|---|
User access to Endor Labs UI | app.endorlabs.com | Outbound (Egress): 32.133.71.122/32, 52.224.62.85/32 | 443 |
CI system and user access to Endor Labs API and CLI downloads | api.endorlabs.com | Outbound (Egress): 34.96.123.220/32, 52.234.140.241/32 | 443 |
User access to Endor Labs documentation | docs.endorlabs.com | Outbound (Egress): 34.123.199.118/32, 52.224.70.63/32 | 443 |
Inbound access from Endor Labs scanning clusters | N/A | Inbound (Ingress): 137.135.89.57/32 | Variable |
Configure inbound access from Endor Labs’ scanning clusters for services that have IP range restrictions such as GitLab or GitHub with the Ingress rule listed above.
If you have configured integrations with third-party applications like Jira, you may need to configure additional egress rules to complete that integration. Consult the documentation for those applications to add the required rules.
Note
For better performance, the Endor Labs client, endorctl, may attempt to connect to dynamically managed Endor Labs cloud resources not listed above. Egress restrictions that prevent such connections will not limit Endor Labs’ functionality.
3 - Troubleshoot errors with DroidGPT
Endor Labs integrates with third-party Artificial Intelligence (AI) tools to help you troubleshoot errors while performing software composition analysis, dependency resolution, or generating call graphs during an endorctl scan.
In the event of an error, DroidGPT generates explanations and actionable advice for how to resolve the error on the given host system. These suggestions are displayed as part of the error log messages on the command line and can help you understand why build errors occurred during the scan process and how to resolve them.
Important
Recommendations generated are meant solely for informational purposes. Before implementing these suggestions, it is strongly advised to thoroughly verify and assess them to ensure their accuracy and suitability for your specific circumstances and work environments.
Enable DroidGPT error logging
Use the ENDOR_SCAN_DROID_GPT environment variable or the --droid-gpt option to enable DroidGPT error logging on your system.
- Enable error logging while performing a scan.
endorctl scan --droid-gpt
- Enable error logging while checking the system specifications required for performing a scan.
endorctl host-check --droid-gpt
Example: Here is an example of the recommendations generated by DroidGPT while scanning a Ruby repository where the manifest file is not correctly configured.
*** NOTE: Use the following AI-generated advice at your own risk ***
DroidGPT suggests the following as a possible remediation:
1. The error message indicates that there is a problem parsing the Gemfile, which is preventing the dependency tree from being generated.
2. Specifically, the error message states that there are no gemspecs at the specified location, which is causing Bundler to fail.
3. To fix this issue, you should check that the Gemfile is correctly configured and that all necessary gemspecs are present.
4. Additionally, you may want to try running `bundle install` to ensure that all dependencies are properly installed.
5. Please note that this advice is generated by an AI and there may be additional factors at play that are not captured in the error message. As such, there is no guarantee that these steps will resolve the issue, and you should proceed with caution.
4 - Scanning podman built container images
To successfully run endorctl scans on a container image built using Podman, use the following instructions:
- Build the image using the following command. This command builds a container image and tags it with the label test:latest.
podman build -t test:latest
- After building the image, confirm the target registry by running the following command. Podman automatically adds localhost as the target registry for this image.
podman image ls
- Before scanning the image with endorctl, sign in to the target registry where the image is stored.
- Check if there is a registry running at localhost.
- If a registry is not running at localhost, then you must re-tag the image to a reachable registry, using the following command. Replace <reachable-registry> with the actual URL of an accessible registry.
podman tag test:latest <reachable-registry>/test:latest
- Sign in to the reachable registry using any container runtime. Now you can run the endorctl scan. Targeting a reachable registry lets you locate the image manifest and download all required layer blobs for vulnerability analysis.