Pull requests remediation in GitHub

Learn how to configure Pull Request (PR) remediation in a GitHub environment to address issues in your code repository.
Beta

You can set up PR remediation in your GitHub environment if you use the Endor Labs GitHub App (Pro). When PR remediation is set up, Endor Labs creates a PR to update the manifest files with dependency version upgrades, based on a remediation policy, to address vulnerability findings.

Your tenant must have upgrades and remediation feature for PR remediation to function.

If Endor Labs identifies any fixes that address vulnerability findings according to the remediation policy in the next scan, it creates a pull request in GitHub with the details of the patch. You can merge the PR after review to fix the vulnerability findings.

Endor Labs updates the PR if there is a recommendation change in upgrade impact analysis. If there are any changes in the vulnerability findings, Endor Labs updates the PR description. If there is new patch version available, Endor Labs closes the existing PR with comments and opens a new PR. If you resolve the notification in Endor Labs, the PR is closed with a comment.

Endor Labs does not further update the PR in the following scenarios, if you:

  • Add a commit to the PR
  • Close the PR
  • Delete the PR branch
  • Dismiss the notification in Endor Labs

Complete the following tasks to set up automated PR.

  1. Install or migrate to GitHub App (Pro) and enable SCA scanner.

  2. Create a GitHub PR for remediations notification integration.

  3. Create a remediation policy with the notification integration that you created in the previous step.

    The following image shows an example of a remediation policy that targets projects with the tag java and automatically raises a PR when remediation is found for reachable dependencies that resolve critical and high issues with low upgrade risk.

    Remediation Policy 1

PR remediation is supported for Java (with Gradle or Maven), Go (version 1.18 and higher), Python, .NET, and JavaScript.

Ecosystem Package manager Build files Automated PR remediation
Python pip pyproject.toml, requirements.txt
pip setup.py, setup.cfg
Poetry pyproject.toml, poetry.lock
PDM pyproject.toml, pdm.lock
Java Maven / Gradle pom.xml, build.gradle, build.gradle.kts
Go Go modules go.mod, go.sum
JavaScript npm / yarn / pnpm package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
.NET NuGet *.csproj, packages.lock.json

Currently, PR remediation has the following limitations:

  • Maven projects that use dependencyManagement tags and rely solely on dependency information in the parent pom file are not supported.
  • Gradle projects with convention files (Groovy files with .gradle extension with any name) are not supported.
  • Gradle projects with resource catalogues (version defined in .toml files) are not supported.
  • Go projects that use the replace directive in go.mod are not supported. replace directives are commonly used for local development, debugging, or patching dependencies.
  • JavaScript projects using npm and Yarn workspaces are not supported.
  • .NET projects using Directory.Packages.props (central dependency management) or packages.config, are not supported.
  • Dependency names are case sensitive.
  • Updates to .NET dependencies with wildcard characters in their names are not supported.

Remediation notification integration allows Endor Labs to get a notification from GitHub regarding pull requests. The notification alerts the GitHub App to perform PR remediation.

  1. Sign in to Endor Labs and select Integrations from the left sidebar.

  2. Under Notifications, click Add for GitHub PR for Remediations.

  3. Click Add Notification Integration.

    Add GitHub PR for Remediation

  4. Enter a name and description for this integration.

  5. Select Enable GitHub PR Notification Integration for Remediations.

  6. Optionally, select Propagate this notification target to all child namespaces so that the notification integration applies to all child namespaces.

  7. Click Add Notification Integration.