Patch transparency

Build trust in your Endor patches.

In security, trust is crucial. Therefore, the patch details of an Endor patch are fully transparent. You can audit the exact code changes, builds, build steps, and logs. The builds are reproducible and hermetic.

Review patch transparency information

To review the patch, build, test and deploy process used to create an Endor patch, use the AssuredPackageVersion API.

The commands and logs used to test, deploy and build this package are stored for each version of a package as an attestation.

Review security attestations

To see the exact changes used for a given security patch, Endor Labs provides a security attestation which shows:

  1. Fixed vulnerabilities
  2. Exact code changes for each package
  3. Exact commits used and if they are upstream commits or commits applied by Endor Labs directly

To see a security attestation use the following command with the name of the package version you’d like to inspect. For this example we’ll use com.fasterxml.jackson.core:jackson-databind@2.9.10.3:

endorctl api list -r AssuredPackageVersion -n oss --filter="meta.name==mvn://com.fasterxml.jackson.core:jackson-databind@2.9.10.3" | jq '.list.objects[].spec.security_attestation'

Review attestations

To see all information about the patch, build, test and deploy process for this Endor patch, use the command:

endorctl api list -r AssuredPackageVersion -n oss --filter="meta.name==mvn://com.fasterxml.jackson.core:jackson-databind@2.9.10.3"

Review build attestations

To see the build steps and build logs for an Endor patch, review the patch's build attestation.

To see a build attestation, use the following command with the name of the package version you’d like to inspect. For this example, we’ll use com.fasterxml.jackson.core:jackson-databind@2.9.10.3.

endorctl api list -r AssuredPackageVersion -n oss --filter="meta.name==mvn://com.fasterxml.jackson.core:jackson-databind@2.9.10.3" | jq '.list.objects[].spec.build_attestation'

Review test attestations

To see the test steps and test logs for an Endor patch, review the patch's test attestation.

To see a test attestation, use the following command with the name of the package version you’d like to inspect. For this example, we’ll use com.fasterxml.jackson.core:jackson-databind@2.9.10.3.

endorctl api list -r AssuredPackageVersion -n oss --filter="meta.name==mvn://com.fasterxml.jackson.core:jackson-databind@2.9.10.3" | jq '.list.objects[].spec.test_attestation'

Review deploy attestations

To review the deployment steps and logs for an Endor patch, check the patch deployment attestation.

To see a deployment attestation, use the following command with the name of the package version you’d like to inspect. For this example, we’ll use com.fasterxml.jackson.core:jackson-databind@2.9.10.3.

endorctl api list -r AssuredPackageVersion -n oss --filter="meta.name==mvn://com.fasterxml.jackson.core:jackson-databind@2.9.10.3" | jq '.list.objects[].spec.deploy_attestation'
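The four commands above differ only in the jq path. The following script is an added example, not Endor Labs' own tooling: it pulls the security, build, test and deploy attestations of one AssuredPackageVersion into separate files for audit and archiving, and fails if the API returns no object for that version. It assumes endorctl and jq are on PATH and that endorctl is already authenticated; the namespace, resource and filter syntax are those used on this page.

```shell
#!/bin/sh
# Added example (not Endor Labs' own tooling): collect every attestation of an
# AssuredPackageVersion so the complete patch record can be audited offline.

# Map an attestation kind to the jq path used on this page; reject anything else.
attestation_path() {
  case "$1" in
    security|build|test|deploy) printf '.list.objects[].spec.%s_attestation\n' "$1" ;;
    *) echo "unknown attestation kind: $1" >&2; return 1 ;;
  esac
}

# Build the --filter value for a Maven package version, e.g.
# meta.name==mvn://com.fasterxml.jackson.core:jackson-databind@2.9.10.3
version_filter() {
  printf 'meta.name==mvn://%s@%s\n' "$1" "$2"
}

# Fetch one attestation kind for <package> <version> and write it into <outdir>.
# Fails if the API returns no AssuredPackageVersion for that name.
fetch_attestation() {
  pkg=$1; ver=$2; kind=$3; outdir=$4
  path=$(attestation_path "$kind") || return 1
  filter=$(version_filter "$pkg" "$ver")
  raw=$(endorctl api list -r AssuredPackageVersion -n oss --filter="$filter") || return 1
  count=$(printf '%s' "$raw" | jq '.list.objects | length')
  [ "$count" -gt 0 ] || { echo "no AssuredPackageVersion found for $filter" >&2; return 1; }
  printf '%s' "$raw" | jq "$path" > "$outdir/$kind-attestation.json"
}

# Fetch all four attestations for <package> <version> into <outdir>.
fetch_all_attestations() {
  for k in security build test deploy; do
    fetch_attestation "$1" "$2" "$k" "$3" || return 1
  done
}

# Usage: sh fetch_attestations.sh com.fasterxml.jackson.core:jackson-databind 2.9.10.3 ./audit
# (runs only when called with three arguments, so the file can also be sourced)
if [ $# -eq 3 ]; then
  mkdir -p "$3"
  fetch_all_attestations "$1" "$2" "$3"
fi
```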