Patch transparency
In security, trust is crucial. Therefore, the patch details of an Endor patch are fully transparent. You can audit the exact code changes, builds, build steps, and logs. The builds are reproducible and hermetic.
Review patch transparency information
To review the patch, build, test and deploy process used to create an Endor patch, use the AssuredPackageVersion API.
The commands and logs used to build, test and deploy each version of a package are stored as an attestation on that package version.
Review security attestations
To see the exact changes used for a given security patch, Endor Labs provides a security attestation which shows:
- Fixed vulnerabilities
- Exact code changes for each package
- Exact commits used and if they are upstream commits or commits applied by Endor Labs directly
To see a security attestation, use the following command with the name of the package version you’d like to inspect. For this example we’ll use com.fasterxml.jackson.core:jackson-databind@2.9.10.3:
endorctl api list -r AssuredPackageVersion -n oss --filter="meta.name==mvn://com.fasterxml.jackson.core:jackson-databind@2.9.10.3" | jq '.list.objects[].spec.security_attestation'
Review attestations
To see all information about the patch, build, test and deploy process for this Endor patch, use the command:
endorctl api list -r AssuredPackageVersion -n oss --filter="meta.name==mvn://com.fasterxml.jackson.core:jackson-databind@2.9.10.3"
Review build attestations
To see the build steps and build logs for an Endor patch, check the patch build attestation.
To see a build attestation, use the following command with the name of the package version you’d like to inspect. For this example we’ll use com.fasterxml.jackson.core:jackson-databind@2.9.10.3:
endorctl api list -r AssuredPackageVersion -n oss --filter="meta.name==mvn://com.fasterxml.jackson.core:jackson-databind@2.9.10.3" | jq '.list.objects[].spec.build_attestation'
Review test attestations
To see the test steps and test logs for an Endor patch, check the patch test attestation.
To see a test attestation, use the following command with the name of the package version you’d like to inspect. For this example we’ll use com.fasterxml.jackson.core:jackson-databind@2.9.10.3:
endorctl api list -r AssuredPackageVersion -n oss --filter="meta.name==mvn://com.fasterxml.jackson.core:jackson-databind@2.9.10.3" | jq '.list.objects[].spec.test_attestation'
Review deploy attestations
To review the deployment steps and logs for an Endor patch, check the patch deployment attestation.
To see a deployment attestation, use the following command with the name of the package version you’d like to inspect. For this example, we’ll use com.fasterxml.jackson.core:jackson-databind@2.9.10.3:
endorctl api list -r AssuredPackageVersion -n oss --filter="meta.name==mvn://com.fasterxml.jackson.core:jackson-databind@2.9.10.3" | jq '.list.objects[].spec.deploy_attestation'
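The four commands above each pull one attestation section out of the same AssuredPackageVersion response. The following Python script is an added example (not Endor Labs code) that builds the same endorctl query as an argv list and then audits a response for all four sections at once: it reports which of security_attestation, build_attestation, test_attestation and deploy_attestation are present, and for the security attestation counts the fixed vulnerabilities and separates upstream commits from commits applied by Endor Labs. Only the field names shown in the commands on this page are taken from the page; the inner shape of the security attestation (fixed_vulnerabilities, commits with a sha and an upstream flag), the fetch_assured_package helper and the sample response are assumptions constructed for the example.

```python
"""Audit the attestations on an AssuredPackageVersion response (added example)."""
import json
import subprocess

# Attestation sections named on this page, found under .list.objects[].spec
ATTESTATION_FIELDS = (
    "security_attestation",
    "build_attestation",
    "test_attestation",
    "deploy_attestation",
)


def endorctl_command(package_version, ecosystem="mvn", namespace="oss"):
    """Build the argv for the endorctl query used on this page.

    package_version is e.g. "com.fasterxml.jackson.core:jackson-databind@2.9.10.3".
    Returning an argv list rather than a shell string keeps the package name
    out of shell quoting entirely.
    """
    return [
        "endorctl", "api", "list",
        "-r", "AssuredPackageVersion",
        "-n", namespace,
        f"--filter=meta.name=={ecosystem}://{package_version}",
    ]


def fetch_assured_package(package_version):
    """Assumed helper: run endorctl and parse its JSON output (needs endorctl + auth)."""
    out = subprocess.run(endorctl_command(package_version),
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def summarize_attestations(response):
    """Summarise each returned object: which attestation sections are present,
    and, for the security attestation, how many vulnerabilities were fixed and
    how many commits are upstream versus applied by Endor Labs.

    Assumed inner shape of security_attestation (not documented on the page):
      {"fixed_vulnerabilities": [...], "commits": [{"sha": ..., "upstream": bool}, ...]}
    """
    summaries = []
    for obj in response.get("list", {}).get("objects", []):
        spec = obj.get("spec", {})
        present = [f for f in ATTESTATION_FIELDS if spec.get(f)]
        missing = [f for f in ATTESTATION_FIELDS if f not in present]
        sec = spec.get("security_attestation") or {}
        commits = sec.get("commits", [])
        summaries.append({
            "name": obj.get("meta", {}).get("name", "<unknown>"),
            "present": present,
            "missing": missing,
            "fixed_vulnerabilities": len(sec.get("fixed_vulnerabilities", [])),
            "upstream_commits": sum(1 for c in commits if c.get("upstream")),
            "endor_commits": sum(1 for c in commits if not c.get("upstream")),
            "complete": not missing,   # every section an auditor expects is there
        })
    return summaries


# Constructed sample response; the shape is assumed, not real endorctl output.
# deploy_attestation is deliberately left out to show the "missing" report.
SAMPLE_RESPONSE = {
    "list": {
        "objects": [
            {
                "meta": {"name": "mvn://com.fasterxml.jackson.core:jackson-databind@2.9.10.3"},
                "spec": {
                    "security_attestation": {
                        "fixed_vulnerabilities": ["PLACEHOLDER-VULN-1", "PLACEHOLDER-VULN-2"],
                        "commits": [
                            {"sha": "0000000", "upstream": True},
                            {"sha": "1111111", "upstream": True},
                            {"sha": "2222222", "upstream": False},
                        ],
                    },
                    "build_attestation": {"steps": ["<constructed build step>"], "logs": "<constructed>"},
                    "test_attestation": {"steps": ["<constructed test step>"], "logs": "<constructed>"},
                },
            }
        ]
    }
}


if __name__ == "__main__":
    print(" ".join(endorctl_command("com.fasterxml.jackson.core:jackson-databind@2.9.10.3")))
    print(json.dumps(summarize_attestations(SAMPLE_RESPONSE), indent=2))
```

Run it against a live response with summarize_attestations(fetch_assured_package(name)); a package version whose summary has complete set to False is one where the audit trail the page promises (patch, build, test and deploy) is not all present and deserves a closer look before the patch is trusted.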