scan
Use the scan command to perform endorctl scan.
Use the scan command to perform scans against a repository.
Usage
Run the following command to perform a full scan including reachability analysis for the open source packages you build in a repository.
endorctl scan
If your project contains multiple programming languages, you can specify them as a comma-separated list using the --languages flag:
endorctl scan --languages=<languages-list>
Provide <languages-list> as a comma-separated list using the supported languages: c,c#,go,java,javascript,kotlin,php,python,ruby,rust,scala,swift,typescript,swifturl.
To scan leaked secrets and monitor all results in the checked out version of your repository.
endorctl scan --secrets
Run the following command to perform a regular scan for leaked secrets including the dependencies.
endorctl scan --secrets --dependencies
Run the following command to scan for leaked secrets in all branches of your repository.
endorctl scan --secrets --git-logs
The above command performs a scan of the repository’s Git logs using the following logic:
- If endorctl scans the repository’s Git log history for the first time, it performs a full scan
- endorctl also performs a full rescan if you change any of the rules in the namespace
- In all other cases, endorctl runs an incremental scan based on the last scan time
If the system invalidates detected secrets and you want to re-validate them, force a full rescan with the following command.
To scan for misconfigurations in a GitHub repository like https://github.com/endorlabs/app-java-demo.
export ENDOR_SCAN_SCM_TOKEN=<insert-your-scm-token>
endorctl scan --github --repository-http-clone-url=https://github.com/endorlabs/app-java-demo
To run a scan as a test in a pull request without monitoring the version of your code over time run the command.
endorctl scan --pr
To scan and discover GitHub action workflows in your CI/CD pipeline run the command.
endorctl scan --ghactions
The command performs regular dependency analysis on your repository. It also discovers GitHub Actions workflows in your CI/CD pipeline and maps them as GitHub action dependencies in your package.
To scan binaries and artifacts run the following command.
endorctl scan --package --path --project-name
You must provide the path of your file using --path and specify a name for your project using --project-name.
To scan and discover AI/LLM models in your repository, run the following command
endorctl scan --ai-models --dependencies
To run a scan in dry run mode with local scanning and read-only access, run the following command. Dry run mode does not store scan results for monitoring and is best when used by developers running local scans.
endorctl scan --dependencies --dry-run
You can also use --dry-run with --secrets or --sast flags. Do not use --dry-run with container scanning.
Options
The command endorctl scan uses the following flags and environment variables:
Bazel flags
| Flag | Environment Variable | Type | Description |
|---|---|---|---|
bazel-exclude-targets |
ENDOR_SCAN_BAZEL_EXCLUDE_TARGETS |
comma-separated string | Set this variable to exclude a list of Bazel targets included in a provided Bazel query. |
bazel-include-targets |
ENDOR_SCAN_BAZEL_INCLUDE_TARGETS |
comma-separated string | Set this variable to scan a list of targets using Bazel. endorctl scans only the specified list of targets. If you do not specify bazel-include-targets, you must identify targets using bazel-targets-query. If you specify targets, endorctl ignores the results from bazel-targets-query. |
bazel-show-internal-targets |
ENDOR_SCAN_BAZEL_SHOW_INTERNAL_TARGETS |
boolean | Show internal targets as py_library, java_library and go_library as dependencies. Use --use-bazel with this flag. |
bazel-targets-query |
ENDOR_SCAN_BAZEL_TARGETS_QUERY |
string | Set this variable to query for a list of Bazel targets to include in a scan. |
bazel-vendor-manifest-path |
ENDOR_SCAN_BAZEL_VENDOR_MANIFEST_PATH |
string | Set this variable to specify the path of the go.mod file if you use Bazel with Gazelle in vendored mode for Go projects. |
bazel-workspace-path |
ENDOR_SCAN_BAZEL_WORKSPACE_PATH |
string | Set this variable to specify the path of the Bazel workspace. |
use-bazel |
ENDOR_SCAN_USE_BAZEL |
boolean | Use Bazel to perform the endorctl scan. |
bazel-rc-path |
ENDOR_SCAN_BAZEL_RC_PATH |
string | Specify custom paths for Bazel configuration files. Specify comma-separated paths relative to the repository root. If you provide multiple .bazelrc files that contain conflicting configuration options, the configuration in the last file listed takes precedence. See Bazel documentation for details about .bazel.rc file locations. |
bazel-flags |
ENDOR_SCAN_BAZEL_FLAGS |
string | Specify additional command-line flags to pass to Bazel when running a scan. Specify comma-separated key-value pairs in the format key=value. endorctl applies these flags to bazel build. |
Pull request (CI) flags
| Flag | Environment Variable | Type | Description |
|---|---|---|---|
enable-pr-comments |
ENDOR_SCAN_ENABLE_PR_COMMENTS |
boolean | Publish new findings as review comments. Set together with --scm-pr-id, --pr, and either --github-token (for GitHub) or --scm-token (for GitLab). Do not use with --pr-baseline since endorctl determines the baseline from the merge target of the PR. Note: You can continue to use --github-pr-id flag, but Endor Labs will deprecate and remove this flag in the future. |
scm-pr-id |
ENDOR_SCAN_SCM_PR_ID |
string | Set the PR or MR ID corresponding to the scan. You need to use this flag with --pr and --scm-token. Also set --enable-pr-comments to publish new findings as review comments on the pull or merge request. |
pr |
ENDOR_SCAN_PR |
boolean | Set if this is a PR scan. PR scans are not used for reporting or monitoring. Treat them as point-in-time policy and finding tests. |
pr-baseline |
ENDOR_SCAN_PR_BASELINE |
string | Set to the Git reference that you are merging to, such as your default branch. Action policies will only flag issues that do not exist in the baseline so that developers are only alerted to issues on the current changes. For example, --pr-baseline=main. |
pr-incremental |
ENDOR_SCAN_PR_INCREMENTAL |
boolean | Only scan packages with dependencies that have changed compared to the baseline scan. Set together with --pr-baseline or --enable-pr-comments. |
scm-token |
ENDOR_SCAN_SCM_TOKEN |
string | Set the token used to authenticate with the SCM. The token takes priority over installation tokens. |
GitHub configuration flags
| Flag | Environment Variable | Type | Description |
|---|---|---|---|
github |
ENDOR_SCAN_GITHUB |
boolean | Fetch information from GitHub and generate findings for any GitHub misconfigurations (see also RSPM policies). |
github-api-url |
GITHUB_API_URL |
string | Set the GitHub API URL used for API requests to GitHub Enterprise Cloud or GitHub Enterprise Server. Use this flag for self-hosted source control systems such as GitHub Enterprise Server. (default https://api.github.com/) |
github-ca-path |
GITHUB_CA_PATH |
string | Set the path to the CA certificate used by GitHub Enterprise Server if your system does not trust it. |
g, github-token |
GITHUB_TOKEN |
string | Set the GitHub token used to authenticate with GitHub. We deprecated this flag; use --scm-token for authentication instead. |
repository-http-clone-url |
ENDOR_SCAN_GITHUB_REPOSITORY_HTTP_CLONE_URL |
string | Set the GitHub repository HTTP clone URL for --github scans. |
Call graph flags
| Flag | Environment Variable | Type | Description |
|---|---|---|---|
build |
ENDOR_SCAN_BUILD |
boolean | Enable the scan to build the project if needed. |
call-graph-languages |
ENDOR_SCAN_CALLGRAPH_LANGUAGES |
strings | Set programming languages for call graph generation. Supported languages are C#, Go, Java, JavaScript, Kotlin, Python, Rust, Scala, and TypeScript. By default, endorctl generates call graphs for all supported languages. |
disable-private-package-analysis |
ENDOR_SCAN_DISABLE_PRIVATE_PACKAGE_ANALYSIS |
boolean | Disable the call graph analysis of private dependencies that are not part of the repository. |
quick-scan |
ENDOR_SCAN_QUICK_SCAN |
boolean | Perform a quick scan without call graph generation. |
Policy flags
| Flag | Environment Variable | Type | Description |
|---|---|---|---|
exit-on-policy-warning |
ENDOR_SCAN_EXIT_ON_POLICY_WARNING |
boolean | Return a non-zero exit code if there are policy violation warnings. |
Secrets scan flags
| Flag | Environment Variable | Type | Description |
|---|---|---|---|
force-rescan |
ENDOR_SCAN_FORCE_RESCAN |
boolean | Force a full rescan of the historical Git logs for all branches in the repository. Use with --secrets. |
git-logs |
ENDOR_SCAN_GIT_LOGS |
boolean | Audit the historical Git logs of the repository for all branches in the repository. Use with --secrets. |
local |
ENDOR_SCAN_LOCAL |
boolean | Scan the local filesystem. Use with --secrets. |
start-commit |
ENDOR_SCAN_START_COMMIT |
string | The start commit of the Git logs of the repository to start scanning from. Use with --secrets and --end-commit. |
end-commit |
ENDOR_SCAN_END_COMMIT |
string | The end commit of the Git logs of the repository to end scanning at. Use with --secrets and --start-commit. |
pre-commit-checks |
ENDOR_SCAN_PRE_COMMIT_CHECKS |
boolean | Perform Git pre-commit checks on the changeset about to commit. Use with --secrets. |
secrets |
ENDOR_SCAN_SECRETS |
boolean | Scan source code repository and generate findings for leaked secrets. See also --git-logs and --pre-commit-checks. |
SAST scan flags
| Flag | Environment Variable | Type | Description |
|---|---|---|---|
sast |
ENDOR_SCAN_SAST |
boolean | Scan for weaknesses in your source code based on the enabled rules and generate results based on the configured finding policies. See also --disable-code-snippet-storage. See SAST scan for more information. |
disable-code-snippet-storage |
ENDOR_SCAN_DISABLE_CODE_SNIPPET_STORAGE |
boolean | Do not store or display the source code related to a finding. |
| Not applicable | ENDOR_SCAN_SEMGREP_VERBOSE |
boolean | Enable verbose output for SAST scans to show detailed information about rule execution, file parsing status, and scan progress. |
| Not applicable | ENDOR_SCAN_SEMGREP_DEBUG |
boolean | Enable debug output for SAST scans, which includes all verbose information plus additional debugging details to help troubleshoot scan issues. |
Sandbox flags
| Flag | Environment Variable | Type | Description |
|---|---|---|---|
install-build-tools |
ENDOR_SCAN_INSTALL_BUILD_TOOLS |
boolean | Install build tools in a runtime sandbox. |
use-scan-profile |
ENDOR_SCAN_USE_SCAN_PROFILE |
boolean | Use a scan profile to run a scan in a self-contained sandbox. |
Miscellaneous flags
| Flag | Environment Variable | Type | Description |
|---|---|---|---|
ai-models |
ENDOR_SCAN_AI_MODELS |
boolean | Scan source code repository and discover usage of OSS AI models. |
as-default-branch |
ENDOR_SCAN_AS_DEFAULT_BRANCH |
boolean | Set this as the default branch. |
container |
ENDOR_SCAN_CONTAINER |
string | Set this to the container image:tag to perform a scan on containers. |
container-as-ref |
ENDOR_SCAN_CONTAINER_AS_REF |
boolean | Scan container in a persistent context and keep the version. Use the --project-name argument to specify the name of the project and --path argument to specify its path. |
dependencies |
ENDOR_SCAN_DEPENDENCIES |
boolean | Scan Git commits and generate findings for all dependencies. |
dry-run |
ENDOR_SCAN_DRY_RUN |
boolean | Run the scan in dry run mode. When enabled, Endor Labs does not store scan results and needs only read-only access. Use this flag only with SCA (dependencies), SAST, or secrets scanning. Do not use it with container scanning. |
detached-ref-name |
ENDOR_SCAN_DETACHED_REF_NAME |
string | Set the name of the Git reference to a user-provided name. For example, --detached-ref-name="$CI_DEFAULT_BRANCH". Use with CI environments that checkout commits, such as GitLab. |
exclude-path |
ENDOR_SCAN_EXCLUDE_PATH |
string | Specify one or more file paths or directories to exclude from the scan using Glob style expressions. For example, --exclude-path="src/java/**" will exclude all files under src/java, including any subdirectories, while --exclude-path="src/java/*" will only exclude the files directly under src/java. Paths must be relative to the root of the repository. Use quotes to ensure that your shell does not expand wild cards. |
finding-tags |
ENDOR_SCAN_FINDING_TAGS |
string | Specify a list of user-defined tags to add to findings for objects in this scan scope. Use in combination with options such as --include-path or --exclude-path. Use finding tags to search and filter findings later. |
ghactions |
ENDOR_SCAN_GHACTIONS |
boolean | Scan and discover GitHub action workflows in your CI/CD pipeline. |
include-path |
ENDOR_SCAN_INCLUDE_PATH |
string | Limit the scan to the specified file paths or directories using Glob style expressions. For example, --include-path="src/java/**" will scan all the files under src/java, including any subdirectories, while --include-path="src/java/*" will only include the files directly under src/java. Paths must be relative to the root of the repository. Use quotes to ensure that your shell does not expand wild cards. |
l, languages |
ENDOR_SCAN_LANGUAGES |
string | Set programming languages to scan. Used to limit scanning to specific languages. If your project contains multiple programming languages, you can specify them as a comma-separated list as: |
o, output-type |
ENDOR_SCAN_SUMMARY_OUTPUT_TYPE |
string | Set output format to json, yaml, table, or summary. Summary only displays policy violations (default: table). |
package |
ENDOR_SCAN_PACKAGE |
boolean | Scan binaries and artifacts. You must provide the path of your file using --path and specify a name for your project using --project-name parameters. |
p, path |
ENDOR_SCAN_PATH |
string | Set path to local repository to scan. For example: --path=/Users/endorlabs/github/myrepo. |
project-name |
ENDOR_SCAN_PROJECT_NAME |
string | Give a name for the project while scanning binaries and artifacts. Use with the --package parameter. |
project-tags |
ENDOR_SCAN_PROJECT_TAGS |
string | Specify a list of user-defined tags to add to this project. |
registries |
ENDOR_SCAN_REGISTRIES |
string | Registries to use along with public or namespace registries. Format - \"user:password@ecosystem://registry#priority\". |
s, sarif-file |
ENDOR_SCAN_SUMMARY_SARIF_FILE |
string | Set the file path for saving scan results in SARIF format. SARIF output includes vulnerability aliases, such as CVE IDs, GHSA IDs, and other OSV identifiers, for SCA findings. |
tags |
ENDOR_SCAN_TAGS |
string | Specify a list of user-defined tags to add to this scan. Use tags to search and filter scans later. |
use-local-repo-cache |
ENDOR_SCAN_USE_LOCAL_CACHE |
boolean | Use the local cache for dependency resolution. Make sure that mvn install -U is successful and include mvn dependency and mvn help plugins in the local m2 cache. For Gradle complete gradle assemble --refresh-dependencies. |
uuid |
ENDOR_SCAN_UUID |
string | Scan the specified project UUID. |
| Not applicable | ENDOR_SCAN_EMBEDDINGS |
boolean | Controls the use of code segment embeddings during a scan. Set to false to turn off embeddings for a specific scan, or true to turn them on. This setting overrides the system-wide configuration. See Enable code segment embeddings for more information. |
Feedback
Was this page helpful?
Thanks for the feedback. Write to us at support@endor.ai to tell us more.
Thanks for the feedback. Write to us at support@endor.ai to tell us more.