Use the scan command to perform scans against a repository.

Usage

To perform a full scan, including reachability analysis for the open source software used by the packages you build in a repository, and to monitor the checked-out version of your code, run the command.
endorctl scan
If your project contains multiple programming languages, you can specify them as a comma-separated list using the --languages flag:
endorctl scan --languages=<languages-list>

Here <languages-list> is a comma-separated list drawn from the supported languages: .
To scan for leaked secrets and monitor all results in the checked-out version of your repository, run the command.
endorctl scan --secrets
Run the following command to perform a regular scan for leaked secrets that also includes the dependencies.
endorctl scan --secrets --dependencies
Run the following command to scan for leaked secrets in all branches of your repository.
endorctl scan --secrets --git-logs
The above command performs a scan of the repository’s Git logs using the following logic:
  • If it is the first time the repository’s Git log history is scanned, it performs a full scan.
  • A full rescan is also performed if a change has been detected to any of the rules in the namespace.
  • In all other cases, the scan is incremental based on the last time a scan was performed.
If the system invalidates any detected secrets and you want to run the validators again so that the findings page properly reflects the secret state, you can force a full rescan by using the following command.
To scan for misconfigurations in a GitHub repository such as https://github.com/endorlabs/app-java-demo, run the following commands.
export ENDOR_SCAN_SCM_TOKEN=<insert-your-scm-token>
endorctl scan --github --repository-http-clone-url=https://github.com/endorlabs/app-java-demo
To run a scan as a test in a pull request, without monitoring the version of your code over time, run the command.
endorctl scan --pr
To scan for and discover GitHub Actions workflows in your CI/CD pipeline, run the command.
endorctl scan --ghactions
Along with performing the regular dependency analysis on your repository, this discovers the GitHub Actions configured in your CI/CD pipeline and maps them as GitHub Action dependencies of your package.
To scan binaries and artifacts, run the following command.
endorctl scan --package --path=<path-to-file> --project-name=<project-name>
You must provide the path to your file with --path and specify a name for your project with --project-name.
To scan for and discover AI/LLM models in your repository, run the following command.
endorctl scan --ai-models --dependencies
To run a scan in dry-run mode, with local scanning and read-only access, run the following command. Dry-run mode does not store scan results for monitoring and is best suited to developers running local scans.
endorctl scan --dependencies --dry-run
You can also combine --dry-run with the --secrets or --sast flags. The --dry-run flag cannot be used with container scanning.
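The scan modes above are usually wired into one CI step that behaves differently on the default branch, in a pull request and on a developer laptop. The helper below, an added example and not part of the endorctl documentation, assembles the flag set for endorctl scan from that context using only the flags listed on this page; the argument and variable names (event, kind, ENDOR_RUN_SCAN, CI_EVENT, SCAN_KIND, SCAN_LANGUAGES) are assumptions.

```shell
#!/bin/sh
# build_scan_args <event> <kind> [languages]
#   event:     push | pull_request | local
#   kind:      deps | secrets | secrets-history | ghactions | ai-models
#   languages: optional comma-separated list for --languages
# Prints the flags for `endorctl scan` on stdout; returns 1 for a
# combination that this page does not document as supported.
build_scan_args() {
  event=$1
  kind=$2
  languages=${3:-}
  case "$kind" in
    deps)            args="--dependencies" ;;
    secrets)         args="--secrets --dependencies" ;;
    secrets-history) args="--secrets --git-logs" ;;      # all branches, incremental after first run
    ghactions)       args="--ghactions" ;;
    ai-models)       args="--ai-models --dependencies" ;;
    *) echo "unknown scan kind: $kind" >&2; return 1 ;;
  esac
  if [ -n "$languages" ]; then
    args="$args --languages=$languages"
  fi
  case "$event" in
    push)         ;;                       # monitored scan of the checked-out version
    pull_request) args="$args --pr" ;;     # test scan, results not monitored over time
    local)
      # --dry-run is documented together with --dependencies, --secrets and --sast only
      case "$kind" in
        deps|secrets) args="$args --dry-run" ;;
        *) echo "--dry-run is not documented for kind: $kind" >&2; return 1 ;;
      esac ;;
    *) echo "unknown event: $event" >&2; return 1 ;;
  esac
  printf '%s\n' "$args"
}

# Only invoke endorctl when explicitly asked, so sourcing this file is side-effect free.
if [ "${ENDOR_RUN_SCAN:-0}" = "1" ]; then
  flags=$(build_scan_args "${CI_EVENT:-push}" "${SCAN_KIND:-deps}" "${SCAN_LANGUAGES:-}") || exit 1
  # shellcheck disable=SC2086 -- word splitting of the flag string is intended
  endorctl scan $flags
fi
```

Set CI_EVENT from your CI system's event variable (for example the pull-request event name) and ENDOR_RUN_SCAN=1 in the pipeline step; ENDOR_SCAN_SCM_TOKEN is still read from the environment as shown above.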

Options

The command endorctl scan uses the following flags and environment variables:

Bazel flags

Pull request (CI) flags

GitHub configuration flags

Call graph flags

Policy flags

Secrets scan flags

SAST scan flags

Sandbox flags

Miscellaneous flags