Bazel is an open-source build and test tool commonly used in monorepos to quickly build software across multiple languages. You can use Endor Labs and Bazel to scan software for potential security issues and policy violations, prioritize vulnerabilities in the context of your applications, and understand relationships between software components.

Endor Labs also supports Bazel aspects to augment the build dependency graphs with additional information and actions. If you use custom rules to build your software, you can create your own custom Bazel aspects and integrate them with Endor Labs. See Bazel Aspects for more information.

Endor Labs supports Bzlmod (Bazel's external dependency system). Bzlmod support requires Bazel aspects, so use the --use-bazel-aspects flag when scanning Bzlmod-based projects.

Prerequisites for scanning Bazel projects

Ensure that the following prerequisites are in place for a successful scan:
  • WORKSPACE file exists in your repository
  • bazel command installed and available
  • Bazel version 5.x.x, 6.x.x, or 7.x.x
  • Supported target types in your project
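The following script is an added example, not part of Endor Labs' documentation or tooling. It checks the prerequisites above before a scan is attempted: bazel on PATH, a WORKSPACE file in the workspace directory, and a Bazel major version of 5, 6 or 7 (parsed from the "bazel X.Y.Z" line that bazel --version prints). The check functions take plain arguments so they can be exercised without a Bazel installation; the directory and version strings used below are constructed samples.

```shell
# version_supported VERSION -> exit 0 if the major version is 5, 6 or 7, else 1.
# Accepts "6.4.0", "7.1.1rc2", or the full "bazel 6.4.0" line from `bazel --version`.
version_supported() {
  ver="${1#bazel }"        # drop the "bazel " prefix if the whole output line was passed
  major="${ver%%.*}"       # everything before the first dot
  case "$major" in
    5|6|7) return 0 ;;
    *)     return 1 ;;
  esac
}

# workspace_ok DIR -> exit 0 if DIR contains a WORKSPACE file (the prerequisite above), else 1.
workspace_ok() {
  [ -f "$1/WORKSPACE" ]
}

# workspace_flag DIR -> prints the --bazel-workspace-path flag to pass to endorctl scan
# when the workspace is not the current directory, or nothing when it is.
workspace_flag() {
  case "$1" in
    .|./) ;;
    *) printf '%s' "--bazel-workspace-path=$1" ;;
  esac
}

# preflight [DIR]: runs the live checks against the machine and prints a suggested
# scan command. Requires bazel on PATH; not exercised by the offline checks.
preflight() {
  dir="${1:-.}"
  if ! command -v bazel >/dev/null 2>&1; then
    echo "FAIL: bazel is not on PATH"; return 1
  fi
  if ! workspace_ok "$dir"; then
    echo "FAIL: no WORKSPACE file in $dir (pass its directory with --bazel-workspace-path)"; return 1
  fi
  v="$(bazel --version 2>/dev/null)"
  if ! version_supported "$v"; then
    echo "FAIL: unsupported Bazel version: $v (need 5.x, 6.x or 7.x)"; return 1
  fi
  echo "OK: $v, workspace at $dir"
  echo "endorctl scan --use-bazel $(workspace_flag "$dir") --bazel-targets-query='kind(\".*_binary\", //...)'"
}
```

Run `preflight ./src/java` from the repository root to check a workspace that lives in a subdirectory; the suggested command then includes the matching --bazel-workspace-path flag.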

System specifications for deep scans of Bazel projects

Before you proceed to run a deep scan, ensure that your system meets the following specification.
Project size        Processor           Memory
Small projects      4-core processor    16 GB
Mid-size projects   8-core processor    32 GB
Large projects      16-core processor   64 GB

Build process for Bazel projects

You can choose to build the targets before running the scan. Pass the targets to bazel build, separated by spaces. For example, for targets //:test and //:test2, run bazel build //:test //:test2. endorctl automatically builds targets that are not already built. For each target, endorctl runs bazel build //:target and bazel query 'deps(//:target)' --output graph to build it and analyze its dependency tree.

Supported Bazel rules and features

The following table lists the supported Bazel rules and Endor Labs features for each language.

Quick target discovery for Bazel projects

Use a bazel query such as the following to find scannable targets in your repository. This example lists every java_binary target.
bazel query 'kind(java_binary, //...)'

Common query patterns for Bazel projects

Use these common query patterns to find targets. Run the following command to find all targets in a specific package.
bazel query '//your-package:*'
Run the following command to find all binary targets across languages.
bazel query 'kind(".*_binary", //...)'
Run the following command to find targets with specific attributes.
bazel query 'attr(visibility, "//visibility:public", //...)'
Run the following command to find dependencies of a target.
bazel query 'deps(//your-target:name)'
Run the following command to find reverse dependencies of a target.
bazel query 'rdeps(//..., //your-target:name)'

Scan commands for Bazel projects

The following table lists the common flags and options to scan Bazel projects.

Target selection for Bazel scans

To scan with Endor Labs, you need to specify which targets to analyze using one of two approaches:
  • Specific target list: Provide a comma-separated list of exact targets using --bazel-include-targets.
  • Query-based selection: Use the Bazel query language to select all targets matching your criteria with --bazel-targets-query.

Quick scan for Bazel projects

Run a fast scan for software composition visibility without reachability analysis.
endorctl scan --use-bazel --bazel-include-targets=//your-target-name --quick-scan

Deep scan for Bazel projects

Perform a full analysis with dependency resolution, reachability analysis, and call graphs.
endorctl scan --use-bazel --bazel-include-targets=//your-target-name
Private Package Analysis
When a deep scan is performed, all private software dependencies are completely analyzed by default if they have not been previously scanned. This is a one-time operation and will slow down initial scans, but won’t impact subsequent scans.

Scan specific targets for Bazel projects

You can scan specific targets in your Bazel project using the --bazel-include-targets flag. Run the following command to scan a single target.
endorctl scan --use-bazel --bazel-include-targets=//your-target-name
To scan multiple targets, provide a comma-separated list.
endorctl scan --use-bazel --bazel-include-targets=//target1,//target2,//target3
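The following script is an added example, not part of Endor Labs' documentation or tooling. It joins the two steps described above: it takes the one-label-per-line output of a bazel query (the discovery queries in the earlier sections) and turns it into the comma-separated value that --bazel-include-targets expects, then prints the scan command. It keeps only workspace-local labels (those starting with //), which is an assumption made here; drops duplicates; and fails when the query matched nothing, since an empty include list is an easy way to get an empty scan. The query output embedded below is a constructed sample, not real bazel output.

```shell
# labels_to_flag: reads labels on stdin, one per line as `bazel query` prints them,
# keeps workspace-local labels (//...), removes duplicates while preserving order,
# and prints them comma-separated with no trailing newline.
labels_to_flag() {
  awk '
    /^\/\// && !seen[$0]++ { out = (out == "" ? $0 : out "," $0) }
    END { printf "%s", out }
  '
}

# scan_command [EXTRA_FLAG]: reads labels on stdin and prints the endorctl scan
# command for them; EXTRA_FLAG (for example --quick-scan) is appended if given.
# Exits 1 when no workspace-local label was found.
scan_command() {
  targets="$(labels_to_flag)"
  if [ -z "$targets" ]; then
    echo "no workspace-local targets matched; check the query syntax and target kinds" >&2
    return 1
  fi
  printf 'endorctl scan --use-bazel --bazel-include-targets=%s%s\n' "$targets" "${1:+ $1}"
}

# Constructed sample of what `bazel query 'kind(".*_binary", //...)'` might print:
# one duplicate and one external-repository label are included on purpose.
SAMPLE_QUERY_OUTPUT='//cmd/server:server
//cmd/cli:cli
@maven//:guava
//cmd/server:server
//tools/lint:lint'

# Offline demonstration; the live form is:
#   bazel query 'kind(".*_binary", //...)' | scan_command --quick-scan
printf '%s\n' "$SAMPLE_QUERY_OUTPUT" | scan_command
```

Because the command is printed rather than executed, you can review the target list before running it; pipe the output to sh once it looks right.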

Scan using queries for Bazel projects

Use these commands to scan targets based on queries.
endorctl scan --use-bazel --bazel-targets-query='kind(java_binary, //...)'

Scan Bazel projects with non-root workspace

If your WORKSPACE file isn't at the repository root, pass the directory that contains it with --bazel-workspace-path.
endorctl scan --use-bazel \
  --bazel-targets-query='kind(java_binary, //...)' \
  --bazel-workspace-path=./src/java

Scan Bazel projects with Go with Gazelle (Vendored Mode)

For Go projects that use Bazel with Gazelle in vendored mode, point --bazel-vendor-manifest-path at the module manifest.
endorctl scan --use-bazel \
  --bazel-include-targets=//your-go-target \
  --bazel-vendor-manifest-path=./go.mod

Scan Bazel projects with performance optimization

For large codebases, you can disable private package analysis to shorten the scan. Private dependencies that have not been scanned before are then not analyzed in depth (see Private Package Analysis above).
endorctl scan --use-bazel \
  --bazel-include-targets=//your-target-name \
  --disable-private-package-analysis

Language-specific information for Endor Labs scans

For detailed information about scanning specific languages:

Results of Bazel projects scans

You can save the findings of your scans to a local file or view the findings in the Endor Labs user interface.

Save findings locally

Run the following command to save the results of a quick scan to a local file.
endorctl scan --use-bazel --bazel-include-targets=//your-target-name --quick-scan -o json | tee results.json
Run the following command to save the results of a deep scan to a local file.
endorctl scan --use-bazel --bazel-include-targets=//your-target-name -o json | tee results.json

View findings in the Endor Labs user interface

To view your scan results in the Endor Labs user interface:
  1. Sign in to Endor Labs user interface and select Projects from the left sidebar.
  2. Select the project you want to view and click Findings to view your scan results.
For more information, see Viewing findings in the Endor Labs user interface.

Troubleshooting Bazel projects scans

Check the following common solutions for problems with Bazel project scans.
  • Check your query syntax and target types.
  • Use the --bazel-workspace-path flag.
  • Pre-build targets with bazel build.
  • Use --disable-private-package-analysis.
  • Specify --bazel-vendor-manifest-path.