PR comments are automated comments that Endor Labs adds to pull requests when a scan detects policy violations or security issues. When a PR is opened or updated, Endor Labs scans the proposed changes and posts a comment if any violations are found under the configured action policies.

Types of PR comments

Endor Labs generates the following types of PR comments based on the nature of the findings in a scan:
  • PR comments for Secrets: For findings of type FINDING_CATEGORY_SECRETS, Endor Labs adds a comment directly on the specific line where the secret is detected, using the line number provided in the finding object. These comments remain visible even if the secret is removed in a later scan.
  • PR comments for SCA: For SCA findings, Endor Labs adds a single comment that applies to the entire PR. It summarizes all findings from the policy evaluation results. The comment is updated with each scan run to reflect only the latest findings.
  • PR comments for SAST: For findings of type FINDING_CATEGORY_SAST, Endor Labs adds a single comment that applies to the entire PR. It summarizes all SAST-related policy violations detected during the scan. The comment is updated with each run and reflects only the latest findings.

Enable PR comments

After enabling PR comments, you must also Configure an action policy that allows comments to be posted on pull requests or merge requests; without a matching policy no comment is generated.

GitHub PR comments

You can enable PR comments for GitHub through one of the following methods.

GitHub App

You can enable PR comments during the initial setup of the GitHub App or GitHub App (Pro), or by editing an existing integration. Once enabled, Endor Labs automatically adds comments to pull requests when policy violations are detected.

GitHub Actions

You can configure GitHub Actions to comment on PRs if there are any policy violations. Make sure that your GitHub Actions workflow includes the following configuration.
  • In the with clause, set enable_pr_comments to true to publish new findings as review comments, and pass github_token: ${{ secrets.GITHUB_TOKEN }}. GitHub provisions this token automatically for each workflow run. See GitHub configuration parameters for more information.
  • Grant the job the pull-requests: write permission so that Endor Labs can comment on PRs. Note that for pull_request workflows triggered from a forked repository, GitHub restricts GITHUB_TOKEN to read-only permissions regardless of this setting, so comments cannot be posted on fork PRs with that token.
The following example configuration comments on PRs if a policy violation is detected.
      - name: Endor Labs Scan PR to Default Branch
        if: github.event_name == 'pull_request'
        uses: endorlabs/github-action@v1 # Replace v1 with the commit SHA of the latest version of the GitHub Action for enhanced security
        with:
          namespace: 'example' # Update with your Endor Labs namespace
          scan_summary_output_type: 'table'
          scan_dependencies: true
          scan_secrets: true
          pr: true
          enable_pr_comments: true
          github_token: ${{ secrets.GITHUB_TOKEN }}

PR comments example

The main.yaml file in this sample repository contains the following configuration to enable PR comments.
name: Build Release
on:
  pull_request:
    branches: [main]
  workflow_dispatch:
  push:
    branches: [main]
  schedule:
    - cron: "23 23 * * 0"
jobs:
  build:
    permissions:
      pull-requests: write
      security-events: write
      contents: read
      id-token: write
      actions: read
    runs-on: ubuntu-latest
    env:
      ENDOR_NAMESPACE: "endorlabs-hearts-github"
    steps:
      - name: Endor Labs Scan PR to Default Branch
        if: github.event_name == 'pull_request'
        uses: endorlabs/github-action@v1 # Replace v1 with the commit SHA of the latest version of the GitHub Action for enhanced security
        with:
          namespace: ${{ env.ENDOR_NAMESPACE }}
          pr: true
          enable_pr_comments: true
          github_token: ${{ secrets.GITHUB_TOKEN }}
PR #10 introduced a reachable vulnerability. Because the workflow sets enable_pr_comments to true, a comment describing the policy violation is added to the PR. Expand the comment to view the following details:
  • Issue type: Describes the category of the security or policy violation
  • Severity: Indicates how critical the issue is.
  • Impacted files or dependencies: Specifies the files and packages affected by the issue.
  • Remediation steps: Specifies the required fix to resolve the detected issue.

GitHub PR comments with Endor Labs CLI

You can generate PR comments from the CLI by including the following flags in the endorctl scan command.
endorctl scan \
  --pr \
  --enable-pr-comments \
  --scm-token <your-token> \
  --scm-pr-id <pull-request-id> \
  --namespace <your-namespace>
Ensure that you set the following parameters:
  • Set --enable-pr-comments to activate PR comment generation.
  • Use --scm-pr-id to specify the pull request to comment on.
  • Use --scm-token (or set the ENDOR_SCAN_SCM_TOKEN environment variable) and set the pull-requests permission to write for the token.
You can continue to use the --github-pr-id flag, but it is deprecated and will be removed in a future release.

GitLab MR comments

You can enable MR comments for GitLab through one of the following methods.

GitLab App

You can enable MR comments during the initial setup of the GitLab App or by editing an existing integration. Once enabled, Endor Labs automatically adds comments to merge requests when policy violations are detected. See GitLab MR comments for more information.

GitLab CI pipelines

You can configure GitLab CI pipelines to comment on merge requests when policy violations are detected. Add --enable-pr-comments, --scm-pr-id=$CI_MERGE_REQUEST_IID, and --scm-token=$ENDOR_SCAN_SCM_TOKEN to your scan command. Configure a GitLab CI/CD variable ENDOR_SCAN_SCM_TOKEN that holds a GitLab personal access token with the api scope; mark the variable as masked so the token is not printed in job logs. See Enable MR comments for complete configuration examples.

GitLab MR comments with endorctl

You can generate MR comments with endorctl by including the following flags in the endorctl scan command.
endorctl scan \
  --pr \
  --enable-pr-comments \
  --scm-token <your-token> \
  --scm-pr-id <merge-request-id> \
  --namespace <your-namespace>
Ensure that you set the following parameters:
  • Set --enable-pr-comments to activate MR comment generation.
  • Use --scm-pr-id to specify the merge request to comment on.
  • Use --scm-token. The token takes priority over installation PATs.
Security review comments for GitLab merge requests are not yet supported.
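The two endorctl invocations above (GitHub PR comments with Endor Labs CLI, and GitLab MR comments with endorctl) differ only in where the pull or merge request id comes from. The following POSIX sh wrapper is an added example, not Endor Labs code: it derives the id from the CI environment, refuses to run outside a PR/MR build or without a token, and assembles the flags documented on this page. It assumes that endorctl reads the SCM token from ENDOR_SCAN_SCM_TOKEN when --scm-token is omitted (as stated above), that GitHub Actions pull_request runs expose GITHUB_REF as refs/pull/<n>/merge, and that GitLab merge request pipelines expose CI_MERGE_REQUEST_IID. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Endor Labs code): derive the PR/MR id from the CI
# environment and assemble the endorctl scan flags documented on this page.
# Assumptions: endorctl reads the SCM token from ENDOR_SCAN_SCM_TOKEN when
# --scm-token is omitted; GitHub Actions pull_request runs set
# GITHUB_REF=refs/pull/<n>/merge; GitLab MR pipelines set CI_MERGE_REQUEST_IID.

# detect_scm_pr_id prints the PR/MR id for the current job, or returns 1 when
# the job is not a pull/merge request build (for example a push to main).
detect_scm_pr_id() {
  # GitLab: CI_MERGE_REQUEST_IID is only set in merge request pipelines.
  if [ -n "${CI_MERGE_REQUEST_IID:-}" ]; then
    printf '%s\n' "$CI_MERGE_REQUEST_IID"
    return 0
  fi
  # GitHub Actions: pull_request events check out refs/pull/<n>/merge.
  case "${GITHUB_REF:-}" in
    refs/pull/*/merge)
      pr_ref_id=${GITHUB_REF#refs/pull/}
      pr_ref_id=${pr_ref_id%%/*}
      # Accept only a plain number so that a crafted ref cannot smuggle
      # extra flags into the endorctl command line.
      case "$pr_ref_id" in
        '' | *[!0-9]*) return 1 ;;
      esac
      printf '%s\n' "$pr_ref_id"
      return 0
      ;;
  esac
  return 1
}

# build_endorctl_pr_args prints the endorctl arguments for a PR-comment scan,
# one per line. $1 is the Endor Labs namespace. The token is deliberately not
# passed as --scm-token: leaving it in ENDOR_SCAN_SCM_TOKEN keeps it out of
# `ps` output and out of CI logs that echo the command line.
build_endorctl_pr_args() {
  if [ -z "${1:-}" ]; then
    echo "build_endorctl_pr_args: namespace required" >&2
    return 4
  fi
  ns=$1
  if [ -z "${ENDOR_SCAN_SCM_TOKEN:-}" ]; then
    echo "build_endorctl_pr_args: ENDOR_SCAN_SCM_TOKEN is not set" >&2
    return 3
  fi
  pr_id=$(detect_scm_pr_id) || {
    echo "build_endorctl_pr_args: not a pull/merge request build, skipping PR comments" >&2
    return 2
  }
  printf '%s\n' scan --pr --enable-pr-comments "--scm-pr-id=$pr_id" "--namespace=$ns"
}

# run_endorctl_pr_scan invokes endorctl with the assembled arguments. Nothing
# runs at load time, so this file can be sourced from a CI step and called as
#   run_endorctl_pr_scan "$ENDOR_NAMESPACE"
run_endorctl_pr_scan() {
  args=$(build_endorctl_pr_args "$1") || return $?
  # Word-splitting on newlines is intended: ids and namespaces contain no
  # whitespace, and set -- turns the flag list into positional parameters.
  set -- $args
  endorctl "$@"
}
```

In GitHub Actions the job still needs pull-requests: write and ENDOR_SCAN_SCM_TOKEN set from ${{ secrets.GITHUB_TOKEN }} in the step's env; in GitLab, export the masked CI/CD variable so endorctl sees it. The wrapper exits non-zero with a message on stderr when the token or PR context is missing, which surfaces a misconfiguration in the pipeline instead of silently running a scan that never comments.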

Configure Action policy for PR comments

You must create an Action policy to receive comments on your pull request after enabling PR comments.
  1. Create an Action policy.
  2. Set the Branch Type to Pull Request so the policy applies specifically to pull request scans.
  3. Under Action, select Enforce Policy, then choose:
    • Warn to post a comment without breaking the build.
    • Break the Build to fail the build and block the pull request.
  4. Define the scope of the policy using tags. Only projects that match the specified tags will receive PR comments.

Customize PR comments templates

Endor Labs provides a default template with standard information that will be included in your pull requests as comments. You can use the default template, or you can choose to edit and customize this template to fit your organization’s specific requirements. You can also create custom templates using Go Templates.
  1. Select Integrations from the left sidebar.
  2. Click Edit Template next to GitHub PR comments under Notifications.
  3. Make the required changes and click Save Template.

PR comments data model

To create custom templates for PR comments, you must understand the data supplied to the template. See the following protobuf specification for the GithubCommentData message that this template uses. See the following sections to understand the Finding and PackageVersion definitions that are used in this protobuf specification: See the following specification to understand the additional functions that are also available. You can access these functions by using their corresponding keys.