Software composition analysis (SCA) identifies the bill of materials of a first-party software package, that is, the third-party components it depends on, and maps known vulnerabilities to the versions of those components. SCA helps teams maintain compliance and gain visibility into the risk carried by their software inventory.
Endor Labs does not scan files or paths matched by .gitignore rules during SCA scans. If expected dependencies, manifests, or paths are missing from your scan results, verify that they are not excluded by your .gitignore configuration.
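As an added check that is not part of the Endor Labs documentation, the script below asks git itself which dependency manifests in a repository fall under a .gitignore rule. It uses `git check-ignore -v`, which prints the rule responsible next to each ignored path, so you can see exactly why a manifest would be skipped before running a scan. The manifest file names it searches for and the demo repository it builds are constructed samples, not taken from this page.

```shell
#!/bin/sh
# Added example (not Endor Labs' own code): list dependency manifests that git
# would ignore, since files and paths ignored by git are skipped by the scan.

# find_ignored_manifests REPO_DIR
# Prints one line per ignored manifest: "<source>:<line>:<pattern>\t<path>".
# The manifest names searched for are a constructed, non-exhaustive sample.
find_ignored_manifests() {
  repo="$1"
  (
    cd "$repo" || exit 1
    find . -name .git -prune -o -type f \( \
        -name package.json -o -name go.mod -o -name requirements.txt \
        -o -name pom.xml -o -name Cargo.toml \) -print \
      | sed 's|^\./||' \
      | git check-ignore -v --no-index --stdin
  ) 2>/dev/null || true
  # check-ignore exits 1 when nothing is ignored; that is not an error here.
}

# make_demo_repo
# Builds a throwaway repository (constructed sample data) in which vendor/ is
# ignored, and prints its path.
make_demo_repo() {
  d=$(mktemp -d)
  git -C "$d" init -q
  mkdir -p "$d/services/api" "$d/vendor/lib"
  printf 'vendor/\nbuild/\n' > "$d/.gitignore"
  printf 'module example.com/api\n' > "$d/services/api/go.mod"
  printf 'module example.com/lib\n' > "$d/vendor/lib/go.mod"
  printf '{ "name": "demo" }\n' > "$d/package.json"
  echo "$d"
}

# Run with the argument "demo" to see the check against the sample repository.
if [ "${1:-}" = "demo" ]; then
  repo=$(make_demo_repo)
  echo "Manifests under $repo that git ignores (and the scan would skip):"
  find_ignored_manifests "$repo"
  rm -rf "$repo"
fi
```

Run `sh check_ignored.sh demo` to see the check against the constructed repository; only `vendor/lib/go.mod` is reported, with `.gitignore:1:vendor/` as the matching rule. Point `find_ignored_manifests` at your own checkout to find manifests a scan would silently skip; `--no-index` makes git evaluate the ignore patterns even for files that are already tracked.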
Endor Labs supports the following major capabilities to help teams reduce the risk and expense of software dependency management across the lifecycle of software reuse.
  • Endor Scores: Endor Labs provides a holistic risk score that covers the security, quality, popularity, and activity of a package. Risk scores surface leading indicators of risk, such as whether a component is outdated or unmaintained, in addition to known vulnerabilities. Risk analysis lets teams go beyond vulnerability counts and assess the risk of their software holistically.
  • Reachability Analysis: Reachability analysis is Endor Labs’ capability to perform static analysis on your software packages to give context to how each vulnerability may be reached in the context of your code. This includes mapping vulnerabilities back to vulnerable functions so that deep static analysis can target vulnerabilities with higher levels of granularity as well as the identification of unused software dependencies.
  • Upgrade Impact Analysis: Upgrade impact analysis allows security teams to set better expectations with their development teams by identifying breaking changes associated with an update of a direct dependency.
The resource requirements, both minimum and recommended, for build runners or workers executing scans using endorctl are listed here.
Large applications may need more than the recommended resources to complete a scan or to improve scan performance.

System specifications for local and CI/CD scan

Ensure that your local machine or CI/CD runner has the minimum and recommended resources to successfully scan your software.

Supported languages

For scanning monorepos or projects that use Bazel as the build tool (Java, Go, Python, Scala, Rust), see Bazel.

Complete support matrix

The following matrix lists the supported languages, build tools, manifest files, and version requirements. Specify the languages to scan when running the endorctl scan command as a comma-separated list: