Skip to main content
The system can automatically detect toolchains required for your projects based on the manifest files present in your repository. Auto detection is supported for Java, Python, Go and .NET(C#) projects. Only the Long Term Support (LTS) versions of the toolchains are supported in auto detection. See the Toolchain support matrix for a complete list of supported toolchain versions for auto detection.

How auto detection works

Endor Labs begins auto detection by scanning your project repository to locate manifest files and identify the languages used in your project. Based on the results, it runs language specific detectors to extract version information. Each detector operates independently and follows a consistent process. It reviews the associated manifest or build configuration files to determine the toolchain version. If a file contains multiple version fields, the detector uses a fixed priority order to select the most appropriate one. After identifying a version, the detector sends the version details to the assigner. The assigner checks the Endor Labs toolchain support matrix to verify if the version is supported for the host operating system and architecture. If it doesn’t find an exact match, it selects the closest supported version based on the major version number. This version will be the toolchain used for your project scan. For example, when analyzing Java projects, the Java detector checks config files like pom.xml or build.gradle to find the Java version used in the project.

Config files scanned for version detection

The following table lists the config files Endor Labs scans to detect the language and version used in your project. The following examples illustrate how to define versions in each config file.
Config file: pom.xmlDefine the Java version using any one of the following options:
  • Using version fields 
    <properties>
  <maven.compiler.source>1.8</maven.compiler.source>
  <maven.compiler.target>1.8</maven.compiler.target>
  <maven.compiler.release>11</maven.compiler.release>
  <java.version>17</java.version>
</properties>
  • Using plugin configuration 
    <build>
  <plugins>
    <plugin>
      <artifactId>maven-compiler-plugin</artifactId>
      <version>3.8.1</version>
      <configuration>
      <source>11</source>
      <target>11</target>
      </configuration>
    </plugin>
  </plugins>
</build>
Config file: build.gradleDefine the Java version using sourceCompatibility and targetCompatibility.
sourceCompatibility='17'
targetCompatibility='17'
Ensure the Gradle wrapper version is defined in gradle/wrapper/gradle-wrapper.properties.
distributionUrl=https\://services.gradle.org/distributions/gradle-7.6-all.zip
Specify the Python version in any of the following config files.
Use python_requires inside the setup() block.
setup(
    ...
    python_requires='>=3.8, <4'
)
Use requires-python to define the Python version range.
[project]
requires-python = ">=3.8, <4.0"

[tool.poetry.dependencies]
python = "3.12.1"
Specify the exact Python version.
3.12.1
Specify the NodeJS version in any of the following config files.
Use engines.node
"engines": {
  "node": ">=16.0.0 <19"
}
Specify the exact NodeJS version.
18.17.1
Specify the exact NodeJS version.
18.17.1
Specify the Yarn version in any of the following config files.
Use engines.yarn
"engines": {
  "yarn": ">=1.22.0 <2.0.0"
}
Use yarnPath
yarnPath: ".yarn/releases/yarn-3.2.1.cjs"
Use yarnPath
yarnPath: ".yarn/releases/yarn-3.2.1.cjs"
Config file: package.jsonSpecify the pnpm version using engines.pnpm
"engines": {
  "pnpm": ">=6.0.0"
}
Specify the .NET version using any of the following config files.
Use sdk.version
{
  "sdk": {
    "version": "7.0.203"
  }
}
Use TargetFramework or TargetFrameworks
<TargetFramework>net6.0</TargetFramework>
Use TargetFramework or TargetFrameworks in a PropertyGroup to define the .NET version for the directory and subdirectories.
<Project>
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
</Project>
Use TargetFramework or TargetFrameworks in a PropertyGroup to define the .NET version when using central package management.
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
</Project>
Config file: go.modUse the go directive.
module github.com/example/project

go 1.21
Auto detection is best-effort and works only if your project’s config files are correctly configured.

Enable auto detection for endorctl scans

To enable auto detection for endorctl scans, run: 
endorctl scan --install-build-tools --enable-build-tools-version-detection
Enabling these options downloads the necessary build toolchains during each scan. This works well for one-time scans but may cause scan failures in CI environments due to intermittent network issues.

Enable auto detection in GitHub App

When using the GitHub App, you can enable auto detection either by a project or enable it for all projects in a tenant.
  • To enable the auto detection by a project, update the project’s meta.annotations with "ENDOR_SCAN_ENABLE_BUILD_TOOLS_VERSION_DETECTION":"true". 
    meta:
  annotations: {"ENDOR_SCAN_ENABLE_BUILD_TOOLS_VERSION_DETECTION":"true"}

      endorctl api update -r Project --uuid=<project-uuid> -i
  • To enable auto detection across all projects in a tenant, update the system config’s meta.annotations with "ENDOR_SCAN_ENABLE_BUILD_TOOLS_VERSION_DETECTION":"true". 
    meta:
  annotations: {"ENDOR_SCAN_ENABLE_BUILD_TOOLS_VERSION_DETECTION":"true"}

    endorctl api update -r SystemConfig --uuid=<system-config-uuid> -i
The updates are applied during the next scheduled scan or whenever you perform a manual re-scan.