This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Getting started

This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

This guide provides instructions to set up and configure Endor Labs to get started with your first project scan. See Endor Labs user interface for more information on the user interface and various elements available in the interface.

Tip
You need an Endor Labs account and a tenant to use Endor Labs.

  1. Visit https://app.endorlabs.com to access the login page.

  2. You can sign in to Endor Labs with the following options:

  3. Select Get Started on the left sidebar to explore the available options.

    • Select Start Tour to take a guided tour of the application and understand its main features.
    • Select Explore Demo Sandbox to view Endor Labs capabilities and explore its features in a read-only tenant.
    • Select SCAN WITH GitHub App to install the Endor Labs GitHub App.
    • Select SCAN VIA GitHub Actions to scan a demo repository from GitHub and view findings.
    • Select SCAN VIA CLI to set up your tenant and start scanning your repositories with the CLI.

    Scan with GitHub App landing page

Endor Labs provides a GitHub App that continuously monitors users’ projects for security and operational risk. You can use the GitHub App to selectively scan your repositories for SCA, secrets, RSPM, or GitHub Actions. GitHub App scans also establish baselines that are subsequently used during CI scans.

The GitHub App (Pro) facilitates PR remediation. See PR remediation for more information.

Warning
You can only install either the GitHub App or the GitHub App (Pro) in your environment.

Before installing and scanning projects with Endor Labs GitHub App, make sure you have:

  • A GitHub cloud account and organization. If you don’t have one, create one at GitHub.
  • Administrative permissions to your GitHub organization. Installing the Endor Labs GitHub App in your organization requires approval or permissions from your GitHub organizational administrator.
  • Endor Labs GitHub App requires read permissions to Dependabot alerts, actions, administration, checks, code, commit statuses, issues, metadata, packages, pull requests, repository hooks, and security events. It does not need write access to any resources.

To set up Endor Labs GitHub App:

  1. Sign in to Endor Labs and select Get Started from the left sidebar.

  2. Select SCAN WITH GitHub App and click Install GitHub App Pro.

    Deselect Enable Automated Pull Requests to disable automatic PR remediation and to install the GitHub App.

  3. See Deploy Endor Labs GitHub App (Pro) for detailed installation steps and configuration options.

  4. After installation, Endor Labs scans your repositories to generate findings and re-scans your repository every 24 hours. See Findings for more information on the findings generated by the scans.

  5. See Review the results of your project for details on findings and analysis.

Use endorctl to perform comprehensive security analysis across your codebase, including software composition analysis, dependency management, secret detection, and evaluation of GitHub configuration against best practices, and send results to your Endor Labs tenant.

To set up endorctl:

  1. Sign in to Endor Labs and select Get Started from the left sidebar.
  2. Select SCAN VIA CLI to configure your tenant and start scanning with the CLI.

See Install and configure endorctl and Scan using endorctl for more information on setup and running scans.

To inspect your project results and understand scan outcomes:

  1. Select Projects from the left sidebar.

  2. Select your project to open its overview.

  3. In the Findings section, review the severity summary for that project:

    • C: Critical
    • H: High
    • M: Medium
    • L: Low

  4. Under Packages, select the icon next to the count to view the following information:

    • Project metadata: Includes the project UUID, repository details, dependencies, and repository versions.
    • Findings breakdown: Shows how issues are distributed across dependencies, packages, repositories, secrets, and CI workflows.

  5. Select View details to explore findings and review detailed analysis across dependencies, code, and secrets. See Findings for more information.

Locally Scanned Project