
Common questions about the Endor Labs integration

Get answers to common questions about the Endor Labs integration.

How do I configure Endor Labs?

Endor Labs can be deployed in various methods across your repositories and pipelines depending on your Source Code Management environment. We recommend you start with monitoring scans to gain the initial visibility and then advance to CI scans to achieve comprehensive and actionable results.

How do I configure Endor Labs for GitHub environments?

Endor Labs offers continuous monitoring for GitHub via the Endor GitHub App. This app provides extensive visibility into your GitHub organizations by cloning and scanning all repositories every 24 hours.

Note

Repositories are temporarily cloned and retained only during the scan. You can refer to Endor Labs documentation for assistance with setting up continuous monitoring for GitHub.

How do I configure Endor Labs for GitHub Workflows?

Customers can integrate with GitHub Workflows using the Endor Labs Action. Workflow scans help teams focus on the most actionable results, optimizing their time. These scans can be triggered from automated GitHub Workflows to identify new vulnerabilities compared to the baseline of the target branch. Refer to Endor Labs documentation for assistance with setting up the Endor Labs Action.

How do I configure Endor Labs for Azure DevOps environments?

Endor Labs can be implemented in Azure Pipelines to scan during build time for vulnerabilities. The results from these scans can also be sent to Advanced Security for developer visibility. Refer to Endor Labs documentation for assistance with setting up the Azure Pipelines integration.

How do I configure Endor Labs for GitLab environments?

Endor Labs can scan during GitLab CI pipeline runs after code is built to check for vulnerabilities. Refer to Endor Labs documentation for assistance with setting up the GitLab CI Pipelines integration.

How do I view results from Endor Labs scans?

Reachability analysis findings from Endor Labs are natively integrated with existing Defender Cloud Security Posture Management (CSPM) experiences, including Cloud Security Explorer and Attack Path analysis.

Which programming languages does Endor Labs support?

Endor Labs supports a wide range of languages for reachability analysis, including Java, Python, and C#. Refer to Endor Labs documentation for the most up-to-date list of supported languages. Findings from Endor Labs will only be shown if the corresponding repository is also connected to Defender for Cloud.

What do the different levels of reachability mean?

Defender for Cloud ingests finding attributes from Endor Labs that relate to the reachability of vulnerabilities at the function level and the dependency level. Function-level reachability analysis is the most accurate way to determine exploitability in the context of an organization's application, which is critical for deciding which risks should be remediated. The function reachability labels are:

  • Reachable Function: Endor Labs established that there's a path from the code written by the developer to a vulnerable function, meaning the finding is exploitable in the customer's environment. This is demonstrated with a "call graph" that shows each step between the source code and the vulnerable library.
  • Unreachable Function: Endor Labs determined that there's no risk of exploitation because there's no path between the source code and the vulnerable function. Findings are accompanied by a "call graph" demonstrating the lack of a path. Unreachable findings can be considered false positives and aren't required to be remediated under compliance standards such as FedRAMP.
  • Potentially Reachable Function: Endor Labs is unable to determine whether a finding is reachable or unreachable, typically because "call graph" analysis is unsupported for a given language or package manager.

Endor Labs also checks whether imported packages are used in the application, but this check doesn't show whether the vulnerable functions in those packages are called by the source code. The dependency reachability labels are:

  • Reachable Dependency: Endor Labs established that an imported package is being used somewhere in the application.
  • Unreachable Dependency: Endor Labs determined that the imported dependency isn't being used. The customer can use this information to remove the dependency, which is helpful for technical debt reduction initiatives.
  • Potentially Reachable Dependency: Endor Labs can't definitively determine whether a dependency is or isn't in use, generally because a given language or package manager isn't supported.
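To make the difference between the function-level and dependency-level labels concrete, here is an added toy model (not Endor Labs code, and not how its analysis is actually implemented). The call graph, the manifest, the package names and the "vulnerable" function names are all constructed sample data, and the `analysis_supported` flag stands in for whether call-graph analysis exists for a package's ecosystem. It shows why the same library can be a Reachable Dependency (developer code imports and calls it) while a specific vulnerable function inside it is an Unreachable Function (no call path leads there), and why findings are ordered with reachable ones first.

```python
"""Toy model of function- and dependency-level reachability labels.

Added illustration only: the call graph, manifest and vulnerable function
names below are constructed, and the labelling rules are a simplified model
of the concept, not Endor Labs' actual analysis.
"""
from collections import deque

# Constructed sample call graph: caller -> callees. Nodes are "package:function";
# the "app" package is the code written by the developer.
CALL_GRAPH = {
    "app:main": ["app:render", "libjson:Parser.parse"],
    "app:render": ["liblog:Logger.info"],
    "libjson:Parser.parse": ["libjson:Decoder.decode"],
    "liblog:Logger.info": ["liblog:Layout.format"],
    # Library-internal function that nothing in the app ever calls.
    "liblog:Lookup.resolve": ["liblog:Layout.format"],
}

# Constructed sample manifest: declared dependencies and whether the analyser
# supports this package's ecosystem (the "potentially reachable" case).
MANIFEST = {
    "libjson": {"analysis_supported": True},
    "liblog": {"analysis_supported": True},
    "libtext": {"analysis_supported": True},   # declared but never referenced
    "libpad": {"analysis_supported": False},   # unsupported ecosystem
}

ENTRY_POINTS = ["app:main"]  # developer-written roots of the call graph


def package_of(node):
    return node.split(":", 1)[0]


def find_call_path(graph, start, target):
    """Breadth-first search; returns the call path from start to target, or None."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for callee in graph.get(node, []):
            if callee not in parents:
                parents[callee] = node
                queue.append(callee)
    return None


def classify_function(vulnerable_fn, graph=CALL_GRAPH, manifest=MANIFEST,
                      entry_points=ENTRY_POINTS):
    """Function-level label plus the call path that justifies it (None if no path)."""
    pkg = package_of(vulnerable_fn)
    if not manifest.get(pkg, {}).get("analysis_supported", False):
        return "Potentially Reachable Function", None
    for entry in entry_points:
        path = find_call_path(graph, entry, vulnerable_fn)
        if path:
            return "Reachable Function", path
    return "Unreachable Function", None


def classify_dependency(package, graph=CALL_GRAPH, manifest=MANIFEST):
    """Dependency-level label: does developer code reference the package at all?"""
    if not manifest[package]["analysis_supported"]:
        return "Potentially Reachable Dependency"
    for caller, callees in graph.items():
        if package_of(caller) == "app" and any(package_of(c) == package for c in callees):
            return "Reachable Dependency"
    return "Unreachable Dependency"


PRIORITY = {"Reachable Function": 0, "Potentially Reachable Function": 1,
            "Unreachable Function": 2}


def triage(vulnerable_functions):
    """Order findings so reachable ones come first and unreachable ones last."""
    rows = []
    for fn in vulnerable_functions:
        label, path = classify_function(fn)
        rows.append((PRIORITY[label], fn, label, path))
    rows.sort(key=lambda r: (r[0], r[1]))
    return [(fn, label, path) for _, fn, label, path in rows]


if __name__ == "__main__":
    findings = ["liblog:Lookup.resolve", "libjson:Decoder.decode", "libpad:pad"]
    for fn, label, path in triage(findings):
        via = " -> ".join(path) if path else "-"
        print(f"{label:31} {fn:24} via {via}")
    for pkg in MANIFEST:
        print(f"{classify_dependency(pkg):31} {pkg}")
```

Running the block prints `liblog` as a Reachable Dependency (because `app:render` calls `liblog:Logger.info`) even though `liblog:Lookup.resolve` is an Unreachable Function, which is exactly the distinction the two label sets draw; `libtext` is declared but unused, and anything in `libpad` falls into the "potentially" labels because the model has no analysis support for it.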

Note

"Reachability analysis" can mean many different things. Learn more about the Five Types of Reachability Analysis (and Which is Right for You).

How is Endor Labs licensed?

Endor Labs is licensed on a per contributing developer basis. Check out Endor Labs pricing options. The two plans applicable to reachability analysis in Defender for Cloud are:

  • Endor Supply Chain: A single platform for open-source dependency management, CI/CD security, and compliance.
  • Endor Open Source - Core Edition: Advanced software composition analysis (SCA) and SBOM capabilities including SCA with reachability, Endor Score factors, AI-assisted OSS selection, DroidGPT, SBOM / VEX generation.

Customers that need extra remediation capabilities can upgrade to the Pro Edition, which includes upgrade affect analysis, container scanning, and artifact signing.

Is Endor Labs available on the Azure commercial marketplace?

Yes, Endor Labs is available for purchase on the Microsoft commercial marketplace. The prices listed on the marketplace don't reflect the cost that your organization pays. If you enroll through the marketplace, Endor Labs representatives work with your organization to generate a custom quote. Purchases of Endor Labs made through the Azure commercial marketplace count towards your Minimum Azure Consumption Commitments (MACC).

Next steps