Action policy templates

Learn about the predefined action policy templates and how to customize them.

Endor Labs provides the following action policy templates that you can use to quickly create action policies. Each policy template provides parameters to help you customize the conditions under which a policy action takes place.

Note: All action policy templates automatically only match new findings for PR scans. If the finding already exists in the baseline, then it is not considered to be a match. The assumption is that there is a baseline to compare against (see the --pr-baseline and/or --enable-pr-comments options).

Container vulnerabilities

Matches container findings for vulnerabilities that meet specific parameters. The following parameters are supported:

Parameter Description
Vulnerability ID Full vulnerability identifier, for example, CVE-2024-3727 or GHSA-qh2h-chj9-jffq (case insensitive).
Severity Only match findings with this severity.
Fix Availability Select ‘Fix Available’ to only match findings if a patch is available to fix the issue in the dependency.
Relationship Select ‘Direct Dependency’ to only match findings for direct dependencies, or ‘Transitive Dependency’ to only match findings for transitive dependencies.
EPSS Percentile Threshold Only match findings with an EPSS percentile threshold equal to or higher than this threshold (0.00-100.00). The EPSS percentile threshold represents the percentile ranking among all vulnerabilities that a vulnerability will be exploited.
EPSS Probability Threshold Only match findings with an EPSS probability score equal to or higher than this threshold (0.00-1.00). The EPSS probability score represents the probability [0-1] of exploitation in the wild in the next 30 days following score publication.
Source Code Ecosystem Match finding ecosystem.
Exclude if Dependency Name Contains Allows you to define full or partial dependency names for which an action policy should exclude. For example, you want to exclude a specific dependency from this policy.
Exclude if Package Name Contains Allows you to define full or partial package names for which an action policy should exclude. This is the resource that the finding is raised against. For example, the package indirectly or directly includes an unmaintained dependency.
Exclude findings for transitive dependencies via other projects? Exclude findings for transitive dependencies that can only be reached via other projects. This helps your team to not act when they do not have control of findings introduced by libraries your team developed.

Custom finding attributes

Allows you to define a custom action policy based on the attributes of the finding. The following parameters are supported:

Parameter Description
Finding Name Contains Match full or partial finding name.
Finding Category Match finding category.
Finding Type Match finding type.
Severity Match finding severity.
Fix Availability Select ‘Fix Available’ to only match findings if a patch is available to fix the issue in the dependency.
Relationship Select ‘Direct Dependency’ to only match findings for direct dependencies, or ‘Transitive Dependency’ to only match findings for transitive dependencies.
Dependency Reachability Select ‘Reachable Dependency’ and ‘Potentially Reachable Dependency’ to only match findings where the vulnerable dependency is reachable.
Function Reachability Select ‘Reachable Function’ and ‘Potentially Reachable Function’ to only match findings where the vulnerable function is reachable.
Exclude Test Select ‘Yes’ to exclude test dependencies.
Source Code Ecosystem Match finding ecosystem.
Finding Meta Tag Only match findings that have this meta tag (set by the policy that created the finding). Note that these are different and separate from the system-defined finding tags.
Exclude if Dependency Name Contains Allows you to define full or partial dependency names for which an action policy should exclude. For example, you want to exclude a specific dependency from this policy.
Exclude if Package Name Contains Allows you to define full or partial package names for which an action policy should exclude. This is the resource that the finding is raised against. For example, the package indirectly or directly includes an unmaintained dependency.
Exclude findings for transitive dependencies Exclude findings for transitive dependencies that can only be reached via other projects. This helps your team to not act when they do not have control of findings introduced by libraries your team developed.
Include CI/CD dependency findings Select ‘Yes’ to include findings related to CI/CD dependencies. Note that CI/CD dependency findings are different from CI/CD tool findings. CI/CD dependency findings are for vulnerabilities in CI/CD dependency versions, while CI/CD tool findings are for the usage of a given tool. Findings related to CI/CD tools are included by default.

Finding types

Findings are classified into the following types when the packages scanned include:

Finding Type Description
Custom Custom findings defined in custom policies.
Dependency With Low Activity Score Low Endor activity score.
Dependency With Low Popularity Score Low Endor popularity score.
Dependency With Low Quality Score Low Endor quality score.
Dependency With Multiple Low Scores More than one Low Endor Score.
Dependency With Very Low Activity Scores Very low Endor activity score.
Dependency With Very Low Popularity Score Very low Endor popularity score.
Dependency With Very Low Quality Score Very low Endor quality score.
License Risk Missing, unknown, restricted, or problematic licenses.
Malware Dependency Known malicious dependencies reported by Open Source Vulnerabilities (OSV).
Malware OSS Review Potentially suspicious code that needs review.
Missing Source Code Associated source code is not auditable.
Outdated Dependency Outdated code with older versions of the released dependencies.
Typosquatted Dependency Dependencies with intentionally similar names to popular packages.
Unmaintained Dependency Unmaintained dependencies introducing vulnerabilities.
Unpinned Dependency Variable version specifications of dependencies.
Unused Dependency Unused dependencies in the code.

Detected secrets

Allows you to define the action taken when a leaked secret is detected based on the validation status of the secret.

Parameter Description
Validation Status Select secret validation status: Valid, Invalid, or Unable to Validate.

Outdated releases

Matches findings based on older versions of software or dependencies and are not actively updated. The following parameters are supported:

Parameter Description
Relationship Select ‘Direct Dependency’ to only match findings for direct dependencies, or ‘Transitive Dependency’ to only match findings for transitive dependencies.
Dependency Reachability Select ‘Reachable Dependency’ and ‘Potentially Reachable Dependency’ to only match findings where the vulnerable dependency is reachable.
Exclude Test Exclude test dependencies from this policy.
Source Code Ecosystem Match finding ecosystem.
Exclude if Dependency Name Contains Allows you to define full or partial dependency names for which an action policy should exclude. For example, you want to exclude a specific dependency from this policy.
Exclude if Package Name Contains Allows you to define full or partial package names for which an action policy should exclude. This is the resource that the finding is raised against. For example, the package indirectly or directly includes an unmaintained dependency.
Exclude findings for transitive dependencies via other projects? Exclude findings for transitive dependencies that can only be reached through other projects. This helps your team to not act when they do not have control of findings introduced by libraries your team developed.

Unmaintained dependencies

Matches findings based on dependencies that are no longer maintained or may have reached end-of-life. The following parameters are supported:

Parameter Description
Relationship Select ‘Direct Dependency’ to only match findings for direct dependencies, or ‘Transitive Dependency’ to only match findings for transitive dependencies.
Dependency Reachability Select ‘Reachable Dependency’ and ‘Potentially Reachable Dependency’ to only match findings where the vulnerable dependency is reachable.
Exclude Test Exclude test dependencies from this policy.
Source Code Ecosystem Match finding ecosystem.
Exclude if Dependency Name Contains Allows you to define full or partial dependency names for which an action policy should exclude. For example, you want to exclude a specific dependency from this policy.
Exclude if Package Name Contains Allows you to define full or partial package names for which an action policy should exclude. This is the resource that the finding is raised against. For example, the package indirectly or directly includes an unmaintained dependency.
Exclude findings for transitive dependencies via other projects? Exclude findings for transitive dependencies that can only be reached via other projects. This helps your team to not act when they do not have control of findings introduced by libraries your team developed.

Unpinned direct dependencies

Matches findings based on direct dependencies that do not have a version or a range of versions specified. Supported configuration parameters for this action policy template are:

Parameter Description
Exclude Test Exclude test dependencies from this policy.
Source Code Ecosystem Match finding ecosystem.
Exclude if Dependency Name Contains Allows you to define full or partial dependency names for which an action policy should exclude. For example, you want to exclude a specific dependency from this policy.
Exclude if Package Name Contains Allows you to define full or partial package names for which an action policy should exclude. This is the resource that the finding is raised against. For example, the package indirectly or directly includes an unmaintained dependency.
Exclude findings for transitive dependencies via other projects? Exclude findings for transitive dependencies that can only be reached through other projects. This helps your team to not act when they do not have control of findings introduced by libraries your team developed.

Unreachable direct dependencies

Matches findings based on dependencies that are not directly used or called within a project. Supported configuration parameters for this action policy template are:

Parameter Description
Exclude Test Exclude test dependencies from this policy.
Source Code Ecosystem Match finding ecosystem.
Exclude if Dependency Name Contains Allows you to define full or partial dependency names for which an action policy should exclude. For example, you want to exclude a specific dependency from this policy.
Exclude if Package Name Contains Allows you to define full or partial package names for which an action policy should exclude. This is the resource that the finding is raised against. For example, the package indirectly or directly includes an unmaintained dependency.
Exclude findings for transitive dependencies via other projects? Exclude findings for transitive dependencies that can only be reached through other projects. This helps your team to not act when they do not have control of findings introduced by libraries your team developed.

Vulnerabilities

Matches findings that are vulnerabilities that meet specific parameters. The following parameters are supported:

Parameter Description
Vulnerability ID Full vulnerability identifier, for example, CVE-2024-3727 or GHSA-qh2h-chj9-jffq (case insensitive).
Severity Only match findings with this severity.
Fix Availability Select ‘Fix Available’ to only match findings if a patch is available to fix the issue in the dependency.
Relationship Select ‘Direct Dependency’ to only match findings for direct dependencies, or ‘Transitive Dependency’ to only match findings for transitive dependencies.
Dependency Reachability Select ‘Reachable Dependency’ and ‘Potentially Reachable Dependency’ to only match findings where the vulnerable dependency is reachable.
Function Reachability Select ‘Reachable Function’ and ‘Potentially Reachable Function’ to only match findings where the vulnerable function is reachable.
Exclude Test Select ‘Yes’ to exclude test dependencies from this policy.
EPSS Percentile Threshold Only match findings with an EPSS percentile threshold equal to or higher than this threshold (0.00-100.00). The EPSS percentile threshold represents the percentile ranking among all vulnerabilities that a vulnerability will be exploited.
EPSS Probability Threshold Only match findings with an EPSS probability score equal to or higher than this threshold (0.00-1.00). The EPSS probability score represents the probability [0-1] of exploitation in the wild in the next 30 days following score publication.
Source Code Ecosystem Match finding ecosystem.
Exclude if Dependency Name Contains Allows you to define full or partial dependency names for which an action policy should exclude. For example, you want to exclude a specific dependency from this policy.
Exclude if Package Name Contains Allows you to define full or partial package names for which an action policy should exclude. This is the resource that the finding is raised against. For example, the package indirectly or directly includes an unmaintained dependency.
Exclude findings for transitive dependencies via other projects? Exclude findings for transitive dependencies that can only be reached via other projects. This helps your team to not act when they do not have control of findings introduced by libraries your team developed.
Include CI/CD dependency findings Select ‘Yes’ to include findings related to CI/CD dependencies. Note that CI/CD dependency findings are different from CI/CD tool findings. CI/CD dependency findings are for vulnerabilities in CI/CD dependency versions, while CI/CD tool findings are for the usage of a given tool. Findings related to CI/CD tools are included by default.