Manage build tools (Beta)

Learn how to build repeatable patterns to manage build tools in your environment.

Endor Labs often requires pre-built or installed software to scan your application. Building software allows Endor Labs to ensure that your software bill of materials is accurate, especially in software languages such as Python, Java, or .NET where lock files are significantly less common.

Since software frequently relies on specific versions of a runtime or package manager, Endor Labs references the tools used in your software build process. This ensures that your software bill of materials and all associated risk information are accurate. For repeatable patterns used in CI or when build tools are not installed, Endor Labs provides ways to define the tools necessary for building your software.

Endor Labs will automatically install build tools in a sandbox to ensure you can run highly accurate scans. The build tools are not installed on your host but installed in an isolated sandbox. The feature is currently supported for Linux and macOS operating systems.

After installing and initializing the endorctl CLI, you can specify the build toolchains using any of the following methods:

Configure toolchain profile through endorctl API

You can use the endorctl api command to configure the toolchains for your project.

  1. Run an endorctl scan to create a project.
endorctl scan
  2. Fetch the UUID of the project. For example, to fetch the UUID of the app-java-demo project, you can use:
UUID=$(endorctl api list -r Project --filter="meta.name matches https://github.com/endorlabs/app-java-demo" --field-mask=uuid | jq -r '.list.objects[].uuid')
  3. Create a ToolChainProfile object using the following command. Set the EDITOR environment variable (for example, export EDITOR=vim) before executing the following command.
endorctl api create -i -r ToolChainProfile

Here is an example spec that you can use to create a ToolChainProfile object for installing .NET 8.0.303. After executing the command, fetch the UUID of the new ToolChainProfile object; you need it in the next step. See Reference toolchain specification for a full description of the supported toolchains.

spec:
  os:
    linux:
      arch:
        amd64:
          dotnet_tool_chain:
            version:
              name: "8.0.303"
              urls:
                - "https://download.visualstudio.microsoft.com/download/pr/60218cc4-13eb-41d5-aa0b-5fd5a3fb03b8/6c42bee7c3651b1317b709a27a741362/dotnet-sdk-8.0.303-linux-x64.tar.gz"
              sha256_sum: "214ee467f75c42f1512748fe7ca8dd82da2af29cdf54be614a8997f0466ef070"
  4. Associate the ToolChainProfile with your project by setting toolchain_profile_uuid on the project <project-uuid>, using the following command.
endorctl api update -r Project --uuid=<project-uuid> -d '{"spec":{"toolchain_profile_uuid":"<toolchainprofile-uuid>"}}' --field-mask 'spec.toolchain_profile_uuid'

You have now created a toolchain for installing .NET 8.0.303.

Configure toolchain profile through profile.yaml file

You can create a build tool profile for your Endor Labs scans in each repository to specify the types of build tools to automatically download for each scan.

Create a new file .endorctl/toolchain/profile.yaml in the root directory of your repository and specify the required versions of the tools. You can specify the operating system, architecture, language, tool, and install information in the profile.yaml file.

A profile that downloads Python 3.10 and the corresponding PyPI packages to run in a CI environment can look like this (the URLs and checksums shown are placeholders):

spec:
  os:
    linux:
      arch:
        amd64:
          python_tool_chain:
            version:
              name: "3.10"
              urls:
                - "https://python310.tar.gz"
              sha256_sum: "python310shasum"
            pip_packages:
              wheel:
                name: "1.2.3"
                urls:
                  - "https://wheel123.tar.gz"
                  - "https://wheel123_backup.tar.gz"
                sha256_sum: "wheelshasum"

System default toolchain versions

If you do not provide a toolchain profile, the following default tools are installed in the sandbox when you run endorctl scan with the --install-build-tools flag.

Software     Version
Java         17.0.11
Maven        3.9.4
Gradle       8.4
Python       3.10
Poetry       1.5.0
JavaScript   20.10.0
Yarn         1.22.19
Pnpm         8.10.2
Go           1.22.2
Scala        1.9.0
rustup       1.25.2
Rust         1.77.0
MIRAI        1.1.8
.NET         7.0.401

Configure build tools for Endor Labs GitHub App

The Endor Labs GitHub App continuously monitors all the projects in your GitHub workspace for security and operational risks. The scans run once every 24 hours. When performing a scan, the GitHub App checks for toolchain specifications in the following order:

  1. Toolchain configuration specified through endorctl API.
  2. Toolchain configuration specified in profile.yaml file.
  3. Uses the system defaults.

Configure build tools for repeatable CI patterns

After installing and initializing the endorctl CLI, run endorctl scan with the --install-build-tools flag to dynamically download and install the required build tools into the sandbox.

endorctl scan --install-build-tools

Run the endorctl scan

Here is the recommended flow for performing the endorctl scan.

  1. The first time, run an endorctl scan to create a project with Endor Labs.
endorctl scan
  2. To automatically download and install build tools as part of your scan, run endorctl scan with the --install-build-tools flag.
endorctl scan --install-build-tools
  3. Before installing anything in the sandbox, the system checks for the required toolchain specifications in the order described above: the toolchain configuration set through the endorctl API, then the profile.yaml file, then the system defaults.

Reference toolchain specification

The following reference toolchain specification shows how to define each supported toolchain. The download URLs and checksums in it are for linux/amd64; the os and arch keys take one of the values shown in angle brackets.

spec:
  os:
    <linux|darwin>:
      arch:
        <amd64|arm64>:
          java_tool_chain:
            version:
              name: "17.0.11"
              urls:
                - "https://builds.openlogic.com/downloadJDK/openlogic-openjdk/17.0.11+9/openlogic-openjdk-17.0.11+9-linux-x64.tar.gz"
              sha256_sum: "7712c3a7df6d58c4654ed996047be208faa03f93fc1588906485721b68f72f81"
              relative_tool_chain_path: "openlogic-openjdk-17.0.11+9-linux-x64"
            maven_version:
              name: "3.9.4"
              urls:
                - "https://dlcdn.apache.org/maven/maven-3/3.9.4/binaries/apache-maven-3.9.4-bin.tar.gz"
              sha256_sum: "ff66b70c830a38d331d44f6c25a37b582471def9a161c93902bac7bea3098319"
              relative_tool_chain_path: "apache-maven-3.9.4"
            gradle_version:
              name: "8.4"
              urls:
                - "https://services.gradle.org/distributions/gradle-8.4-bin.zip"
              sha256_sum: "3e1af3ae886920c3ac87f7a91f816c0c7c436f276a6eefdb3da152100fef72ae"
              relative_tool_chain_path: "gradle-8.4"
          python_tool_chain:
            version:
              name: "3.10"
              urls:
                - "https://github.com/indygreg/python-build-standalone/releases/download/20240415/cpython-3.10.14+20240415-x86_64-unknown-linux-gnu-pgo+lto-full.tar.zst"
              sha256_sum: "add8cc6cbb4f2a3f8af2272e62b7604f7529a8c357c0af0f8a9f7d3dd444ef1e"
              relative_tool_chain_path: "python"
          javascript_tool_chain:
            nodejs_version:
              name: "20.10.0"
              urls:
                - "https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.gz"
              sha256_sum: "d3f0908a9d9190a8525c5b9a716ed91bb57e908555841b0c47f75b2a001ff91b"
              relative_tool_chain_path: "node-v20.10.0-linux-x64"
            yarn_version:
              name: "1.22.19"
              urls:
                - "https://github.com/yarnpkg/yarn/releases/download/v1.22.19/yarn-v1.22.19.tar.gz"
              sha256_sum: "732620bac8b1690d507274f025f3c6cfdc3627a84d9642e38a07452cc00e0f2e"
              relative_tool_chain_path: "yarn-v1.22.19"
            pnpm_version:
              name: "8.10.2"
              urls:
                - "https://github.com/pnpm/pnpm/releases/download/v8.10.2/pnpm-linux-x64"
              sha256_sum: "0ab0306430599bd5486af416addaeb8d9876ec304a2f9e4ac5fbe8e7ca71c740"
          dotnet_tool_chain:
            version:
              name: "7.0.401"
              urls:
                - "https://download.visualstudio.microsoft.com/download/pr/61f29db0-10a5-4816-8fd8-ca2f71beaea3/e15fb7288eb5bc0053b91ea7b0bfd580/dotnet-sdk-7.0.401-linux-x64.tar.gz"
              sha256_sum: "4634fa4da7ae4e3dadb83e320a87fb26f0cb12a7ca02bf9f10e6c3c1c91d645c"
          golang_tool_chain:
            version:
              name: "1.22.2"
              urls:
                - "https://go.dev/dl/go1.22.2.linux-amd64.tar.gz"
              sha256_sum: "5901c52b7a78002aeff14a21f93e0f064f74ce1360fce51c6ee68cd471216a17"
              relative_tool_chain_path: "go"
          scala_tool_chain:
            version:
              name: "1.9.0"
              urls:
                - "https://github.com/sbt/sbt/releases/download/v1.9.0/sbt-1.9.0.tgz"
              sha256_sum: "cc559348eaf9cfbe6ce22f689b1e440c8e05b4e49cd6bea398764777b37948c4"
              relative_tool_chain_path: "sbt"
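Every entry in a profile.yaml or in the reference specification above pins a tool to a download URL and a sha256_sum, which is what lets the sandbox reject a substituted or corrupted archive. The following added example (not part of endorctl or the Endor Labs documentation) lints a profile for entries that are not pinned to an https URL and a real digest, and shows the hash check a downloaded archive must pass; the profile dict, digests and archive bytes are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import re
import tempfile
# Hypothetical lint/verify helpers for a toolchain profile, added here; they are not
# part of endorctl. PROFILE mirrors the page's profile.yaml example (as yaml.safe_load
# would load it), with the wheel URL changed to http so that it produces a finding.
PROFILE = {"spec": {"os": {"linux": {"arch": {"amd64": {"python_tool_chain": {
    "version": {"name": "3.10", "urls": ["https://python310.tar.gz"],
                "sha256_sum": "python310shasum"},  # placeholder digest from the page
    "pip_packages": {"wheel": {"name": "1.2.3", "urls": ["http://wheel123.tar.gz"],
                               "sha256_sum": "a" * 64}}}}}}}}}  # constructed digest

def iter_artifacts(profile):
    """Yield (dotted path, entry) for every version and pip package in the profile."""
    for os_name, os_spec in profile["spec"]["os"].items():
        for arch, arch_spec in os_spec["arch"].items():
            for chain, chain_spec in arch_spec.items():
                for key, val in chain_spec.items():
                    if key == "pip_packages":
                        for pkg, entry in val.items():
                            yield f"{os_name}.{arch}.{chain}.pip_packages.{pkg}", entry
                    else:
                        yield f"{os_name}.{arch}.{chain}.{key}", val

def lint_profile(profile):
    """Findings for artifacts not pinned to https URLs and a 64-hex-char sha256_sum."""
    findings = []
    for path, entry in iter_artifacts(profile):
        if not re.fullmatch(r"[0-9a-fA-F]{64}", entry.get("sha256_sum", "")):
            findings.append(f"{path}: sha256_sum is not a 64-char hex digest")
        for url in entry.get("urls") or ["<missing>"]:
            if not url.startswith("https://"):
                findings.append(f"{path}: download url is not https: {url}")
    return findings

def verify_artifact(path, expected_sha256):
    """Hash a downloaded archive in chunks and compare it to the pinned digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected_sha256.lower())

def demo():
    """Pin a constructed archive's digest, then show a modified copy failing the check."""
    with tempfile.NamedTemporaryFile(suffix=".tar.gz", delete=False) as f:
        f.write(b"constructed archive bytes")
    pinned = hashlib.sha256(b"constructed archive bytes").hexdigest()
    ok = verify_artifact(f.name, pinned)
    with open(f.name, "ab") as g:  # simulate a tampered or truncated download
        g.write(b"!")
    return ok, verify_artifact(f.name, pinned)
```

Running lint_profile on a profile loaded with yaml.safe_load flags the placeholder digest and the plain-http URL before the profile is committed, and demo() shows that a single changed byte fails the sha256 check.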