Add Endor Labs vulnerability scanning infrastructure

.github/workflows/endor-vulnerability-scan.yml

@@ -0,0 +1,60 @@
+name: "Endor Labs Vulnerability Scan"
+
+on:
+  push:
+    branches:
+      - main
+      - master
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  endor-scan:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+
+    environment: copilot
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'microsoft'
+          java-version: '17'
+
+      - name: Setup endorctl
+        run: |
+          curl https://api.staging.endorlabs.com/download/endorlabs/v1.7.688/binaries/endorctl_v1.7.688_linux_amd64 -o endorctl
+          echo "2dd5e32c21afc893d1229a1c6e9864ad82ce2d1bc2f8e6cbfe9f5acba7f461a9 endorctl" | sha256sum --check
+          chmod +x ./endorctl
+
+      - name: Run Endor Labs Vulnerability Scan
+        env:
+          ENDOR_API_KEY: ${{ secrets.ENDOR_API_KEY }}
+          ENDOR_API_SECRET: ${{ secrets.ENDOR_API_SECRET }}
+          ENDOR_NAMESPACE: ${{ secrets.ENDOR_NAMESPACE }}
+        run: |
+          ./endorctl scan \
+            --path=. \
+            --dependencies \
+            --secrets \
+            --languages=java \
+            --output-type=summary \
+            --sarif-file=endor-scan-results.sarif \
+            --namespace=${{ secrets.ENDOR_NAMESPACE }} \
+            --api-key=${{ secrets.ENDOR_API_KEY }} \
+            --api-secret=${{ secrets.ENDOR_API_SECRET }}
+
+      - name: Upload Scan Results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: endor-scan-results
+          path: endor-scan-results.sarif
+          retention-days: 30

.gitignore

@@ -0,0 +1,14 @@
+# Build artifacts
+target/
+*.class
+*.jar
+*.war
+
+# IDE files
+.idea/
+*.iml
+.vscode/
+.DS_Store
+
+# Endor Labs CLI
+endorctl

VULNERABILITY_SCANNING.md

@@ -0,0 +1,84 @@
+# Endor Labs Vulnerability Scanning
+
+This repository is configured to run vulnerability scans using Endor Labs.
+
+## Overview
+
+Endor Labs provides comprehensive security scanning for:
+- **Dependency vulnerabilities**: Scans all Maven dependencies for known security issues
+- **Secret scanning**: Detects exposed credentials and secrets in code
+- **Code vulnerabilities**: Identifies security issues in the codebase
+
+## Running Scans
+
+### Automated Scans via GitHub Actions
+
+The repository includes a GitHub Actions workflow that automatically runs vulnerability scans:
+
+- **Workflow**: `.github/workflows/endor-vulnerability-scan.yml`
+- **Triggers**: 
+  - On push to main/master branches
+  - On pull requests
+  - Manual trigger via workflow_dispatch
+
+### Manual Scans
+
+To run a scan manually on your local machine:
+
+1. Ensure you have the `endorctl` CLI tool installed
+2. Set up authentication:
+   ```bash
+   export ENDOR_API_KEY="your-api-key"
+   export ENDOR_API_SECRET="your-api-secret"
+   export ENDOR_NAMESPACE="your-namespace"
+   ```
+3. Run the scan script:
+   ```bash
+   ./scan-vulnerabilities.sh
+   ```
+
+Or run endorctl directly:
+```bash
+./endorctl scan \
+  --path=. \
+  --dependencies \
+  --secrets \
+  --languages=java \
+  --output-type=summary
+```
+
+## Scan Types
+
+The vulnerability scan includes:
+
+- **Dependencies**: Scans all Maven dependencies defined in `pom.xml`
+- **Secrets**: Scans for exposed credentials, API keys, and sensitive data
+- **Languages**: Focuses on Java code analysis
+
+## Configuration
+
+### Required Secrets
+
+For GitHub Actions to work, configure these secrets in your repository:
+- `ENDOR_API_KEY`: Your Endor Labs API key
+- `ENDOR_API_SECRET`: Your Endor Labs API secret
+- `ENDOR_NAMESPACE`: Your Endor Labs namespace
+
+### Files
+
+- `scan-vulnerabilities.sh`: Shell script for running scans
+- `.github/workflows/endor-vulnerability-scan.yml`: GitHub Actions workflow
+- `.gitignore`: Configured to exclude the endorctl binary
+
+## Viewing Results
+
+Scan results are available in multiple formats:
+- Summary output in the console
+- SARIF files for integration with GitHub Security tab
+- JSON format for programmatic access
+- Detailed reports in the Endor Labs web interface
+
+## Additional Resources
+
+- [Endor Labs Documentation](https://docs.endorlabs.com/)
+- [endorctl CLI Reference](https://docs.endorlabs.com/endorctl/)

scan-vulnerabilities.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# Endor Labs Vulnerability Scan Script
+# This script performs a comprehensive vulnerability scan using endorctl
+
+set -e
+
+echo "Starting Endor Labs vulnerability scan..."
+echo "Repository: app-java-demo"
+echo "Scan types: vulnerabilities, secrets, dependencies"
+echo ""
+
+# Check if namespace is set and validate it
+if [ -z "$ENDOR_NAMESPACE" ]; then
+  echo "Error: ENDOR_NAMESPACE environment variable is required"
+  echo "Please set it before running this script:"
+  echo "  export ENDOR_NAMESPACE=your-namespace"
+  exit 1
+fi
+
+# Validate namespace contains only safe characters (alphanumeric, dash, underscore)
+if ! [[ "$ENDOR_NAMESPACE" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+  echo "Error: ENDOR_NAMESPACE contains invalid characters"
+  echo "Only alphanumeric characters, dashes, and underscores are allowed"
+  exit 1
+fi
+
+# Run endorctl scan with multiple scan types
+./endorctl scan \
+  --path=. \
+  --dependencies \
+  --secrets \
+  --languages=java \
+  --output-type=summary \
+  --namespace="$ENDOR_NAMESPACE" \
+  ${ENDOR_API_KEY:+--api-key="$ENDOR_API_KEY"} \
+  ${ENDOR_API_SECRET:+--api-secret="$ENDOR_API_SECRET"}
+
+echo ""
+echo "Scan completed successfully!"