Add Endor Labs vulnerability scanning infrastructure

.gitignore

@@ -0,0 +1,38 @@
+# Endor Labs binary (too large for GitHub, download separately)
+endorctl
+
+# Maven build artifacts
+target/
+pom.xml.tag
+pom.xml.releaseBackup
+pom.xml.versionsBackup
+pom.xml.next
+release.properties
+dependency-reduced-pom.xml
+buildNumber.properties
+.mvn/timing.properties
+.mvn/wrapper/maven-wrapper.jar
+
+# IDE files
+.idea/
+*.iml
+.vscode/
+.DS_Store
+
+# Compiled class files
+*.class
+
+# Log files
+*.log
+
+# Package files
+*.jar
+*.war
+*.nar
+*.ear
+*.zip
+*.tar.gz
+*.rar
+
+# Security scan results
+*.sarif

README.md

@@ -0,0 +1,69 @@
+# Java Web Application Demo - Security Scanning
+
+This is a demo Java web application configured with Endor Labs security vulnerability scanning.
+
+## Quick Start - Security Scanning
+
+This repository is configured to run comprehensive security scans using Endor Labs. The scans identify:
+
+- 🔍 **Vulnerabilities in dependencies** (CVEs, security issues)
+- 🔐 **Leaked secrets** (API keys, passwords, tokens)
+- 📦 **Supply chain risks** (malicious packages, unmaintained dependencies)
+
+### Running a Scan
+
+1. **Set up your credentials:**
+   ```bash
+   export ENDOR_NAMESPACE="your-namespace"
+   export ENDOR_API_KEY="your-api-key"
+   export ENDOR_API_SECRET="your-api-secret"
+   ```
+
+2. **Run the scan:**
+   ```bash
+   ./run-endor-scan.sh
+   ```
+
+The script will automatically download the `endorctl` binary if needed and execute a comprehensive security scan.
+
+### Documentation
+
+For detailed information about vulnerability scanning, see [VULNERABILITY_SCAN.md](VULNERABILITY_SCAN.md)
+
+## Project Structure
+
+```
+.
+├── run-endor-scan.sh       # Script to run Endor Labs security scan
+├── VULNERABILITY_SCAN.md   # Detailed scanning documentation
+├── pom.xml                 # Maven project configuration
+├── src/                    # Source code
+└── .github/workflows/      # GitHub Actions workflows
+```
+
+## GitHub Actions Integration
+
+The repository includes a workflow that can run automated scans on pull requests and commits. See `.github/workflows/main.yml` for configuration.
+
+## Dependencies
+
+This Maven project includes several dependencies. Some may have known security vulnerabilities:
+
+- `org.apache.logging.log4j:log4j-core:2.3`
+- `mysql:mysql-connector-java:5.1.42`
+- `org.apache.commons:commons-text:1.9`
+- And others...
+
+**Run a security scan to get detailed vulnerability reports and remediation advice.**
+
+## Building the Project
+
+```bash
+mvn clean install
+```
+
+## More Information
+
+- 📚 [Vulnerability Scanning Guide](VULNERABILITY_SCAN.md)
+- 🔗 [Endor Labs Documentation](https://docs.endorlabs.com)
+- 🏢 [Endor Labs](https://endorlabs.com)

VULNERABILITY_SCAN.md

@@ -0,0 +1,218 @@
+# Endor Labs Vulnerability Scan Guide
+
+This repository is configured to run security vulnerability scans using Endor Labs.
+
+## Overview
+
+The Endor Labs scanner (`endorctl`) performs comprehensive security analysis including:
+
+- **Dependency Scanning**: Identifies vulnerabilities in third-party dependencies
+- **Secret Detection**: Scans for leaked credentials, API keys, and sensitive information
+- **Supply Chain Analysis**: Analyzes the software supply chain for security risks
+
+## Prerequisites
+
+Before running a scan, you need:
+
+1. **Endor Labs Account**: Sign up at [https://endorlabs.com](https://endorlabs.com)
+2. **API Credentials**: Obtain your API key and secret from your Endor Labs account
+3. **Namespace**: Your Endor Labs namespace (organization identifier)
+4. **endorctl Binary**: The scan script will automatically download it if not present
+
+## Setup
+
+### API Endpoint Configuration
+
+This repository is configured to use the Endor Labs staging environment. To use the production environment, set the `ENDORCTL_API_ENDPOINT` environment variable:
+
+```bash
+export ENDORCTL_API_ENDPOINT="https://api.endorlabs.com"
+```
+
+### Download endorctl (if not already present)
+
+The `run-endor-scan.sh` script will automatically download endorctl if needed. Alternatively, you can download it manually:
+
+```bash
+# Download endorctl
+curl -L https://api.staging.endorlabs.com/download/endorlabs/v1.7.688/binaries/endorctl_v1.7.688_linux_amd64 -o endorctl
+
+# Verify checksum
+echo "2dd5e32c21afc893d1229a1c6e9864ad82ce2d1bc2f8e6cbfe9f5acba7f461a9 endorctl" | sha256sum --check
+
+# Make executable
+chmod +x ./endorctl
+```
+
+**Note**: The `endorctl` binary is not committed to this repository due to its size (271 MB). It will be downloaded on first use.
+
+**Note**: This repository is configured to use the Endor Labs staging API endpoint. For production deployments, update the download URL to use the production endpoint.
+
+## Running a Scan
+
+### Option 1: Using the Scan Script
+
+A convenience script is provided to run the scan with proper configuration:
+
+```bash
+# Set required environment variables
+export ENDOR_NAMESPACE="your-namespace"
+export ENDOR_API_KEY="your-api-key"
+export ENDOR_API_SECRET="your-api-secret"
+
+# Run the scan
+./run-endor-scan.sh
+```
+
+### Option 2: Using endorctl Directly
+
+You can also run the scanner directly:
+
+```bash
+./endorctl scan \
+    --path=. \
+    --namespace=your-namespace \
+    --api-key=your-api-key \
+    --api-secret=your-api-secret \
+    --dependencies \
+    --secrets \
+    --verbose
+```
+
+### Option 3: GitHub Actions Workflow
+
+The repository includes a GitHub Actions workflow (`.github/workflows/main.yml`) that runs scans automatically. The workflow uses GitHub secrets for credentials:
+
+- `ENDOR_API`: Endor Labs API URL
+- `ENDOR_API_KEY`: Your API key
+- `ENDOR_API_SECRET`: Your API secret
+
+## Scan Options
+
+### Common Flags
+
+- `--path`: Directory to scan (default: current directory)
+- `--namespace`: Your Endor Labs namespace (required)
+- `--dependencies`: Scan for vulnerable dependencies
+- `--secrets`: Scan for leaked secrets
+- `--verbose`: Enable detailed logging
+- `--dry-run`: Run scan without sending results to API (still requires authentication)
+
+### Output Formats
+
+Control the output format with `--output-type`:
+
+- `table`: Human-readable table format (default)
+- `json`: JSON format for programmatic processing
+- `yaml`: YAML format
+- `summary`: High-level summary
+- `sarif`: SARIF format for security tools integration
+
+Example:
+```bash
+./endorctl scan --dependencies --output-type=json --sarif-file=results.sarif
+```
+
+## Understanding Scan Results
+
+The scan will report findings in several categories:
+
+### 1. Dependency Vulnerabilities
+
+Identifies known CVEs and security issues in your dependencies. Key information includes:
+- Vulnerability severity (Critical, High, Medium, Low)
+- CVE identifiers
+- Affected dependency versions
+- Recommended fixes or updates
+
+### 2. Secret Leaks
+
+Detects exposed credentials or sensitive information:
+- API keys
+- Passwords
+- Private keys
+- Tokens and secrets
+
+### 3. Supply Chain Risks
+
+Analyzes broader supply chain security:
+- Malicious packages
+- Typosquatting attempts
+- Unmaintained dependencies
+- License compliance issues
+
+## Integration with CI/CD
+
+### GitHub Actions
+
+The scan can be integrated into your CI/CD pipeline. Example workflow:
+
+```yaml
+- name: Run Endor Labs Scan
+  uses: endorlab/github-action@main
+  with:
+    api: ${{ secrets.ENDOR_API }}
+    api_key: ${{ secrets.ENDOR_API_KEY }}
+    api_secret: ${{ secrets.ENDOR_API_SECRET }}
+    namespace: "your-namespace"
+    additional_args: "--dependencies --secrets"
+```
+
+### Local Development
+
+For local development scans, ensure you have the required credentials set:
+
+```bash
+export ENDOR_NAMESPACE="your-namespace"
+export ENDOR_API_KEY="your-api-key"
+export ENDOR_API_SECRET="your-api-secret"
+./run-endor-scan.sh
+```
+
+## Current Repository Dependencies
+
+This Java project uses Maven and includes the following key dependencies:
+
+- `javax.servlet:javax.servlet-api:3.1.0`
+- `org.apache.commons:commons-text:1.9`
+- `mysql:mysql-connector-java:5.1.42`
+- `org.apache.logging.log4j:log4j-core:2.3`
+- `org.jboss.weld:weld-core:1.1.33.Final`
+- And several other testing and utility libraries
+
+**Note**: Some of these dependencies may have known vulnerabilities. Run a scan to get detailed findings.
+
+## Troubleshooting
+
+### Authentication Errors
+
+If you see `511 Network Authentication Required`:
+- Verify your API key and secret are correct
+- Check that your namespace exists and you have access
+- Ensure network connectivity to `https://api.endorlabs.com`
+
+### Missing Dependencies
+
+If the scan fails to analyze dependencies:
+- Run `mvn install` first to resolve dependencies locally
+- Use `--use-local-repo-cache` flag with the scan command
+
+### Timeout Issues
+
+For large repositories:
+- Use `--exclude-path` to skip unnecessary directories
+- Consider running dependency and secret scans separately
+- Increase timeout values in CI/CD configurations
+
+## Additional Resources
+
+- [Endor Labs Documentation](https://docs.endorlabs.com)
+- [endorctl CLI Reference](https://docs.endorlabs.com/endorctl)
+- [GitHub Integration Guide](https://docs.endorlabs.com/integrations/github)
+
+## Support
+
+For issues or questions:
+- Email: [email protected]
+- Documentation: https://docs.endorlabs.com
+- GitHub Issues: Report issues specific to this repository

run-endor-scan.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# Endor Labs Vulnerability Scan Script
+# This script runs a comprehensive security scan using Endor Labs
+# Note: Currently configured for Endor Labs staging environment
+
+set -e
+
+# Configuration for endorctl download
+ENDORCTL_VERSION="${ENDORCTL_VERSION:-v1.7.688}"
+ENDORCTL_API_ENDPOINT="${ENDORCTL_API_ENDPOINT:-https://api.staging.endorlabs.com}"
+ENDORCTL_URL="${ENDORCTL_API_ENDPOINT}/download/endorlabs/${ENDORCTL_VERSION}/binaries/endorctl_${ENDORCTL_VERSION}_linux_amd64"
+ENDORCTL_SHA256="2dd5e32c21afc893d1229a1c6e9864ad82ce2d1bc2f8e6cbfe9f5acba7f461a9"
+
+# Check if endorctl is available, download if not
+if [ ! -f "./endorctl" ]; then
+    echo "endorctl not found. Downloading version ${ENDORCTL_VERSION}..."
+    curl -L "$ENDORCTL_URL" -o endorctl
+
+    # Verify checksum
+    echo "${ENDORCTL_SHA256} endorctl" | sha256sum --check
+
+    # Make executable
+    chmod +x ./endorctl
+    echo "endorctl downloaded and verified successfully"
+else
+    # Ensure endorctl is executable
+    chmod +x ./endorctl
+fi
+
+# Configuration
+SCAN_PATH="${SCAN_PATH:-.}"
+NAMESPACE="${ENDOR_NAMESPACE:-}"
+API_KEY="${ENDOR_API_KEY:-}"
+API_SECRET="${ENDOR_API_SECRET:-}"
+
+# Check for required credentials
+if [ -z "$NAMESPACE" ] || [ -z "$API_KEY" ] || [ -z "$API_SECRET" ]; then
+    echo "Error: Required environment variables not set"
+    echo "Please set the following environment variables:"
+    echo "  - ENDOR_NAMESPACE: Your Endor Labs namespace"
+    echo "  - ENDOR_API_KEY: Your Endor Labs API key"
+    echo "  - ENDOR_API_SECRET: Your Endor Labs API secret"
+    exit 1
+fi
+
+echo "Starting Endor Labs vulnerability scan..."
+echo "Scan path: $SCAN_PATH"
+echo "Namespace: $NAMESPACE"
+echo ""
+
+# Run the scan with multiple security checks
+# - dependencies: Scan for vulnerable dependencies
+# - secrets: Scan for leaked secrets
+./endorctl scan \
+    --path="$SCAN_PATH" \
+    --namespace="$NAMESPACE" \
+    --api-key="$API_KEY" \
+    --api-secret="$API_SECRET" \
+    --dependencies \
+    --secrets \
+    --verbose
+
+echo ""
+echo "Scan completed successfully!"