endor-scan-full

Comprehensive security scan with full reachability analysis. Builds call graphs to determine which vulnerabilities are actually exploitable in your code. Use when the user says "full scan", "deep scan", "reachability scan", "which vulns are actually reachable", "endor scan full", or before a release. Takes 2-5 minutes. Do NOT use for quick daily scans (/endor-scan) or checking individual packages (/endor-check).

Endor Labs Full Reachability Scan

Comprehensive security scan with full call graph analysis to identify exploitable vulnerabilities.

Quick Scan vs Full Scan

Feature        | Quick Scan    | Full Scan
Speed          | Seconds       | Minutes
Reachability   | No            | Full call graph
Call Paths     | No            | Yes
Prioritization | Severity only | Severity + reachability
Use Case       | Daily dev     | Pre-release, security reviews

CRITICAL: Scan Once, Cache Always

Cache file: .endor/scan-full-results.json (relative to repo root)

Rules:

  1. Before scanning, check if cache exists. If yes, use cached results. Do not re-scan unless user explicitly requests it ("scan again", "re-scan", "run a new scan").
  2. After successful scan, save complete raw results to cache immediately. Create .endor/ if needed.
  3. On scan failure, do not write cache. Report error.
  4. For follow-up questions about findings, read cache instead of re-scanning. If a finding UUID is missing from finding_details, fetch via get_resource and update cache.
  5. Add .endor/ to .gitignore if not already present.

Cache Format

{
  "scan_timestamp": "ISO-8601",
  "scan_path": "/absolute/path",
  "scan_types": ["vulnerabilities", "dependencies", "secrets", "sast"],
  "scan_options": { "quick_scan": false },
  "raw_results": { ... },
  "finding_details": { "uuid-1": { ... }, "uuid-2": { ... } }
}
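
The cache rules above (check before scanning, write only after success, never on failure, read-through for finding details, keep .endor/ out of git) as a worked example. This is added code, not the skill's own or Endor Labs' code: the scan and the finding lookup are passed in as callables so it runs offline, and the MCP `scan` and `get_resource` tools are replaced by constructed stand-ins inside `demo()`.

```python
"""Cache handling for the full-scan workflow (rules 1-5 and the cache format above).

Added example, not the skill's or Endor Labs' code. `scan` and `fetch` are injected
callables; the stand-ins in demo() are constructed and do not call any MCP tool.
"""
import json
import os
import tempfile
from datetime import datetime, timezone

CACHE_REL_PATH = os.path.join(".endor", "scan-full-results.json")
SCAN_TYPES = ["vulnerabilities", "dependencies", "secrets", "sast"]
SCAN_OPTIONS = {"quick_scan": False}


def cache_path(repo_root):
    return os.path.join(repo_root, CACHE_REL_PATH)


def load_cache(repo_root):
    """Rules 1 and 4: return the cached entry if it exists, else None."""
    path = cache_path(repo_root)
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def write_cache(repo_root, entry):
    os.makedirs(os.path.dirname(cache_path(repo_root)), exist_ok=True)
    with open(cache_path(repo_root), "w", encoding="utf-8") as fh:
        json.dump(entry, fh, indent=2)


def save_cache(repo_root, raw_results):
    """Rule 2: store the complete raw results in the documented cache format."""
    entry = {
        "scan_timestamp": datetime.now(timezone.utc).isoformat(),
        "scan_path": os.path.abspath(repo_root),
        "scan_types": SCAN_TYPES,
        "scan_options": SCAN_OPTIONS,
        "raw_results": raw_results,
        "finding_details": {},
    }
    write_cache(repo_root, entry)
    return entry


def ensure_gitignore(repo_root):
    """Rule 5: append .endor/ to .gitignore unless it is already listed."""
    gi = os.path.join(repo_root, ".gitignore")
    content = ""
    if os.path.exists(gi):
        with open(gi, encoding="utf-8") as fh:
            content = fh.read()
    if any(line.strip() in (".endor", ".endor/") for line in content.splitlines()):
        return False
    with open(gi, "a", encoding="utf-8") as fh:
        if content and not content.endswith("\n"):
            fh.write("\n")
        fh.write(".endor/\n")
    return True


def scan_with_cache(repo_root, scan, force=False):
    """Rules 1-3: reuse the cache unless the user asked for a fresh scan; a scan
    that raises leaves no cache behind. Returns (entry, "cache" | "scan")."""
    if not force:
        cached = load_cache(repo_root)
        if cached is not None:
            return cached, "cache"
    raw = scan(os.path.abspath(repo_root), SCAN_TYPES, SCAN_OPTIONS)  # raises on failure
    entry = save_cache(repo_root, raw)
    ensure_gitignore(repo_root)
    return entry, "scan"


def finding_detail(repo_root, uuid, fetch):
    """Rule 4: answer from cache; call fetch (get_resource stand-in) only when missing."""
    entry = load_cache(repo_root)
    if entry is None:
        raise FileNotFoundError("no cache; run the full scan first")
    details = entry.setdefault("finding_details", {})
    if uuid not in details:
        details[uuid] = fetch(uuid)
        write_cache(repo_root, entry)
    return details[uuid]


def demo():
    """Constructed end-to-end run in a scratch directory; returns what happened."""
    calls = []

    def fake_scan(path, scan_types, scan_options):      # stand-in for the MCP scan tool
        calls.append(path)
        return {"findings": [{"uuid": "uuid-1", "package": "example-pkg"}]}

    def failing_scan(path, scan_types, scan_options):   # simulates a failed build/scan
        raise RuntimeError("build failed")

    def fake_fetch(uuid):                                # stand-in for get_resource
        return {"uuid": uuid, "summary": "constructed detail"}

    with tempfile.TemporaryDirectory() as repo:
        out = {}
        try:
            scan_with_cache(repo, failing_scan)          # rule 3: nothing cached
        except RuntimeError:
            pass
        out["cached_after_failure"] = load_cache(repo) is not None
        _, first = scan_with_cache(repo, fake_scan)      # rule 2: scan, then cache
        _, second = scan_with_cache(repo, fake_scan)     # rule 1: served from cache
        out["sources"] = (first, second)
        out["scan_calls"] = len(calls)
        out["gitignore_added_twice"] = ensure_gitignore(repo)
        finding_detail(repo, "uuid-1", fake_fetch)       # rule 4: fetched once, stored
        out["detail_cached"] = "uuid-1" in load_cache(repo)["finding_details"]
        _, forced = scan_with_cache(repo, fake_scan, force=True)  # "scan again"
        out["forced_source"] = forced
    return out
```

`scan_with_cache` deliberately lets the scan's exception propagate: the caller reports the exact error, and because `save_cache` is never reached, a later "are there findings?" question cannot be answered from a half-written cache.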

Workflow

Step 1: Check Cache

  • Cache exists: Show timestamp, ask user to use cached or fresh scan. If cached, skip to Step 5.
  • No cache: Proceed with scan.

Step 2: Detect Repository Context

Detect languages and manifest files (same as /endor-scan).

Step 3: Warn About Duration

Full reachability analysis builds a call graph of your entire codebase. This typically takes 2-5 minutes depending on project size.

Step 4: Run Full Scan

Use scan MCP tool:

  • path: absolute path to repository root
  • scan_types: ["vulnerabilities", "dependencies", "secrets", "sast"]
  • scan_options: { "quick_scan": false }

CLI fallback (only if MCP genuinely unavailable):

npx -y endorctl scan --path <ABSOLUTE_PATH> --dependencies --sast --secrets --output-type json 2>/dev/null > /tmp/endor-full.json

On error, report exact error. Do not write cache on failure.

After successful scan: save to cache, add .endor/ to .gitignore, then fetch details for each finding UUID via get_resource (resource_type: Finding) and append to finding_details in cache.

Step 5: Interpret Reachability and Present Results

For reachability tag interpretation, read references/reachability-tags.md.

Priority Classification

Priority         | Dependency Tag         | Function Tag                   | Action
P0 - Fix Now     | REACHABLE_DEPENDENCY   | REACHABLE_FUNCTION             | Actively exploitable
P1 - Investigate | REACHABLE_DEPENDENCY   | POTENTIALLY_REACHABLE_FUNCTION | Likely exploitable, verify
P2 - Plan Fix    | REACHABLE_DEPENDENCY   | UNREACHABLE_FUNCTION           | Dep used, vuln func not called
P3 - Track       | UNREACHABLE_DEPENDENCY | UNREACHABLE_FUNCTION           | Not used, lowest risk
P4 - Ignore      | (PHANTOM)              | Any                            | Not installed

When dep tag present but no function tag, classify on dep tag alone (function reachability unknown).

Present: scanned path, languages, "Full Reachability Analysis", timestamp, reachability summary table with counts per category, key insight ("X of Y vulns have confirmed reachable call path"), then P0-P3 finding tables (Package, Advisory, Severity, Description).
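
The priority classification and the reachability summary above as a worked example. This is added code, not the skill's or Endor Labs' code: the tag names and priority rows are taken from the table, the findings are constructed (the advisory IDs are placeholders, not real advisories), and one choice is this example's own assumption: a REACHABLE_DEPENDENCY with no function tag is rated P1 - Investigate, since the skill only says to classify on the dependency tag when function reachability is unknown.

```python
"""Priority classification of full-scan findings by reachability tag.

Added example, not code from the skill or Endor Labs. The tag names and priority
rows come from the skill's table; the findings below are constructed.
"""
from collections import Counter

# Priority rows from the table, keyed by (dependency tag, function tag).
PRIORITY_TABLE = {
    ("REACHABLE_DEPENDENCY", "REACHABLE_FUNCTION"): "P0 - Fix Now",
    ("REACHABLE_DEPENDENCY", "POTENTIALLY_REACHABLE_FUNCTION"): "P1 - Investigate",
    ("REACHABLE_DEPENDENCY", "UNREACHABLE_FUNCTION"): "P2 - Plan Fix",
    ("UNREACHABLE_DEPENDENCY", "UNREACHABLE_FUNCTION"): "P3 - Track",
}
# Used when only the dependency tag is known (function reachability unknown).
# Rating a reachable dependency P1 here is this example's assumption.
DEP_ONLY_TABLE = {
    "REACHABLE_DEPENDENCY": "P1 - Investigate",
    "UNREACHABLE_DEPENDENCY": "P3 - Track",
}
DEP_TAGS = {"REACHABLE_DEPENDENCY", "UNREACHABLE_DEPENDENCY", "PHANTOM"}
FN_TAGS = {"REACHABLE_FUNCTION", "POTENTIALLY_REACHABLE_FUNCTION", "UNREACHABLE_FUNCTION"}


def split_tags(tags):
    """Pick the dependency tag and the function tag out of a finding's tag list."""
    dep = next((t for t in tags if t in DEP_TAGS), None)
    fn = next((t for t in tags if t in FN_TAGS), None)
    return dep, fn


def classify(dep_tag, fn_tag=None):
    """Map one finding's tags to a priority label; None if no dependency tag is known."""
    if dep_tag == "PHANTOM":
        return "P4 - Ignore"  # not installed, whatever the function tag says
    if fn_tag is not None and (dep_tag, fn_tag) in PRIORITY_TABLE:
        return PRIORITY_TABLE[(dep_tag, fn_tag)]
    return DEP_ONLY_TABLE.get(dep_tag)


def summarize(findings):
    """Counts per priority, the key-insight line, and the P0-P3 finding tables."""
    counts = Counter()
    tables = {p: [] for p in ("P0", "P1", "P2", "P3")}
    for f in findings:
        label = classify(*split_tags(f["tags"]))
        key = label.split()[0] if label else "UNCLASSIFIED"
        counts[key] += 1
        if key in tables:  # P4 findings are counted but not tabulated
            tables[key].append((f["package"], f["advisory"], f["severity"], f["description"]))
    confirmed = counts["P0"]  # only REACHABLE_FUNCTION is a confirmed call path
    insight = f"{confirmed} of {len(findings)} vulns have confirmed reachable call path"
    return {"counts": dict(counts), "insight": insight, "tables": tables}


# Constructed findings in the shape this example expects; advisory IDs are placeholders.
SAMPLE_FINDINGS = [
    {"package": "pkg-a", "advisory": "ADV-0001", "severity": "CRITICAL",
     "description": "prototype pollution",
     "tags": ["REACHABLE_DEPENDENCY", "REACHABLE_FUNCTION"]},
    {"package": "pkg-b", "advisory": "ADV-0002", "severity": "HIGH",
     "description": "argument injection",
     "tags": ["REACHABLE_DEPENDENCY", "POTENTIALLY_REACHABLE_FUNCTION"]},
    {"package": "pkg-c", "advisory": "ADV-0003", "severity": "HIGH",
     "description": "SSRF in redirect handling",
     "tags": ["REACHABLE_DEPENDENCY", "UNREACHABLE_FUNCTION"]},
    {"package": "pkg-d", "advisory": "ADV-0004", "severity": "MEDIUM",
     "description": "path traversal on extract",
     "tags": ["UNREACHABLE_DEPENDENCY", "UNREACHABLE_FUNCTION"]},
    {"package": "pkg-e", "advisory": "ADV-0005", "severity": "LOW",
     "description": "declared but never installed",
     "tags": ["PHANTOM"]},
    {"package": "pkg-f", "advisory": "ADV-0006", "severity": "HIGH",
     "description": "no function-level result",
     "tags": ["REACHABLE_DEPENDENCY"]},  # dependency tag only
]
```

With `summarize(SAMPLE_FINDINGS)` the counts come out as one finding each for P0, P2, P3 and P4 and two for P1 (the dependency-only finding lands there under this example's assumption), and the insight line reads "1 of 6 vulns have confirmed reachable call path".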

Next Steps

  1. /endor-fix {top-advisory} - fix reachable critical
  2. /endor-explain {advisory} - explain a finding
  3. /endor-findings reachable - view all findings
  4. /endor-upgrade-impact {package} - upgrade with impact analysis

For data source policy, read references/data-sources.md.

Error Handling

Show exact error messages — do not guess at causes.

Error           | Action
Auth error      | Complete browser login, retry. If persistent, /endor-setup
Build fails     | Fix build errors first, or use /endor-scan (no build required)
Timeout         | Scan specific subdirectory
MCP unavailable | /endor-setup. CLI fallback only if user confirms
Unknown error   | Show exact error, suggest /endor-troubleshoot

Repository: endorlabs/skills-ideas