Skip to main content
Endor Labs

Overview

Endor Labs focuses on software supply chain security — specifically dependency lifecycle management and reachability analysis. Rather than surfacing every CVE in a dependency tree, Endor Labs identifies which vulnerabilities are actually reachable from your code’s call paths. The Pwnbook integration imports these findings so teams can prioritize remediation based on real exploitability.

Prerequisites

  • An Endor Labs account with API access
  • Admin or Owner access in Pwnbook

Credentials required

FieldDescription
API KeyAPI key from Endor Labs Settings → API Keys
NamespaceYour Endor Labs namespace (organization identifier)

Setup

1

Create an Endor Labs API key

  1. In Endor Labs, go to Settings → API Keys.
  2. Click Create API Key.
  3. Give it a name like “Pwnbook” and assign Read permissions.
  4. Copy the API key and note your namespace.
2

Configure in Pwnbook

  1. Go to Organization Settings → Marketplace → Endor Labs.
  2. Enter your API Key and Namespace.
  3. Click Save & Test.

What gets synced

DataDescription
Dependency vulnerabilitiesCVEs in your direct and transitive dependencies
ReachabilityWhether the vulnerable code path is reachable from your application
SeverityCritical, high, medium, low — adjusted by reachability
Dependency versionsCurrent version, fixed version, and upgrade path
EPSS scoreExploit Prediction Scoring System score for prioritization
Package ecosystemnpm, PyPI, Maven, Go modules, etc.

Reachability analysis

Endor Labs’s key differentiator is call-graph-based reachability analysis. Pwnbook surfaces this:
  • Findings are tagged Reachable, Unreachable, or Unknown
  • Reachable findings are sorted to the top of the findings list
  • Unreachable findings can be filtered out to reduce noise
This lets you focus remediation effort on the vulnerabilities that pose real risk rather than working through every CVE in your dependency graph.

Viewing findings in Pwnbook

Endor Labs findings appear under Security Findings → Endor Labs. You can:
  • Filter by reachability status, severity, and package ecosystem
  • View CVE details, CVSS scores, and EPSS scores
  • See the dependency chain from your application to the vulnerable package
  • Assign findings to tasks

Disconnecting

  1. Go to Organization Settings → Marketplace → Endor Labs.
  2. Click Disconnect.
  3. Confirm.