> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pwnbook.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Endor Labs

> Import dependency findings and reachability analysis from Endor Labs to track supply chain risk in Pwnbook.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/pwnbook/logos/endorlabs.svg" alt="Endor Labs" style={{ height: "32px", marginBottom: "16px" }} />

## Overview

Endor Labs focuses on software supply chain security — specifically dependency lifecycle management and reachability analysis. Rather than surfacing every CVE in a dependency tree, Endor Labs identifies which vulnerabilities are actually reachable from your code's call paths. The Pwnbook integration imports these findings so teams can prioritize remediation based on real exploitability.

## Prerequisites

* An Endor Labs account with API access
* Admin or Owner access in Pwnbook

## Credentials required

| Field         | Description                                         |
| ------------- | --------------------------------------------------- |
| **API Key**   | API key from Endor Labs Settings → API Keys         |
| **Namespace** | Your Endor Labs namespace (organization identifier) |

## Setup

<Steps>
  <Step title="Create an Endor Labs API key">
    1. In Endor Labs, go to **Settings → API Keys**.
    2. Click **Create API Key**.
    3. Give it a name like "Pwnbook" and assign **Read** permissions.
    4. Copy the **API key** and note your **namespace**.
  </Step>

  <Step title="Configure in Pwnbook">
    1. Go to **Organization Settings → Marketplace → Endor Labs**.
    2. Enter your **API Key** and **Namespace**.
    3. Click **Save & Test**.
  </Step>
</Steps>

## What gets synced

| Data                           | Description                                                         |
| ------------------------------ | ------------------------------------------------------------------- |
| **Dependency vulnerabilities** | CVEs in your direct and transitive dependencies                     |
| **Reachability**               | Whether the vulnerable code path is reachable from your application |
| **Severity**                   | Critical, high, medium, low — adjusted by reachability              |
| **Dependency versions**        | Current version, fixed version, and upgrade path                    |
| **EPSS score**                 | Exploit Prediction Scoring System score for prioritization          |
| **Package ecosystem**          | npm, PyPI, Maven, Go modules, etc.                                  |

## Reachability analysis

Endor Labs's key differentiator is call-graph-based reachability analysis. Pwnbook surfaces this:

* Findings are tagged **Reachable**, **Unreachable**, or **Unknown**
* Reachable findings are sorted to the top of the findings list
* Unreachable findings can be filtered out to reduce noise

This lets you focus remediation effort on the vulnerabilities that pose real risk rather than working through every CVE in your dependency graph.

## Viewing findings in Pwnbook

Endor Labs findings appear under **Security Findings → Endor Labs**. You can:

* Filter by reachability status, severity, and package ecosystem
* View CVE details, CVSS scores, and EPSS scores
* See the dependency chain from your application to the vulnerable package
* Assign findings to tasks

## Disconnecting

1. Go to **Organization Settings → Marketplace → Endor Labs**.
2. Click **Disconnect**.
3. Confirm.
