Endor Labs Pros and Cons

Endor Labs is, in a good way, simplistic. The data we care about is quickly available to us. Our prior SCA tooling reachability analysis wasn't robust and we couldn't determine which vulnerabilities could truly threaten our business, so we couldn't manually research reachability or perform upgrades without knowing if they mattered. Our risk models were overly aggressive to compensate, which has now been dramatically improved by using Endor Labs. Review collected by and hosted on G2.com.

Endor Labs is a new entrant into the SCA space, and has only been around for a short period of time (2022). There is always a risk of engaging with a critical vendor that you depend on for Security and Compliance, when they are a relatively new business.

We are happy with all of their current features. Review collected by and hosted on G2.com.

Endor Labs is scrappy company that has left me with the impression that they will do what it takes to see their customers succeed. For software composition and reachabiity analysis, it was difficult to find a competing product in the current market that is as fully featured as their platform. They place a big emphasis on methodology (and have SMEs that write about this) and are also capable of performing reachability analysis on transitive dependencies, which was a big selling point for us.

Implementation and ease of integration were also a big selling point. All the basics are there - a CLI tool, an optional Github application, and a well-maintained github action with all the features of the CLI tool. Members of the team, outside of customer support, were ready and able to help whenever we ran into issues in one of our many Java / Maven repositories. Review collected by and hosted on G2.com.

UI/UX could use some fine tuning. For example, users authenticating via a custom IdP sometimes show up as have an "unknown provider" in the access control tab, despite it being clear that they are sourced from the IdP. It would also be nice to be able to set a default monitored branch from the console (this is currently only possible via a CLI flag). Review collected by and hosted on G2.com.

Endor Labs has revolutionized our approach to managing our OSS dependency & securitization of our software supply chain. SCA solution goes beyond traditional vulnerability scanning, offering deep reachbility that has dramatically reduced not only our risk exposure but developer productivity while addressing such issues.

Really loved how they do the same with all the verticals. They are expanding to including container scanning where they link vulnerability found in container level back to source code and OSS scan results.

In a few years we have used Endor we have found them to be rapid in reflecting our needs and continually syncing to deliver on our requests throughout the Journey. Customer sympathy is truly a factor to highlight when we think of Endor Labs as a partner. Review collected by and hosted on G2.com.

It would be great if Endor Labs continue to expand their vertical all the way to runtime analysis of containers to truly make it an end to end software lifecycle vulnerability/security platform. Review collected by and hosted on G2.com.

The way SCA is performed on projects is the best I've seen from all products I've tested. Function-level reachability for many languages/technologies differentiates it from most, if not all, competitors. The UI easily shows me the findings on all projects, with detailed information on location, call-stack, impact, CVEs...

It also lets us, from the UI, fine-tune policies on when to warn/block/ignore builds on findings. Review collected by and hosted on G2.com.

The only downside I've come across is setting up Endor Labs for a project could be easier. It's not hard, but some errors or problems could have a more explicit message on how to solve (e.g. some project's dependencies failed to be analysed), but given the large amount of supported technologies, it's understandable. Review collected by and hosted on G2.com.

Endor Labs has a very sophisticated engine for function reachability. I would say it is unparallel in the industry as of right now. Review collected by and hosted on G2.com.

The UI/UX experience needs some work. However, it has been getting better in the last two years. I have used this product. Also, it needs better Jira integration. Again, this is something they're actively working on. Review collected by and hosted on G2.com.