Astronomer Modernizes AppSec with Endor Labs

Founded in 2018, Astronomer is the leading unified orchestration platform powered by Apache Airflow®. Astronomer uses Endor Labs for SCA, malware detection, and container scanning.

Written by
Jenn Gile
Published on
January 20, 2026
Updated on
January 20, 2026

The Challenge

The Astronomer security team is on a mission to secure the company’s infrastructure while building product resilience and maintaining high production velocity. However, their previous software composition analysis (SCA) tool had become a bottleneck, causing three interrelated problems:

  • High Noise and Inaccurate Prioritization: The SCA tool produced a high volume of alerts with no way to tell which vulnerable dependencies (or functions within them) were actually in use, creating an endless tax on developers who had to investigate every finding.
  • Erosion of Trust: When a tool’s findings can’t be trusted but are still expected to drive action, trust between teams understandably erodes. The security team lacked the technical evidence to prove which vulnerabilities presented real risk, which damaged its credibility with engineering.
  • Resource-Intensive Customer Assurance: The security team stayed highly responsive to customer-identified vulnerabilities, but doing so required extensive manual research to validate each reported risk and keep customers satisfied with product security.

Compounding these technical hurdles was Astronomer’s expansion into the European market, which introduced a complex landscape of new regulatory requirements. To maintain credibility with global customers, the team needed a mature AppSec program capable of supporting the Cyber Resilience Act (CRA), the EU AI Act, and the Digital Operational Resilience Act (DORA), in addition to table-stakes frameworks like SOC 2, HIPAA, and PCI DSS.

The Solution

In searching for a new SCA tool, Astronomer’s primary goal was a solution whose data could feed its proprietary vulnerability prioritization algorithm. Smooth integration into existing processes and workflows was also non-negotiable. The technical requirements included:

  • Evidence-based prioritization: For the algorithm to work, the SCA tool had to provide reachability analysis (is the vulnerable code actually called from the application?) and EPSS data (how likely is exploitation in the wild?) so the team could estimate the real likelihood of exploitation rather than rank on severity alone.
  • Integrate into existing workflows: Findings had to appear directly within the GitHub ecosystem so that developers wouldn’t have to context-switch. And because Astronomer relies heavily on orchestration and data pipelines, the tool had to be API-native.
  • Broad technical coverage: The solution had to offer robust support for Go and Python.

Why Endor Labs Won

Astronomer chose Endor Labs for SCA because it provided the technical depth and operational flexibility required to secure a high-velocity, open source-focused company. While other vendors offered traditional scanning, Endor Labs was the only solution that met all of Astronomer’s requirements.

The partnership has been so successful that Astronomer expanded usage of the Endor Labs application security platform to add Container Scanning and Upgrade Impact Analysis.

The Impact

Since implementing Endor Labs, Astronomer has transitioned its open source dependency risk program from high-friction to high-result.

"Endor Labs is like noise-cancelling headphones for vulnerability management and AppSec. We're able to focus only on the signal and avoid the noise. Our engineering team stays focused on shipping great products, security focuses on mitigating risk, and the company is focused on being a profitable company."

Joshua Domagalski, CISO @ Astronomer

Rebuilt engineering trust with 99.1% fewer findings

The most immediate shift occurred in the relationship between the security and engineering teams. By using Endor Labs’ call graphs and reachability analysis, the security team can present technical evidence that a vulnerable function is actually imported and called by Astronomer’s code, ending the endless tax of investigating unreachable CVEs.

"Having something that was able to say, ‘We’re only focusing on things that are reachable, and we’re able to provide proof that it is reachable,’ was a huge win with the engineering team because they knew we were actually focused on solving real problems." 

Joshua Domagalski, CISO @ Astronomer

Reduced risk of breaking changes

Astronomer maintains a mature software development practice that prioritizes platform stability. They use Endor Labs’ reachability analysis to ensure that security only requests upgrades when absolutely necessary. Upgrade Impact Analysis tells them whether an upgrade will be a small or large lift before the work begins, so large lifts can be scheduled for a future sprint. And where an upstream fix or patch is not yet available, call graphs show exactly where a vulnerable dependency is imported and called, so the team can apply targeted mitigations on the reachable path, such as validating or sanitizing the inputs that reach the vulnerable function, and neutralize the risk without waiting for an external update.
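As an added illustration of the reachability-plus-EPSS approach described in the requirements and in this section (this is constructed example code, not Endor Labs’ implementation and not Astronomer’s algorithm), the following Python script builds a function-level call graph with the standard library’s `ast` module, asks whether a known-vulnerable dependency function is reachable from an application entry point, records the call path as the evidence an engineer would want to see, and ranks findings so that a reachable finding outranks an unreachable one with a higher EPSS score. The module names, the two findings, their EPSS values, and the 0.1 down-weighting applied to unreachable code are all assumptions made for the example.

```python
"""
Toy reachability-based vulnerability prioritization over Python source.

Added example, not Endor Labs code. Builds a function-level call graph from
constructed sample modules, checks whether a known-vulnerable dependency
function is reachable from an application entry point, and ranks findings
with that evidence plus EPSS. Module names, finding IDs, EPSS values and the
"vulnerable" functions are hypothetical, constructed for the example.
"""
import ast
from collections import deque

# Constructed sample code: an application and two third-party packages.
SAMPLE_MODULES = {
    "yamlkit": '''
def safe_load(text):
    return {"parsed": text}
def unsafe_load(text):      # hypothetical: reachable vulnerable function
    return eval(text)
''',
    "imgkit": '''
def resize(data):           # hypothetical: vulnerable, but never called by app
    return data[:10]
''',
    "app": '''
import yamlkit
from imgkit import resize

def load_config(text):
    return yamlkit.unsafe_load(text)

def main(raw):
    cfg = load_config(raw)
    return cfg
''',
}

# Constructed findings, shaped like what an SCA tool might report.
FINDINGS = [
    {"id": "FINDING-1", "function": "yamlkit.unsafe_load", "epss": 0.62},
    {"id": "FINDING-2", "function": "imgkit.resize", "epss": 0.91},
]


def build_call_graph(modules):
    """Return {qualified_caller: {qualified_callee, ...}} over all modules."""
    graph = {}
    for mod_name, source in modules.items():
        tree = ast.parse(source)
        aliases = {}  # local name -> qualified name it refers to
        for node in tree.body:
            if isinstance(node, ast.Import):
                for a in node.names:
                    aliases[a.asname or a.name] = a.name
            elif isinstance(node, ast.ImportFrom):
                for a in node.names:
                    aliases[a.asname or a.name] = f"{node.module}.{a.name}"
        local_defs = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}

        def resolve(func_node):
            # yamlkit.unsafe_load(...) -> "yamlkit.unsafe_load"
            if isinstance(func_node, ast.Attribute) and isinstance(func_node.value, ast.Name):
                base = aliases.get(func_node.value.id)
                return f"{base}.{func_node.attr}" if base else None
            # resize(...) via from-import, or helper(...) defined in this module
            if isinstance(func_node, ast.Name):
                if func_node.id in aliases:
                    return aliases[func_node.id]
                if func_node.id in local_defs:
                    return f"{mod_name}.{func_node.id}"
            return None  # builtins and anything unresolved are ignored

        for fn in tree.body:
            if not isinstance(fn, ast.FunctionDef):
                continue
            callees = graph.setdefault(f"{mod_name}.{fn.name}", set())
            for node in ast.walk(fn):
                if isinstance(node, ast.Call):
                    target = resolve(node.func)
                    if target:
                        callees.add(target)
    return graph


def reachable_path(graph, entry, target):
    """BFS from entry; return the call path to target, or None if unreachable."""
    queue = deque([[entry]])
    seen = {entry}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for callee in graph.get(path[-1], ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None


def prioritize(findings, graph, entry):
    """Rank findings: reachable first, then by EPSS. The weighting is a hypothetical policy."""
    ranked = []
    for f in findings:
        path = reachable_path(graph, entry, f["function"])
        # Unreachable code still carries some risk (it may be wired in later),
        # so scale EPSS down rather than zeroing it; 0.1 is an arbitrary choice.
        score = f["epss"] if path else f["epss"] * 0.1
        ranked.append({**f, "reachable": path is not None, "path": path, "score": round(score, 3)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    g = build_call_graph(SAMPLE_MODULES)
    for r in prioritize(FINDINGS, g, "app.main"):
        evidence = "reachable via " + " -> ".join(r["path"]) if r["path"] else "unreachable"
        print(r["id"], r["score"], evidence)
```

Ranked by EPSS alone, FINDING-2 would come first; with reachability, FINDING-1 moves to the top and carries the call path `app.main -> app.load_config -> yamlkit.unsafe_load`, which is exactly the place a targeted mitigation (input validation before `unsafe_load`) would go while an upstream fix is pending. A real call-graph analysis also has to handle dynamic dispatch, decorators, and transitive dependencies, which this toy resolver does not.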

"One of the main reasons we increased investment in Endor Labs was the additional telemetry for fix requirements. It allows us to further prioritize work, for example we can schedule a larger fix with many breaking changes for a later sprint while getting the easier ones done quickly."

Joshua Domagalski, CISO @ Astronomer

Supported global expansion and compliance rigor

Astronomer’s rapid expansion into the European market requires a security posture capable of satisfying both internal risk standards and complex global regulations. They use Endor Labs as the technical foundation for the data-driven evidence international customers require. By focusing on high-fidelity findings, Astronomer efficiently navigates frameworks like DORA and the EU AI Act without sacrificing production velocity.

"Endor Labs greatly reduced our CVE backlog, which helps satisfy the near zero tolerance for vulnerabilities often seen in highly regulated markets." 

Joshua Domagalski, CISO @ Astronomer
