
Endor Labs & Oligo: Closing the Loop Between Secure Code and Secure Runtime

Endor Labs and Oligo keep pipelines fast and secure with unified reachability, real-time threat blocking, and safe, automatic fixes.

Written by: Tom Gleason, VP of Customer Solutions; Mic Mccully
Published on: July 10, 2025

Modern services move from commit to production in minutes. If security checks break that flow, teams turn the checks off. The Endor Labs + Oligo integration keeps the pipeline fast while giving security teams the context they need to act. Here’s how we work together using the Endor Labs AppSec platform, Oligo Runtime Protection, and Endor Patches.

1. Write Secure Code by Default with Endor Labs

Development starts in the IDE or in tools like Cursor. Endor Labs runs as an MCP server that feeds the assistant live vulnerability data. Unsafe patterns are flagged before the engineer even commits.

At build time the Endor Labs platform:

  • Builds a complete call-graph of the code and its dependencies, like containers, AI models, and open source packages. 
  • Uses function-level reachability to prioritize risks that are reachable and fixable, reducing noise by 92% compared to incumbents. 
  • Signs the produced container image so every later event can be traced to this exact build.

The result is a repo that already meets most security policy requirements before CI starts.

2. Tie Dev-Time and Run-Time Reachability Context with Both Endor Labs and Oligo

During the CI pipeline, Oligo produces a detailed SBOM based on what’s actually running. Endor Labs ingests the SBOM for package IDs, licenses, and known CVEs, and blends those results with its own static reachability graph.

After deployment the signed container runs under Oligo’s runtime sensor. Oligo records every loaded class and executed function. When a vulnerable path executes, the sensor sends two facts to Endor Labs:

  1. The signature of the affected image.
  2. The exact path that was executed at runtime.

Endor maps this event back to the repository, branch and call-tree inside its static analysis. Engineers can now see one finding that shows both static and runtime evidence instead of two disjointed alerts.
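The correlation described above, as an added Python example that is not Endor Labs or Oligo code: a runtime event carrying an image digest and an executed path is joined to build provenance and a static call graph to yield one finding. The event fields, digest, function names, repository and advisory id are all constructed assumptions.

```python
from collections import deque

# Constructed sample data; every name, digest and field below is hypothetical.
BUILDS = {  # image digest recorded at signing time -> source provenance
    "sha256:aaaa1111": {"repo": "git.example/shop/api", "branch": "main"},
}
CALL_GRAPH = {  # static call graph: caller -> callees
    "api.handle_upload": ["imaging.resize", "audit.log"],
    "imaging.resize": ["libimg.decode"],
    "api.health": ["audit.log"],
    "libimg.decode": [],
    "audit.log": [],
}
ENTRY_POINTS = ["api.handle_upload", "api.health"]
VULNERABLE = {"libimg.decode": "EXAMPLE-VULN-1"}  # placeholder advisory id


def static_path(graph, entries, target):
    """Breadth-first search for the shortest entry-point -> target call chain."""
    queue = deque([e] for e in entries)
    seen = set(entries)
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for callee in graph.get(path[-1], []):
            if callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None


def correlate(event):
    """Merge one runtime event with static reachability into a single finding."""
    build = BUILDS.get(event["image_digest"])
    if build is None:
        return None  # unknown or unsigned image: cannot be tied to a build
    hits = [f for f in event["executed_path"] if f in VULNERABLE]
    if not hits:
        return None  # nothing vulnerable executed, so no finding to raise
    func = hits[-1]
    chain = static_path(CALL_GRAPH, ENTRY_POINTS, func)
    return {
        "advisory": VULNERABLE[func], "function": func, **build,
        "static_path": chain, "runtime_path": event["executed_path"],
        "evidence": "static+runtime" if chain else "runtime-only",
    }
```

An event whose digest is not in the build record returns no finding, which is why tracing depends on the image having been signed at build time.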

3. Instantly Block Threats with Oligo and Accelerate Fixes with Endor Patches 

Runtime Prevention:
Using Deep Application Inspection, Oligo can detect when a vulnerable function is being exploited in real time. When it does, Oligo can block malicious function calls immediately, stopping the exploit without impacting the application and shielding the service until a fix can be implemented.

Remediation:

  • Based on the SBOM and runtime insights from Oligo, Endor Labs generates patches, providing secure versions of the vulnerable components.
  • These patches are uploaded into the organization’s Artifactory, where they become immediately available to the CI/CD system on the next build.
  • This ensures non-breaking, high-confidence remediation that requires minimal developer effort.

Teams hit remediation SLAs while avoiding the regressions that often follow a full upgrade. Customers using this flow reduce remediation work by 70–80% and close CVEs 6.2× faster.

End-to-End Benefits

| Need | How the integration delivers |
| --- | --- |
| Secure code by default | Endor MCP blocks risky code and guides safe choices before commit. |
| Unified reachability context | Static call-graphs (Endor) + live execution data (Oligo) identify the small set of CVEs that matter. |
| Real-time threat blocking | Oligo shields exploitable paths the moment they execute. |
| Fast, non-breaking fixes | Endor Upgrade Impact Analysis or minimal Endor Patches remediate without large upgrades or rewrite work. |

Wrapping Up…

Endor Labs secures what engineers create. Oligo secures what actually runs. Together they form one loop:

  • Prevent most problems in the IDE.
  • See the few remaining risks in production.
  • Block exploits instantly and patch safely on the next build.

Security stays continuous, contextual and inside the developer workflow, without slowing the pipeline or filling Jira with noise.
