The following changes were introduced in endorctl:
- Bug fixes and miscellaneous improvements.
The following changes were introduced in endorctl:
- Maven package scans now surface the underlying error when a POM fails to parse.
- Maven dependency resolution now loads the maven-bundle-plugin extension for OSGi POMs.
- Ruby scans now import bundler to parse gemspec files.
The following changes were introduced in endorctl:
- Fixed Azure DevOps PR scans that failed due to a false staleness check.
- SBOM export by name now returns a clear error when the package version is not found.
- Secret scans now perform a full rescan when an explicit rescan is requested.
The following changes were introduced in endorctl:
- Fixed PR identification for GitLab and Bitbucket, resolving spurious 401 errors during PR scans.
- Added the `--secret-rules-file` flag to `endorctl scan` for supplying custom secret detection rules.
- Improved language detection for Rust projects.
- Python call graph generation now batches large projects by lines of code and available memory.
- Fixed pnpm scan failures where a package referencing workspace `catalog:` dependencies could not build its lock file when scanned in isolation.
The following changes were introduced in endorctl:
- Superseded PR scans are now cancelled automatically, with a dedicated return code.
- Deleted package versions are now tracked in scan results and scan history.
v1.7.1001
The following changes were introduced in endorctl:
- Bug fixes and miscellaneous improvements.
The following changes were introduced in endorctl:
- Fixed PR scans on shallow or partial clones, where the merge base could be unreachable and the diff silently fell back to an incorrect comparison. endorctl now deepens the clone to reach the merge base, and reports a clear error if the two branches share no history.
The following changes were introduced in endorctl:
- Added the `--include-test-dependencies` flag to `endorctl sbom export`.
- Pre-commit secret scans now flag only added lines.
- Expanded secret validation coverage.
- JavaScript scans now resolve call graphs for private transitive dependencies.
- Improved Ruby dependency resolution in scans.
The following changes were introduced in endorctl:
- JavaScript scans can now fetch call graphs for private packages.
- Improved error handling and return codes for local scans.
- Added a return code for when the baseline is not found.
- Secret scanning now applies the global allowlist during file walking for faster scans.
- Fixed incomplete call graphs on large Go projects, where build metadata could exceed an internal scan buffer and silently drop required build settings.
The following changes were introduced in endorctl:
- Added the `--dry-run` flag to `endorctl container registry scan`.
- Fixed the declared license field for compound SPDX expressions.
The following changes were introduced in endorctl:
- Added the `--os-reachability` flag to `endorctl container registry scan`.
- Added Harbor as a container registry type option.
- JavaScript scans now support a custom lock file location.
- Fixed a JavaScript call graph failure that could cause findings to be deleted.
- Private SCM dependency resolution across organizations is now enabled by default.
- Added secret detection rules for Azure AD client secrets (canonical Q~ format) and Azure Storage Account Keys, including a validator.
- Fixed authentication gaps in `.npmrc` file handling.
- GitHub SARIF writes now retry transient 401 errors, with clearer GitHub authentication error classification.
- SBOM export now skips malformed packages instead of failing the entire export.
The following changes were introduced in endorctl:
- Fixed a Gradle issue where dependencies that failed manifest discovery were silently dropped, which inflated reported success rates. The resolver now synthesizes a path-derived package name so these scan failures are reported accurately.
- Fixed SBOM imports where SPDX documents with multiple root packages would silently abort and return zero findings. Multi-root SPDX documents are now normalized to a single root before CycloneDX conversion, so imports succeed and vulnerability matching runs.
The following changes were introduced in endorctl:
- Added environment variable support for the `scanned-only` and `exclude-scanned` flags in `container registry list`, with validation that enforces mutual exclusivity between the flags and their environment variables.
- Added environment variable support (`ENDOR_CONTAINER_COLLECT_*`) for the `kubeconfig-context`, `kubeconfig-path`, and `runtime-type` flags in `container collect`, with early validation of the kubeconfig context and runtime type.
The following changes were introduced in endorctl:
- Dependencies whose license category cannot be determined now report a category of `Unknown` instead of an empty value, so they filter consistently by license category.
The following changes were introduced in endorctl:
- Dependency metadata now includes declared and discovered SPDX license identifiers.
- Added Google Artifact Registry (GAR) support for container registry scanning, including authentication and `gar` as a `--type` option on `endorctl container registry`.
- The `--image` and `--image-tar` flags now apply only to the `container scan`, `instrument`, and `collect` commands. The `container registry` subcommands no longer accept them.
- Added a warning message when the default branch is switched during a scan.
- Fixed call graph generation for Java and Scala to use the JDK at `JAVA_HOME` before falling back to `PATH`, so the call graph uses your configured JDK.
- Bazel targets are now resolved at the start of a scan, improving accuracy of the Bazel package include filter.
- Fixed C# PR segment-matching to handle workspaces with multiple package versions and non-root baseline versions.
- Fixed `container scan` argument validation to check both CLI flags and `ENDOR_CONTAINER_SCAN_*` environment variables, so env-only configuration is no longer ignored.
The following changes were introduced in endorctl:
- NuGet dependency scans now extract license information from a package’s LicenseUrl when it is not otherwise declared, improving license coverage for NuGet projects.
The following changes were introduced in endorctl:
- Added the `--insecure` flag (env var `ENDOR_CONTAINER_REGISTRY_INSECURE`) to `endorctl container registry` commands, which skips TLS verification when connecting to self-signed container registries.
- Renamed the environment variable for `--registry-namespace` from `ENDOR_CONTAINER_REGISTRY_REGISTRY_NAMESPACE` to `ENDOR_CONTAINER_REGISTRY_NAMESPACE`.
The following changes were introduced in endorctl:
- Fixed pnpm workspace detection failing when pnpm emitted WARN lines for unresolvable variables in `.npmrc` files.
- Fixed secret policies not matching when a custom secret rule’s name differed from its description. The result name is now sourced from the rule name.
- Added `oci` as a supported registry type for container scanning, enabling OCI-compliant registry support.
- Fixed a race condition that could delete the old default branch when a new default branch was set.
- Fixed PR-incremental scans over-resolving dependencies on Gradle composite-build repositories. The Gradle resolver now honors the narrowed manifest set.
- Fixed `ENDOR_SCAN_LANGUAGES=typescript` not running the JavaScript plugin.
- Fixed PURL qualification for OS packages found through ELF binary cataloging in distroless images, which prevented false-positive vulnerability matches.
- Fixed PR-incremental scans to source baseline context from the baseline repository version instead of querying all packages.
- Deprecated the `--registry` flag on `endorctl container registry`. It is now replaced by `--host`.
- Fixed PR-incremental Java scans triggering full Gradle resolution when no Gradle manifest survived the PR filter.
- Fixed include-path validation to reject directory paths without `/*` or `/**` when set through environment variables, matching the behavior of the CLI flags and preventing accidental package deletions.
- Reordered path validation so include and exclude paths are validated before `.gitignore` paths are applied.
- Deprecated the `--registry-type` flag on `endorctl container registry`. It is now replaced by `--type`.