v1.7.1024
June 24, 2026
The following changes were introduced in endorctl:
  • Bug fixes and miscellaneous improvements.
v1.7.1021
June 23, 2026
The following changes were introduced in endorctl:
  • Maven package scans now surface the underlying error when a POM fails to parse.
  • Maven dependency resolution now loads the maven-bundle-plugin extension for OSGi POMs.
  • Ruby scans now import bundler to parse gemspec files.
v1.7.1013
June 18, 2026
The following changes were introduced in endorctl:
  • Fixed Azure DevOps PR scans that failed due to a false staleness check.
  • SBOM export by name now returns a clear error when the package version is not found.
  • Secret scans now perform a full rescan when an explicit rescan is requested.
v1.7.1007
June 16, 2026
The following changes were introduced in endorctl:
  • Fixed PR identification for GitLab and Bitbucket, resolving spurious 401 errors during PR scans.
  • Added the --secret-rules-file flag to endorctl scan for supplying custom secret detection rules.
  • Improved language detection for Rust projects.
  • Python call graph generation now batches large projects by lines of code and available memory.
  • Fixed pnpm scan failures where a package referencing workspace catalog: dependencies could not build its lock file when scanned in isolation.
v1.7.1002
June 10, 2026
The following changes were introduced in endorctl:
  • Superseded PR scans are now cancelled automatically, with a dedicated return code.
  • Deleted package versions are now tracked in scan results and scan history.
v1.7.1001
The following changes were introduced in endorctl:
  • Bug fixes and miscellaneous improvements.
v1.7.1000
June 9, 2026
The following changes were introduced in endorctl:
  • Fixed PR scans on shallow or partial clones, where the merge base could be unreachable and the diff silently fell back to an incorrect comparison. endorctl now deepens the clone to reach the merge base, and reports a clear error if the two branches share no history.
v1.7.998
June 8, 2026
The following changes were introduced in endorctl:
  • Added the --include-test-dependencies flag to endorctl sbom export.
  • Pre-commit secret scans now flag only added lines.
  • Expanded secret validation coverage.
  • JavaScript scans now resolve call graphs for private transitive dependencies.
  • Improved Ruby dependency resolution in scans.
v1.7.994
June 4, 2026
The following changes were introduced in endorctl:
  • JavaScript scans can now fetch call graphs for private packages.
  • Improved error handling and return codes for local scans.
  • Added a return code for when the baseline is not found.
  • Secret scanning now applies the global allowlist during file walking for faster scans.
  • Fixed incomplete call graphs on large Go projects, where build metadata could exceed an internal scan buffer and silently drop required build settings.
v1.7.990
June 2, 2026
The following changes were introduced in endorctl:
  • Added the --dry-run flag to endorctl container registry scan.
  • Fixed the declared license field for compound SPDX expressions.
v1.7.988
June 1, 2026
The following changes were introduced in endorctl:
  • Added the --os-reachability flag to endorctl container registry scan.
  • Added Harbor as a container registry type option.
  • JavaScript scans now support a custom lock file location.
  • Fixed a JavaScript call graph failure that could cause findings to be deleted.
  • Private SCM dependency resolution across organizations is now enabled by default.
  • Added secret detection rules for Azure AD client secrets (canonical Q~ format) and Azure Storage Account Keys, including a validator.
  • Fixed authentication gaps in .npmrc file handling.
  • GitHub SARIF writes now retry transient 401 errors, with clearer GitHub authentication error classification.
  • SBOM export now skips malformed packages instead of failing the entire export.
v1.7.980
May 26, 2026
The following changes were introduced in endorctl:
  • Fixed a Gradle issue where dependencies that failed manifest discovery were silently dropped, which inflated reported success rates. The resolver now synthesizes a path-derived package name so these scan failures are reported accurately.
  • Fixed SBOM imports where SPDX documents with multiple root packages would silently abort and return zero findings. Multi-root SPDX documents are now normalized to a single root before CycloneDX conversion, so imports succeed and vulnerability matching runs.
v1.7.978
May 22, 2026
The following changes were introduced in endorctl:
  • Added environment variable support for the scanned-only and exclude-scanned flags in container registry list, with validation that enforces mutual exclusivity between the flags and their environment variables.
  • Added environment variable support (ENDOR_CONTAINER_COLLECT_*) for the kubeconfig-context, kubeconfig-path, and runtime-type flags in container collect, with early validation of the kubeconfig context and runtime type.
v1.7.976
May 19, 2026
The following changes were introduced in endorctl:
  • Dependencies whose license category cannot be determined now report a category of Unknown instead of an empty value, so they filter consistently by license category.
v1.7.973
May 14, 2026
The following changes were introduced in endorctl:
  • Dependency metadata now includes declared and discovered SPDX license identifiers.
  • Added Google Artifact Registry (GAR) support for container registry scanning, including authentication and gar as a --type option on endorctl container registry.
  • The --image and --image-tar flags now apply only to the container scan, instrument, and collect commands. The container registry subcommands no longer accept them.
  • Added a warning message when the default branch is switched during a scan.
  • Fixed call graph generation for Java and Scala to use the JDK at JAVA_HOME before falling back to PATH, so the call graph uses your configured JDK.
  • Bazel targets are now resolved at the start of a scan, improving accuracy of the Bazel package include filter.
  • Fixed C# PR segment-matching to handle workspaces with multiple package versions and non-root baseline versions.
  • Fixed container scan argument validation to check both CLI flags and ENDOR_CONTAINER_SCAN_* environment variables, so env-only configuration is no longer ignored.
v1.7.968
May 11, 2026
The following changes were introduced in endorctl:
  • NuGet dependency scans now extract license information from a package’s LicenseUrl when it is not otherwise declared, improving license coverage for NuGet projects.
v1.7.960
May 5, 2026
The following changes were introduced in endorctl:
  • Added the --insecure flag (env var ENDOR_CONTAINER_REGISTRY_INSECURE) to endorctl container registry commands, which skips TLS verification when connecting to self-signed container registries.
  • Renamed the environment variable for --registry-namespace from ENDOR_CONTAINER_REGISTRY_REGISTRY_NAMESPACE to ENDOR_CONTAINER_REGISTRY_NAMESPACE.
v1.7.957
May 4, 2026
The following changes were introduced in endorctl:
  • Fixed pnpm workspace detection failing when pnpm emitted WARN lines for unresolvable variables in .npmrc files.
  • Fixed secret policies not matching when a custom secret rule’s name differed from its description. The result name is now sourced from the rule name.
  • Added oci as a supported registry type for container scanning, enabling OCI-compliant registry support.
  • Fixed a race condition that could delete the old default branch when a new default branch was set.
  • Fixed PR-incremental scans over-resolving dependencies on Gradle composite-build repositories. The Gradle resolver now honors the narrowed manifest set.
  • Fixed ENDOR_SCAN_LANGUAGES=typescript not running the JavaScript plugin.
  • Fixed PURL qualification for OS packages found through ELF binary cataloging in distroless images, which prevented false-positive vulnerability matches.
  • Fixed PR-incremental scans to source baseline context from the baseline repository version instead of querying all packages.
  • Deprecated the --registry flag on endorctl container registry. It is now replaced by --host.
  • Fixed PR-incremental Java scans triggering full Gradle resolution when no Gradle manifest survived the PR filter.
  • Fixed include-path validation to reject directory paths without /* or /** when set through environment variables, matching the behavior of the CLI flags and preventing accidental package deletions.
  • Reordered path validation so include and exclude paths are validated before .gitignore paths are applied.
  • Deprecated the --registry-type flag on endorctl container registry. It is now replaced by --type.