# endorctl changelog

> Version-by-version changes to the endorctl CLI.

<Update label="v1.7.1024" description="June 24, 2026">
  The following changes were introduced in endorctl:

  * Bug fixes and miscellaneous improvements.
</Update>

<Update label="v1.7.1021" description="June 23, 2026">
  The following changes were introduced in endorctl:

  * Maven package scans now surface the underlying error when a POM fails to parse.
  * Maven dependency resolution now loads the maven-bundle-plugin extension for OSGi POMs.
  * Ruby scans now import bundler to parse gemspec files.
</Update>

<Update label="v1.7.1013" description="June 18, 2026">
  The following changes were introduced in endorctl:

  * Fixed Azure DevOps PR scans that failed due to a false staleness check.
  * SBOM export by name now returns a clear error when the package version is not found.
  * Secret scans now perform a full rescan when an explicit rescan is requested.
</Update>

<Update label="v1.7.1007" description="June 16, 2026">
  The following changes were introduced in endorctl:

  * Fixed PR identification for GitLab and Bitbucket, resolving spurious 401 errors during PR scans.
  * Added the `--secret-rules-file` flag to `endorctl scan` for supplying custom secret detection rules.
  * Improved language detection for Rust projects.
  * Python call graph generation now batches large projects by lines of code and available memory.
  * Fixed pnpm scan failures where a package referencing workspace `catalog:` dependencies could not build its lock file when scanned in isolation.
</Update>

<Update label="v1.7.1002" description="June 10, 2026">
  The following changes were introduced in endorctl:

  * Superseded PR scans are now cancelled automatically, with a dedicated return code.
  * Deleted package versions are now tracked in scan results and scan history.
</Update>

<Update label="v1.7.1001">
  The following changes were introduced in endorctl:

  * Bug fixes and miscellaneous improvements.
</Update>

<Update label="v1.7.1000" description="June 9, 2026">
  The following changes were introduced in endorctl:

  * Fixed PR scans on shallow or partial clones, where the merge base could be unreachable and the diff silently fell back to an incorrect comparison. endorctl now deepens the clone to reach the merge base, and reports a clear error if the two branches share no history.
</Update>

<Update label="v1.7.998" description="June 8, 2026">
  The following changes were introduced in endorctl:

  * Added the `--include-test-dependencies` flag to `endorctl sbom export`.
  * Pre-commit secret scans now flag only added lines.
  * Expanded secret validation coverage.
  * JavaScript scans now resolve call graphs for private transitive dependencies.
  * Improved Ruby dependency resolution in scans.
</Update>

<Update label="v1.7.994" description="June 4, 2026">
  The following changes were introduced in endorctl:

  * JavaScript scans can now fetch call graphs for private packages.
  * Improved error handling and return codes for local scans.
  * Added a return code for when the baseline is not found.
  * Secret scanning now applies the global allowlist during file walking for faster scans.
  * Fixed incomplete call graphs on large Go projects, where build metadata could exceed an internal scan buffer and silently drop required build settings.
</Update>

<Update label="v1.7.990" description="June 2, 2026">
  The following changes were introduced in endorctl:

  * Added the `--dry-run` flag to `endorctl container registry scan`.
  * Fixed the declared license field for compound SPDX expressions.
</Update>

<Update label="v1.7.988" description="June 1, 2026">
  The following changes were introduced in endorctl:

  * Added the `--os-reachability` flag to `endorctl container registry scan`.
  * Added Harbor as a container registry type option.
  * JavaScript scans now support a custom lock file location.
  * Fixed a JavaScript call graph failure that could cause findings to be deleted.
  * Private SCM dependency resolution across organizations is now enabled by default.
  * Added secret detection rules for Azure AD client secrets (canonical Q\~ format) and Azure Storage Account Keys, including a validator.
  * Fixed authentication gaps in `.npmrc` file handling.
  * GitHub SARIF writes now retry transient 401 errors, with clearer GitHub authentication error classification.
  * SBOM export now skips malformed packages instead of failing the entire export.
</Update>

<Update label="v1.7.980" description="May 26, 2026">
  The following changes were introduced in endorctl:

  * Fixed a Gradle issue where dependencies that failed manifest discovery were silently dropped, which inflated reported success rates. The resolver now synthesizes a path-derived package name so these scan failures are reported accurately.
  * Fixed SBOM imports where SPDX documents with multiple root packages would silently abort and return zero findings. Multi-root SPDX documents are now normalized to a single root before CycloneDX conversion, so imports succeed and vulnerability matching runs.
</Update>

<Update label="v1.7.978" description="May 22, 2026">
  The following changes were introduced in endorctl:

  * Added environment variable support for the `scanned-only` and `exclude-scanned` flags in `container registry list`, with validation that enforces mutual exclusivity between the flags and their environment variables.
  * Added environment variable support (`ENDOR_CONTAINER_COLLECT_*`) for the `kubeconfig-context`, `kubeconfig-path`, and `runtime-type` flags in `container collect`, with early validation of the kubeconfig context and runtime type.
</Update>

<Update label="v1.7.976" description="May 19, 2026">
  The following changes were introduced in endorctl:

  * Dependencies whose license category cannot be determined now report a category of `Unknown` instead of an empty value, so they filter consistently by license category.
</Update>

<Update label="v1.7.973" description="May 14, 2026">
  The following changes were introduced in endorctl:

  * Dependency metadata now includes declared and discovered SPDX license identifiers.
  * Added Google Artifact Registry (GAR) support for container registry scanning, including authentication and `gar` as a `--type` option on `endorctl container registry`.
  * The `--image` and `--image-tar` flags now apply only to the `container scan`, `instrument`, and `collect` commands. The `container registry` subcommands no longer accept them.
  * Added a warning message when the default branch is switched during a scan.
  * Fixed call graph generation for Java and Scala to use the JDK at `JAVA_HOME` before falling back to `PATH`, so the call graph uses your configured JDK.
  * Bazel targets are now resolved at the start of a scan, improving accuracy of the Bazel package include filter.
  * Fixed C# PR segment-matching to handle workspaces with multiple package versions and non-root baseline versions.
  * Fixed `container scan` argument validation to check both CLI flags and `ENDOR_CONTAINER_SCAN_*` environment variables, so env-only configuration is no longer ignored.
</Update>

<Update label="v1.7.968" description="May 11, 2026">
  The following changes were introduced in endorctl:

  * NuGet dependency scans now extract license information from a package's LicenseUrl when it is not otherwise declared, improving license coverage for NuGet projects.
</Update>

<Update label="v1.7.960" description="May 5, 2026">
  The following changes were introduced in endorctl:

  * Added the `--insecure` flag (env var `ENDOR_CONTAINER_REGISTRY_INSECURE`) to `endorctl container registry` commands, which skips TLS verification when connecting to self-signed container registries.
  * Renamed the environment variable for `--registry-namespace` from `ENDOR_CONTAINER_REGISTRY_REGISTRY_NAMESPACE` to `ENDOR_CONTAINER_REGISTRY_NAMESPACE`.
</Update>

<Update label="v1.7.957" description="May 4, 2026">
  The following changes were introduced in endorctl:

  * Fixed pnpm workspace detection failing when pnpm emitted WARN lines for unresolvable variables in `.npmrc` files.
  * Fixed secret policies not matching when a custom secret rule's name differed from its description. The result name is now sourced from the rule name.
  * Added `oci` as a supported registry type for container scanning, enabling OCI-compliant registry support.
  * Fixed a race condition that could delete the old default branch when a new default branch was set.
  * Fixed PR-incremental scans over-resolving dependencies on Gradle composite-build repositories. The Gradle resolver now honors the narrowed manifest set.
  * Fixed `ENDOR_SCAN_LANGUAGES=typescript` not running the JavaScript plugin.
  * Fixed PURL qualification for OS packages found through ELF binary cataloging in distroless images, which prevented false-positive vulnerability matches.
  * Fixed PR-incremental scans to source baseline context from the baseline repository version instead of querying all packages.
  * Deprecated the `--registry` flag on `endorctl container registry`. It is now replaced by `--host`.
  * Fixed PR-incremental Java scans triggering full Gradle resolution when no Gradle manifest survived the PR filter.
  * Fixed include-path validation to reject directory paths without `/*` or `/**` when set through environment variables, matching the behavior of the CLI flags and preventing accidental package deletions.
  * Reordered path validation so include and exclude paths are validated before `.gitignore` paths are applied.
  * Deprecated the `--registry-type` flag on `endorctl container registry`. It is now replaced by `--type`.
</Update>
