Release notes

Endor Labs helps you select, secure, and maintain dependencies, so development moves fast and supply chain risk remains low. The following release notes highlight the most recent major capabilities and any major bug fixes published by Endor Labs.

We are excited to introduce the latest features and enhancements in Endor Labs.

CI/CD tool scanning has been discontinued and is no longer available. This change does not affect the scanning of GitHub Action dependencies.

Endor Labs now includes Endor AI Chat, an AI-powered assistant designed to help you understand vulnerabilities and take quicker, more informed action. You can ask natural language questions about security findings, scan results, package versions, and vulnerabilities. See Endor AI chat.

You can now search for authorization policies using rule criteria, creator email addresses, and namespace assignments.

For more information, see Search authorization policies.

We are excited to introduce the latest features and enhancements in Endor Labs.

CI/CD tool scanning functionality is being deprecated and will be discontinued by the end of September 2025. This change does not affect the scanning of GitHub Action dependencies.

You can now use the dedicated command endorctl container scan for container scanning. This replaces the older endorctl scan --container command. Migrate to endorctl container scan to ensure continued compatibility. For more information, see Use new container scan commands.

Endor Labs now uses Opengrep instead of Semgrep to scan your code for SAST and AI model findings. Opengrep is an open-source static analysis tool that finds bugs and vulnerabilities in source code using pattern matching. Endor Labs automatically downloads Opengrep when you run a scan that needs it.

You can continue using Semgrep with Endor Labs if you prefer. See Use Semgrep with Endor Labs for more information.

Endor Labs now supports Scan Workflow, which lets you define scan profiles as sequential steps within a single project scan. This gives you fine-grained control over how scans run and lets you target different parts of your codebase more precisely.

You can configure a scan workflow and assign it to your project either using the Endor Labs API or through the Endor Labs user interface.

For more information, see Configure Scan Workflow in Endor Labs.

Endor Labs now supports Upgrade Impact Analysis (UIA) for JavaScript and TypeScript projects. UIA helps you understand the potential impact of upgrading dependencies by identifying breaking changes and dependency conflicts that may occur during upgrades.

For more information, see Upgrade impact analysis and JavaScript/TypeScript scanning.

Endor Labs now offers policies that reduce supply chain risks by detecting newly released open source dependencies within a configurable cooldown period and optionally blocking their adoption to prevent issues from unverified packages and malware.

  • Recently Released Dependencies finding policy: Enable this finding policy to identify dependency versions that were published within the defined cooldown period and raise findings for them. The default cooldown period is 48 hours.

  • Recently Released Dependencies (Cooldown) action policy: Create an action policy from the template to define how to handle these findings.

For more information, see OSS finding policy, and Recently released dependencies action policy.
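The check behind a cooldown policy, as an added example that is not Endor Labs code: each resolved dependency version is compared against a cooldown window (48 hours by default, matching the finding policy above) and flagged if it was published inside that window; a blocking mode emulates the action policy. The lock data, publish timestamps and scan time are constructed so the script runs offline; a real check would read publish times from the package registry.

```python
"""Cooldown check for newly published dependency versions.

Added example, not Endor Labs code. Lock data and timestamps below are
constructed; in practice publish times come from the package registry.
"""
from datetime import datetime, timedelta, timezone

DEFAULT_COOLDOWN_HOURS = 48

# Constructed sample lock data: (package, version, published-at in UTC).
SAMPLE_LOCK = [
    ("left-pad", "1.3.0", "2025-08-01T10:00:00Z"),
    ("requests", "2.32.4", "2025-08-09T15:30:00Z"),
    ("colour-utils", "0.0.2", "2025-08-10T08:45:00Z"),
]
# Constructed scan time used by the checks below.
SCAN_TIME = datetime(2025, 8, 10, 12, 0, tzinfo=timezone.utc)


def parse_timestamp(value):
    """Parse the ISO-8601 UTC timestamp that registries commonly publish."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_recent(lock, now, cooldown_hours=DEFAULT_COOLDOWN_HOURS):
    """Return a finding for each version published inside the cooldown window.

    A publish time in the future (registry clock skew) has a negative age but
    is still inside the window, so it is flagged rather than silently passed.
    """
    cutoff = now - timedelta(hours=cooldown_hours)
    findings = []
    for name, version, published in lock:
        published_at = parse_timestamp(published)
        if published_at > cutoff:
            age_hours = (now - published_at).total_seconds() / 3600
            findings.append({
                "package": name,
                "version": version,
                "age_hours": round(age_hours, 1),
                "cooldown_hours": cooldown_hours,
            })
    return findings


def evaluate(lock, now, cooldown_hours=DEFAULT_COOLDOWN_HOURS, block=True):
    """Emulate the action policy: return (findings, allowed).

    With block=True any finding fails the check, as a blocking action policy
    would; with block=False findings are only reported (warn mode).
    """
    findings = find_recent(lock, now, cooldown_hours)
    allowed = (not block) or not findings
    return findings, allowed


if __name__ == "__main__":
    found, ok = evaluate(SAMPLE_LOCK, SCAN_TIME)
    for f in found:
        print(f"{f['package']}@{f['version']} published {f['age_hours']}h ago "
              f"(cooldown {f['cooldown_hours']}h)")
    print("allowed" if ok else "blocked")
```

With the constructed data, two of the three versions fall inside the 48-hour window and a blocking evaluation fails; shortening the window to 12 hours leaves only the youngest version flagged.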

Because SAST scans now use Opengrep instead of Semgrep, you can run SAST scans on Windows. For more information, see SAST scan with Endor Labs.

Endor Labs now supports scanning Swift projects that use the Swift Package Manager (SwiftPM) by resolving dependencies from the Package.swift file.

For more information, see Scan Swift projects.

Endor Labs now supports filtering findings exported to GitHub Advanced Security through action policies. Findings are exported only from projects covered by configured action policies.

For more information, see Export findings to GitHub Advanced Security.

The First Party Code dashboard now features a stacked bar chart that displays the top 10 secret rules along with their corresponding findings. This helps you identify high-impact rules and prioritize remediation by severity.

For more information, see First-party code.

Endor Labs now includes vulnerability aliases in SARIF output for SCA findings. Aliases such as CVE IDs, GHSA IDs, and other OSV identifiers help you track multiple identifiers for the same vulnerability and improve integration with security tools and workflows.
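What a consumer of the SARIF export can do with those aliases, as an added example that is not Endor Labs code: every result is indexed under its rule ID and each alias, so a lookup by CVE, GHSA or PYSEC identifier lands on the same finding, and results whose identifier sets overlap are merged into one group per vulnerability. The SARIF document is a constructed sample in the standard SARIF 2.1.0 layout with placeholder identifiers (not real advisories). Where the aliases live is an assumption for this example, a result property bag entry named `aliases`; the page does not say which property Endor Labs uses, so adjust the accessor in `identifiers` to match the actual export.

```python
"""Index SARIF SCA results by every identifier (rule ID plus aliases).

Added example, not Endor Labs code. The `aliases` property bag key is an
assumption; the sample document and its identifiers are constructed.
"""
import json
from collections import defaultdict

SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "constructed-sca", "rules": [
            {"id": "GHSA-xxxx-xxxx-0001"},
            {"id": "GHSA-xxxx-xxxx-0002"},
        ]}},
        "results": [
            {"ruleId": "GHSA-xxxx-xxxx-0001", "level": "error",
             "message": {"text": "pkg-a@1.0.0 is affected"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}}}],
             "properties": {"aliases": ["CVE-0000-0001", "PYSEC-0000-1"]}},
            {"ruleId": "GHSA-xxxx-xxxx-0002", "level": "warning",
             "message": {"text": "pkg-b@2.3.0 is affected"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}}}],
             "properties": {"aliases": ["CVE-0000-0002"]}},
            {"ruleId": "GHSA-xxxx-xxxx-0001", "level": "error",
             "message": {"text": "pkg-a@1.0.0 is affected"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/api/package-lock.json"}}}],
             "properties": {"aliases": ["CVE-0000-0001"]}},
        ],
    }],
})


def identifiers(result):
    """All identifiers naming this result's vulnerability, upper-cased for matching."""
    ids = {result.get("ruleId", "")}
    ids |= set(result.get("properties", {}).get("aliases", []))  # assumed key
    return sorted(i.upper() for i in ids if i)


def locations(result):
    return [loc["physicalLocation"]["artifactLocation"]["uri"]
            for loc in result.get("locations", [])]


def index_results(sarif):
    """Map every identifier to the results that carry it."""
    index = defaultdict(list)
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            for ident in identifiers(result):
                index[ident].append(result)
    return index


def lookup(index, ident):
    """Find results by any identifier, e.g. a CVE taken from an advisory feed."""
    return index.get(ident.upper(), [])


def group_by_vulnerability(sarif):
    """Merge results whose identifier sets overlap into one group per vulnerability.

    Union-find over identifiers: two results that share any alias are the same
    issue even if one names it by GHSA ID and another by CVE ID.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    results = [r for run in sarif.get("runs", []) for r in run.get("results", [])]
    for result in results:
        ids = identifiers(result)
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    groups = defaultdict(lambda: {"identifiers": set(), "locations": set()})
    for result in results:
        ids = identifiers(result)
        if not ids:  # a result with no rule ID and no aliases cannot be grouped
            continue
        root = find(ids[0])
        groups[root]["identifiers"].update(ids)
        groups[root]["locations"].update(locations(result))
    return [{"identifiers": sorted(g["identifiers"]), "locations": sorted(g["locations"])}
            for g in groups.values()]


if __name__ == "__main__":
    doc = json.loads(SAMPLE_SARIF)
    for group in group_by_vulnerability(doc):
        print(", ".join(group["identifiers"]), "->", ", ".join(group["locations"]))
```

On the sample, a lookup by the CVE alias returns both results that were reported under the GHSA rule ID, and grouping yields two vulnerabilities across three results.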

You can now use the search bar to filter projects by name and tags to focus the OSS overview on specific projects. This helps organizations prioritize the most critical and exploitable vulnerabilities, enabling more targeted security efforts.

For more information, see First-party code.

Endor Labs now supports Gradle package manager integration. You can configure private package manager repositories for Gradle through the user interface to scan dependencies from custom repositories and enhance dependency resolution.

For more information, see Gradle private package manager.

You can now filter findings by project name and tags, so you can focus on the findings of a specific project and remove noise from other projects.

For more information, see Search for findings using basic filters.

You can now clone scan profiles in your namespace. The cloned profile retains all parameters and custom settings, helping you set up new profiles faster and maintain consistent configurations across scans.

For more information, see Clone scan profile.

We are excited to introduce the latest features and enhancements in Endor Labs.

CI/CD tool scanning functionality is being deprecated and will be discontinued by September 15, 2025. This change does not affect the scanning of GitHub Action dependencies.

AI security review provides automated code review capabilities using artificial intelligence to identify potential security issues in your code base. You can set up AI security review to review pull requests and raise findings for security issues.

For more information, see AI security review.

The first-party code dashboard provides a comprehensive view of the vulnerabilities in your codebase from a SAST and secrets perspective.

For more information, see First-party code dashboard.

You can now enable the End of Life Container Dependencies finding policy to raise findings for OS-level packages and components in container images that have reached end of life.

For more information, see Container finding policies.

Endor Labs now offers improved malware detection with detailed malware reasoning, broader coverage, and timely warnings before malicious packages disappear from registries. You can use the following new malware focused policies:

  • Malware finding policy: Enable this OSS finding policy to identify known malicious code or suspicious patterns in dependencies and raise findings for them.
  • Malware action policy: Create an action policy from the malware template to define how to handle malware findings.
  • Malware exception policy: Create an exception policy to apply exceptions to malware findings under defined conditions and exclude them from action policies.

For more information, see OSS finding policy, Malware action policy, and Malware exception policy.

You can now export Software Bills of Materials in the industry-standard SPDX format, with support for both JSON and tag-value output, making it easier to integrate SBOMs into existing compliance, auditing, and security workflows.

For more information, see Export SBOM in Endor Labs.
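The relationship between the two output formats, as an added example that is not Endor Labs code: a constructed SPDX 2.3 document in the JSON form is rendered as the equivalent tag-value form, and the document is checked for a common SBOM defect, relationships that point at an element the document never declares. Package names and the download URL are illustrative; the document namespace uses a reserved `.invalid` host.

```python
"""Convert an SPDX 2.3 JSON SBOM to tag-value and sanity-check its relationships.

Added example, not Endor Labs code. The SBOM below is constructed.
"""
import json

SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "documentNamespace": "https://example.invalid/spdx/example-app-1",
    "creationInfo": {"created": "2025-08-10T12:00:00Z",
                     "creators": ["Tool: constructed-example"]},
    "packages": [
        {"name": "example-app", "SPDXID": "SPDXRef-Package-app",
         "versionInfo": "1.0.0", "downloadLocation": "NOASSERTION",
         "filesAnalyzed": False, "licenseConcluded": "NOASSERTION",
         "licenseDeclared": "MIT", "copyrightText": "NOASSERTION"},
        {"name": "lodash", "SPDXID": "SPDXRef-Package-lodash",
         "versionInfo": "4.17.21",
         "downloadLocation": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
         "filesAnalyzed": False, "licenseConcluded": "MIT",
         "licenseDeclared": "MIT", "copyrightText": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-app"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-lodash"},
    ],
})


def free_text(value):
    """Tag-value wraps multi-line free text fields in <text>...</text>."""
    value = str(value)
    return f"<text>{value}</text>" if "\n" in value else value


def to_tag_value(doc):
    """Render the JSON document as SPDX tag-value, one 'Tag: value' per line."""
    lines = [
        f"SPDXVersion: {doc['spdxVersion']}",
        f"DataLicense: {doc['dataLicense']}",
        f"SPDXID: {doc['SPDXID']}",
        f"DocumentName: {doc['name']}",
        f"DocumentNamespace: {doc['documentNamespace']}",
    ]
    lines += [f"Creator: {c}" for c in doc["creationInfo"]["creators"]]
    lines.append(f"Created: {doc['creationInfo']['created']}")
    for pkg in doc.get("packages", []):
        lines += ["", f"PackageName: {pkg['name']}", f"SPDXID: {pkg['SPDXID']}"]
        if "versionInfo" in pkg:
            lines.append(f"PackageVersion: {pkg['versionInfo']}")
        lines.append(f"PackageDownloadLocation: {pkg.get('downloadLocation', 'NOASSERTION')}")
        lines.append(f"FilesAnalyzed: {'true' if pkg.get('filesAnalyzed') else 'false'}")
        lines.append(f"PackageLicenseConcluded: {pkg.get('licenseConcluded', 'NOASSERTION')}")
        lines.append(f"PackageLicenseDeclared: {pkg.get('licenseDeclared', 'NOASSERTION')}")
        lines.append(f"PackageCopyrightText: {free_text(pkg.get('copyrightText', 'NOASSERTION'))}")
        for ref in pkg.get("externalRefs", []):
            lines.append("ExternalRef: "
                         f"{ref['referenceCategory']} {ref['referenceType']} {ref['referenceLocator']}")
    if doc.get("relationships"):
        lines.append("")
    for rel in doc.get("relationships", []):
        lines.append(f"Relationship: {rel['spdxElementId']} "
                     f"{rel['relationshipType']} {rel['relatedSpdxElement']}")
    return "\n".join(lines) + "\n"


def dangling_relationships(doc):
    """Relationships whose endpoints are not declared in the document.

    NOASSERTION and NONE are valid targets for relatedSpdxElement.
    """
    known = {doc["SPDXID"]} | {p["SPDXID"] for p in doc.get("packages", [])}
    known |= {f["SPDXID"] for f in doc.get("files", [])}
    bad = []
    for rel in doc.get("relationships", []):
        target_ok = rel["relatedSpdxElement"] in known | {"NOASSERTION", "NONE"}
        if rel["spdxElementId"] not in known or not target_ok:
            bad.append(rel)
    return bad


def purls(doc):
    """Collect package URLs, the identifier most tools key on when matching packages."""
    return sorted(ref["referenceLocator"]
                  for pkg in doc.get("packages", [])
                  for ref in pkg.get("externalRefs", [])
                  if ref.get("referenceType") == "purl")


if __name__ == "__main__":
    document = json.loads(SAMPLE_SPDX_JSON)
    print(to_tag_value(document))
    print("dangling:", dangling_relationships(document))
```

The dangling-relationship check is the one worth keeping in a pipeline: an SBOM that declares `DEPENDS_ON` edges to elements it never describes will pass a format validator but misleads anyone consuming the dependency graph.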

The GHAS SARIF exporter now supports pull request scans for GitHub App (Pro). If you have enabled pull request scans in your GitHub App, the GHAS SARIF exporter exports the findings for each pull request. You can view the findings for the pull request in GitHub Advanced Security.

For more information, see Export findings to GitHub Advanced Security.

Endor Labs extends AI model detection to include Azure OpenAI, surfacing detected models as dependencies during scans. Azure OpenAI models are detected but not scored, as provider metadata is limited.

For more information, see AI model detection.

You can now scan container images saved as tarball files using endorctl. This helps you analyze dependencies, generate SBOM details, and review security findings for container images that are not directly accessible from a registry.

For more information, see Scan container image tarball.

You can now use the MAL identifier to search for known malware in the Endor Labs vulnerability database and quickly identify malicious packages alongside existing vulnerabilities.

For more information, see Endor Labs vulnerability database.

We are excited to introduce the latest features and enhancements in Endor Labs.

Endor Labs now supports CVSS v4.0 as an enhanced standard for vulnerability severity assessment.

CVSS v4.x scores, including full vector strings and metadata, are available in Endor Labs' reporting and data exports. Note that Vanta exports continue to support only CVSS v3.x.

By default, Endor Labs uses CVSS v3.x. You must explicitly configure the system to use CVSS v4.x.

For more information, see Configure CVSS score version.
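What a consumer of the exports has to handle once both versions appear, as an added example that is not Endor Labs code: the version prefix identifies the vector; v3.0 and v3.1 base scores are recomputed from the vector with the formula in the CVSS v3.1 specification (a useful cross-check on any score column); v4.0 vectors are validated and decoded but not scored, because v4.0 scoring goes through the MacroVector lookup table, which is outside this example. The sample record and its field names `cvss_v3_vector` and `cvss_v4_vector` are assumptions made for the example, not field names from the page, and the vectors are generic rather than taken from any CVE.

```python
"""Parse CVSS v3.x and v4.0 vector strings and recompute v3.x base scores.

Added example, not Endor Labs code. Record field names are assumed.
"""
import math
import re

# CVSS v3.1 base metric weights (specification, section 7.4).
_V3 = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
}
# Privileges Required depends on Scope (U = unchanged, C = changed).
_V3_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},
          "C": {"N": 0.85, "L": 0.68, "H": 0.50}}
_V3_BASE = ["AV", "AC", "PR", "UI", "S", "C", "I", "A"]
_V4_BASE = ["AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"]


def parse_vector(vector):
    """Split a vector into (version, {metric: value}); reject unknown versions."""
    head, _, rest = vector.strip().partition("/")
    match = re.fullmatch(r"CVSS:(3\.0|3\.1|4\.0)", head)
    if not match:
        raise ValueError(f"not a CVSS 3.x/4.0 vector: {vector!r}")
    metrics = {}
    for part in rest.split("/"):
        name, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[name] = value
    return match.group(1), metrics


def _roundup(value):
    """Roundup as defined in CVSS v3.1 (integer arithmetic avoids float artefacts)."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def base_score_v3(metrics):
    """CVSS v3.1 base score from the eight base metrics (v3.0 uses the same weights)."""
    missing = [m for m in _V3_BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    scope = metrics["S"]
    iss = 1 - ((1 - _V3["CIA"][metrics["C"]]) * (1 - _V3["CIA"][metrics["I"]])
               * (1 - _V3["CIA"][metrics["A"]]))
    if scope == "U":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = (8.22 * _V3["AV"][metrics["AV"]] * _V3["AC"][metrics["AC"]]
                      * _V3_PR[scope][metrics["PR"]] * _V3["UI"][metrics["UI"]])
    if impact <= 0:
        return 0.0
    if scope == "U":
        return _roundup(min(impact + exploitability, 10))
    return _roundup(min(1.08 * (impact + exploitability), 10))


def describe(vector):
    """Version, decoded metrics and, for v3.x, the recomputed base score."""
    version, metrics = parse_vector(vector)
    if version.startswith("3."):
        return {"version": version, "metrics": metrics,
                "base_score": base_score_v3(metrics)}
    missing = [m for m in _V4_BASE if m not in metrics]
    if missing:
        raise ValueError(f"v4.0 vector missing base metrics: {missing}")
    return {"version": version, "metrics": metrics, "base_score": None}


def choose_vector(record, prefer_v4=False):
    """Pick the vector to report: v3.x unless v4.0 is preferred and present."""
    if prefer_v4 and record.get("cvss_v4_vector"):
        return record["cvss_v4_vector"]
    return record["cvss_v3_vector"]


# Constructed sample record (assumed field names); vectors are generic.
SAMPLE_RECORD = {
    "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "cvss_v4_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
}

if __name__ == "__main__":
    for prefer in (False, True):
        print(describe(choose_vector(SAMPLE_RECORD, prefer_v4=prefer)))
```

The `_roundup` helper matters: the v3.1 specification replaced naive rounding with this integer form precisely because floating-point sums such as 9.76016 otherwise round inconsistently across implementations.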

Endor Labs now includes a comprehensive vulnerability database to search and analyze known issues across software dependencies using CVE, GHSA, and PySEC identifiers. It maps vulnerable package versions to impacted projects and findings to support easier remediation.

For more information, see Endor Labs vulnerability database.

Endor Labs now supports exporting findings to GitHub Advanced Security as SARIF files. You can use GitHub Advanced Security to analyze and triage findings from Endor Labs.

For more information, see Export findings to GitHub Advanced Security.

Endor Labs extends AI model detection to include external providers, listing detected models as dependencies. Hugging Face models are scored, as they are open source and provide extensive public metadata. Models from other providers are detected but not scored due to limited data.

For more information, see AI model detection.

Effective Monday, July 21, 2025, Endor Labs is releasing new updates to the code segment analyzer and the underlying database of hashes and embeddings used in C/C++ Software Composition Analysis. If you use continuous integration workflows or perform local scans, you must update to the latest version of endorctl and re-run your scan with:

endorctl scan --languages=c

The first scan may take longer than usual, as it rebuilds the cache of code segments. You may also see differences in the results compared to previous scans. These changes improve the accuracy of dependency detection and matching.

We are excited to introduce the latest features and enhancements in Endor Labs.

Endor Labs MCP server is now available in alpha for Cursor and Visual Studio Code.

The Endor Labs MCP server integrates directly into your IDE to scan code in real-time, and catch security issues before they reach production. This workflow secures both human and AI-generated code from the moment it’s written. For more information, see Endor Labs MCP Server.

You can now grant the Endor Labs support team read-only access to your tenant for a limited time. This feature enables our support team to assist you more efficiently while ensuring your data remains secure and private.

For more information, see Grant support access.

You can now configure two new finding policies and manage the use of AI models more effectively in your organization.

  • Restricted AI models: Raise a finding when a repository uses an AI model that your organization has marked as restricted or allowed only in specific contexts.

  • Restricted AI model providers: Raise a finding when a repository uses an AI model from a provider that is restricted based on your organization’s policy.

For more information, see Detect AI models.

You can now upgrade a finding policy when a new version is available. Policy upgrades may include changes such as updated Rego code, new fields, parameters, or tags. After upgrading, you cannot revert the policy to its previous version.

For more information, see Upgrade a finding policy.

endorctl now evaluates MSBuild properties from files like Directory.Build.props, enabling resolution of package names and versions defined using variables.

For more information, see Resolving package names from props files.
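What that resolution involves, as an added example that is not endorctl code: properties from each `<PropertyGroup>` in Directory.Build.props and the project file are collected in document order with later definitions winning, `$(Name)` references are expanded eagerly so one property can build on another, an undefined property expands to the empty string as in MSBuild, and any PackageReference still lacking a version is reported as unresolved. The two XML documents are constructed for this example; it ignores `Condition` attributes and imports other than Directory.Build.props, which real MSBuild evaluates.

```python
"""Resolve PackageReference names and versions defined through MSBuild properties.

Added example, not endorctl code. Both XML documents below are constructed.
Limitations: Condition attributes and other imports are ignored.
"""
import re
import xml.etree.ElementTree as ET

# Constructed Directory.Build.props: versions shared across a repository.
PROPS_XML = """<Project>
  <PropertyGroup>
    <NewtonsoftVersion>13.0.3</NewtonsoftVersion>
    <SerilogVersion>3.1.1</SerilogVersion>
    <LoggingPackage>Serilog</LoggingPackage>
    <LoggingPackageFull>$(LoggingPackage).Sinks.Console</LoggingPackageFull>
  </PropertyGroup>
</Project>
"""

# Constructed project file: overrides one version, references an undefined property.
CSPROJ_XML = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <SerilogVersion>3.1.0</SerilogVersion>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="$(NewtonsoftVersion)" />
    <PackageReference Include="$(LoggingPackage)" Version="$(SerilogVersion)" />
    <PackageReference Include="$(LoggingPackageFull)">
      <Version>5.0.1</Version>
    </PackageReference>
    <PackageReference Include="Unpinned.Package" Version="$(MissingVersion)" />
  </ItemGroup>
</Project>
"""

_PROPERTY_REF = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")


def _local(tag):
    """Strip the XML namespace that old-style (non-SDK) project files carry."""
    return tag.rsplit("}", 1)[-1]


def expand(value, props):
    """Expand $(Name) references; unknown names become empty, as in MSBuild."""
    return _PROPERTY_REF.sub(lambda m: props.get(m.group(1), ""), value or "")


def collect_properties(xml_text, props=None):
    """Evaluate <PropertyGroup> children in document order; the last definition wins.

    Values are expanded eagerly so a property may build on earlier ones.
    """
    props = dict(props or {})
    for group in ET.fromstring(xml_text):
        if _local(group.tag) != "PropertyGroup":
            continue
        for prop in group:
            props[_local(prop.tag)] = expand((prop.text or "").strip(), props)
    return props


def package_references(csproj_xml, props):
    """Return (name, version or None, raw version text) per PackageReference."""
    refs = []
    for group in ET.fromstring(csproj_xml):
        if _local(group.tag) != "ItemGroup":
            continue
        for item in group:
            if _local(item.tag) != "PackageReference":
                continue
            raw = item.get("Version")
            if raw is None:  # the version may also be given as a child element
                child = next((c for c in item if _local(c.tag) == "Version"), None)
                raw = (child.text or "").strip() if child is not None else ""
            version = expand(raw, props)
            refs.append((expand(item.get("Include", ""), props), version or None, raw))
    return refs


def resolve(props_xml, csproj_xml):
    """Directory.Build.props is imported before the project body, so it is read first."""
    props = collect_properties(csproj_xml, collect_properties(props_xml))
    return package_references(csproj_xml, props)


if __name__ == "__main__":
    for name, version, raw in resolve(PROPS_XML, CSPROJ_XML):
        print(f"{name:32} {version or 'UNRESOLVED':12} (from {raw!r})")
```

The unresolved case is the one to watch in SCA output: a reference whose version expands to nothing is not a pinned dependency, and a scanner that silently drops it produces an incomplete inventory.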

Findings in the SCA, Vulnerability, and Container categories are now grouped by Dependency by default, making it easier to review your scans.

For more information, see View findings.

Endor Labs now automatically detects AI models during SCA scans when using the GitHub App, Bitbucket App, Azure DevOps App, and GitLab App. You can view AI models from the AI Inventory.

For more information, see View AI model findings using Endor Labs GitHub App.

You can now configure the Jira integration in Endor Labs to automatically populate the Components field in Jira tickets for both company-managed and team-managed Jira projects.

For more information, see Integrate Jira with Endor Labs.

By default, the Endor Labs dashboard includes data from all child namespaces. Use the All child namespaces excluded toggle to exclude child namespaces and view data and metrics for only the selected namespace.

For more information, see Namespaces in Endor Labs.

We are excited to introduce the latest features and enhancements in Endor Labs.

Outpost is a new on-premise scheduler for monitoring scans that you can run in your own Kubernetes cluster. When you install and configure Outpost, monitoring scans on your source code repositories are scheduled and run on your own Kubernetes cluster inside your firewall. For more information, see Outpost.

You can now use a Personal Access Token (PAT) to authenticate your Jira Data Center instance to Endor Labs.

For more information, see Configure Jira integration.

Endor Labs now offers support for scanning Python projects that use Pipenv as their package manager by resolving dependencies from Pipfile and Pipfile.lock. For more information, see Scan Python projects.

You can now view which features in the Endor Labs application use AI services. To modify AI access settings, go to Settings > AI Access and contact support to customize access based on your organization’s needs. For more information, see AI access.

The Projects page now includes enhancements that make it easier to explore, sort, and filter package data.

  • The following new columns help you assess the overall health of your project.
    • Dependency Resolution Status - Shows the percentage of packages for which dependency resolution was successful.
    • Reachability Analysis Status - Shows the percentage of packages for which reachability analysis was successful.
  • Click any column header to sort projects in ascending or descending order. For more information, see Manage projects.
  • From Inventory > Packages, you can now filter packages by Dependency Resolution or Reachability Analysis statuses to focus on relevant results.
  • Sort packages by Package name, Created date, and Last Scanned date to quickly locate changes or specific dependencies. For more information, see Packages.

Reachability analysis is no longer supported for Rust projects. However, you can continue to scan Rust projects for software composition analysis and vulnerability detection.

You can now view the location of the findings identified by Endor Labs in your Jira tickets. For more information, see Findings in Jira.