Release notes

Endor Labs helps you select, secure, and maintain dependencies, so development moves fast and supply chain risk remains low. The following release notes highlight the most recent major capabilities and any major bug fixes published by Endor Labs.

We are excited to introduce the latest features and enhancements in Endor Labs.

Endor Labs now supports Bazel aspects to improve dependency resolution accuracy in Bazel workspaces. Endor Labs automatically discovers and applies the appropriate rules for your project, and also supports custom aspects for projects with custom build rules.

For more information, see Bazel aspects.

Endor Labs now supports AI-powered analysis for SAST findings to automatically classify them as true positives or false positives. The AI agent analyzes code context, traces data flows, and evaluates security controls to reduce false positives, helping security teams and developers focus on genuine security vulnerabilities. AI SAST analysis features require a Code Pro license.

For more information, see SAST scan with AI analysis.

The Endor Labs Bitbucket Cloud App now supports automated pull request scanning for security vulnerabilities, policy violations, and exposed secrets. You can also configure PR comments directly on your pull requests when issues are detected, helping developers address security concerns before merging code.

For more information, see Bitbucket Cloud App PR scans.

You can now search notifications by policy name or Jira issue key, and apply filters to narrow them down by time range, project, notification channel, or error status. This helps you quickly locate specific notifications, identify patterns across your security events, and manage notification workflows efficiently.

For more information, see Notifications.

Endor Labs now features a redesigned interface with updated navigation, layout, and workflows, making it easier to find and manage your security data. For more information, see Endor Labs user interface.

DroidGPT has been removed from the product. For AI-powered help with findings and scan errors, use the Endor AI Chat in the application.


Endor Labs now supports exporting scan data to an Amazon S3 bucket for archival, compliance, or integration with other tools. The S3 exporter supports exporting findings in JSON or SARIF format.

For more information, see Export findings to S3.

You can now use the None (Notify for each Finding) aggregation type to send separate notifications for every finding generated from the configured action policy, making it easier to track and assign individual security issues. This aggregation type is supported only for SAST and Secrets action policies.

For more information, see Aggregation types for notifications.

Endor Labs now includes finding tags and categories in the SARIF output when exporting findings to GitHub Advanced Security (GHAS). You can use these tags to filter and identify specific types of findings in GitHub code scanning, such as reachable vulnerabilities, findings with available fixes, or findings by category, like SCA, SAST, and Secrets.

For more information, see Filter findings by tags in GitHub.
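The tag-based filtering described above relies on the standard SARIF `properties.tags` bag, which can appear on a rule (reportingDescriptor) and on an individual result. The following script is an added example, not Endor Labs code or its actual SARIF layout: it merges rule-level and result-level tags, lets you keep only results that carry a given set of tags (for instance, reachable SCA findings), and writes the reduced SARIF back out so it can be uploaded on its own. The SARIF document and the tag names (`sca`, `reachable`, `fix-available`, `secrets`) are constructed here for illustration and are assumptions, not the exact tags Endor Labs emits.

```python
"""Filter SARIF results by tag (added example; constructed input, not Endor Labs output)."""
import copy
import json
from typing import Dict, Iterable, List, Set

# Constructed SARIF document. Tag names are assumed for the example.
SARIF_DOC = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "SCA-001", "properties": {"tags": ["sca", "reachable"]}},
            {"id": "SCA-002", "properties": {"tags": ["sca"]}},
            {"id": "SECRETS-001", "properties": {"tags": ["secrets"]}},
        ]}},
        "results": [
            {"ruleId": "SCA-001", "ruleIndex": 0, "level": "error",
             "message": {"text": "reachable vulnerable function in dep A"},
             "properties": {"tags": ["fix-available"]}},
            {"ruleId": "SCA-002", "ruleIndex": 1, "level": "warning",
             "message": {"text": "unreachable vulnerability in dep B"}},
            # ruleIndex deliberately omitted: lookup must fall back to ruleId.
            {"ruleId": "SECRETS-001", "level": "error",
             "message": {"text": "hard-coded credential"}},
        ],
    }],
}


def _find_rule(run: dict, result: dict) -> dict:
    """Locate the rule a result refers to, by ruleIndex when present, else by ruleId."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    idx = result.get("ruleIndex")
    if isinstance(idx, int) and 0 <= idx < len(rules):
        return rules[idx]
    return next((r for r in rules if r.get("id") == result.get("ruleId")), {})


def effective_tags(run: dict, result: dict) -> Set[str]:
    """Union of the result's own tags and the tags declared on its rule."""
    tags = set(result.get("properties", {}).get("tags", []))
    tags.update(_find_rule(run, result).get("properties", {}).get("tags", []))
    return tags


def filter_sarif(sarif: dict, required_tags: Iterable[str]) -> dict:
    """Return a copy of the SARIF keeping only results that carry every required tag."""
    required = set(required_tags)
    out = copy.deepcopy(sarif)
    for run in out.get("runs", []):
        run["results"] = [r for r in run.get("results", [])
                          if required <= effective_tags(run, r)]
    return out


def count_by_tag(sarif: dict) -> Dict[str, int]:
    """How many results carry each tag; useful for a quick triage overview."""
    counts: Dict[str, int] = {}
    for run in sarif.get("runs", []):
        for r in run.get("results", []):
            for t in effective_tags(run, r):
                counts[t] = counts.get(t, 0) + 1
    return counts


def result_rule_ids(sarif: dict) -> List[str]:
    return [r["ruleId"] for run in sarif.get("runs", []) for r in run.get("results", [])]


if __name__ == "__main__":
    # Keep only reachable SCA findings and emit them as a stand-alone SARIF file.
    reduced = filter_sarif(SARIF_DOC, ["sca", "reachable"])
    print(json.dumps(reduced, indent=2))
    print(count_by_tag(SARIF_DOC))
```

Because rule tags and result tags are merged, a result inherits category tags such as `sca` from its rule while keeping per-finding tags such as `fix-available`; the filter is an all-of match, so `["sca", "reachable"]` excludes findings that are merely in the SCA category.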


The Endor Labs MCP server is now available in Developer Edition. You can get started without any prior configuration or Endor Labs account.

The Endor Labs MCP server Enterprise Edition has also been updated to provide easier configuration and setup.

For more information, see Endor Labs MCP server.

The Endor Labs MCP server is now available as a Gemini extension. You can use natural language commands to interact with the MCP server. For more information, see Endor Labs MCP server as a Gemini extension.

The dependency graph now offers improved rendering performance and enhanced node interactions, making it easier to visualize and explore complex dependency trees.

For more information, see View dependency graph.


You can now scan merge requests using the Endor Labs GitLab App. You can also enable MR comments so that scan results are posted directly on your merge requests.

For more information, see GitLab App MR scans.

You can now enable urgent notifications in Endor Labs to receive real-time alerts for newly discovered malware, allowing you to take immediate action.

For more information, see Urgent Notifications.

Endor Labs now enables default branch detection for all projects. When the default branch of a repository changes, Endor Labs automatically detects the new default branch and sets it as the default reference for every project configured with the Endor Labs SCM Apps.

For more information, see Default branch detection.

Endor Labs now enables the malware finding policy by default for all tenants. You automatically receive findings for suspicious and malicious code across all projects, helping you detect and remediate security issues faster.

For more information, see OSS finding policy.


CI/CD tool scanning has been discontinued and is no longer available. This change does not affect the scanning of GitHub Action dependencies.

Endor Labs now includes Endor AI Chat, an AI-powered assistant designed to help you understand vulnerabilities and take quicker, more informed action. You can ask natural language questions about security findings, scan results, package versions, and vulnerabilities. See Endor AI chat.

Endor Labs now supports pre-computed reachability analysis to determine vulnerability exposure in dependencies without requiring code compilation or full call graph generation. You can enable it using the pre-computed flag for quick scans and full scans.

For more information, see Pre-computed reachability analysis.

You can now search for authorization policies using rule criteria, creator email addresses, and namespace assignments.

For more information, see Search authorization policies.

You can now filter notifications by project name to focus on notifications from specific projects and reduce noise from others.

For more information, see Notifications.

Endor Labs now supports scanning Scala projects built with Gradle by resolving dependencies from build.gradle or build.gradle.kts files.

For more information, see Scan Scala projects.


CI/CD tool scanning functionality is being deprecated and will be discontinued by the end of September 2025. This change does not affect the scanning of GitHub Action dependencies.

You can now use the dedicated command endorctl container scan for container scanning. This replaces the older endorctl scan --container command. Migrate to endorctl container scan to ensure continued compatibility. For more information, see Use new container scan commands.

Deprecation notice
The old endorctl scan --container commands and their corresponding flags (--container, --container-tar, and --container-as-ref) will be removed after a three-month deprecation period.

Endor Labs now uses Opengrep to scan your code for SAST and AI model findings instead of Semgrep. Opengrep is an open-source, static analysis tool that finds bugs and vulnerabilities in the source code using pattern matching. Endor Labs automatically downloads Opengrep for you when you run a scan that needs it.

You can continue using Semgrep with Endor Labs if you prefer. See Use Semgrep with Endor Labs for more information.

Endor Labs now supports Scan Workflow, which lets you define scan profiles as sequential steps within a single project scan. This gives you fine-grained control over how scans run, allowing you to target different parts of your codebase more precisely.

You can configure a scan workflow and assign it to your project either using the Endor Labs API or through the Endor Labs user interface.

For more information, see Configure Scan Workflow in Endor Labs.

Endor Labs now supports Upgrade Impact Analysis (UIA) for JavaScript and TypeScript projects. UIA helps you understand the potential impact of upgrading dependencies by identifying breaking changes and dependency conflicts that may occur during upgrades.

For more information, see Upgrade impact analysis and JavaScript/TypeScript scanning.

Endor Labs now offers policies that reduce supply chain risks by detecting newly released open source dependencies within a configurable cooldown period and optionally blocking their adoption to prevent issues from unverified packages and malware.

  • Recently Released Dependencies finding policy: Enable this finding policy to identify and raise findings for dependency versions that were published within the defined cooldown period. The default cooldown period is 48 hours.

  • Recently Released Dependencies (Cooldown) action policy: Create an action policy from the template to define how to handle these findings.

For more information, see OSS finding policy, and Recently released dependencies action policy.
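The cooldown check above is simple to reason about once you see it run: for each resolved dependency version, compare the registry publish timestamp with the current time and raise a finding when the version is younger than the cooldown window. The script below is an added example, not the Endor Labs implementation: registry publish times and the lockfile are constructed inline so it runs offline (a real check would read timestamps from the package registry, such as the npm registry's per-version `time` map), and the `should_block` helper stands in for the kind of decision an action policy makes. The package names, timestamps and helper names are assumptions for illustration.

```python
"""Flag dependency versions still inside a cooldown window (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

DEFAULT_COOLDOWN = timedelta(hours=48)   # matches the default window described in the notes


def ts(y: int, m: int, d: int, hh: int = 0, mm: int = 0) -> datetime:
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed registry metadata: package -> version -> publish time (UTC).
REGISTRY_PUBLISH_TIMES: Dict[str, Dict[str, datetime]] = {
    "left-pad": {"1.3.0": ts(2024, 1, 2, 12, 0), "1.3.1": ts(2024, 3, 9, 8, 30)},
    "lodash": {"4.17.21": ts(2021, 2, 20, 15, 42)},
    "totally-new-pkg": {"0.1.0": ts(2024, 3, 10, 6, 0)},
}

# Constructed lockfile content: the versions the project actually resolved.
# "vendored-internal" has no registry entry, so its publish time is unknown.
LOCKFILE: Dict[str, str] = {
    "left-pad": "1.3.1",
    "lodash": "4.17.21",
    "totally-new-pkg": "0.1.0",
    "vendored-internal": "2.0.0",
}


@dataclass(frozen=True)
class CooldownFinding:
    package: str
    version: str
    reason: str                       # "recent" or "unknown-publish-time"
    age_hours: Optional[float] = None  # set only for "recent"


def check_cooldown(lockfile: Dict[str, str],
                   publish_times: Dict[str, Dict[str, datetime]],
                   now: datetime,
                   cooldown: timedelta = DEFAULT_COOLDOWN) -> List[CooldownFinding]:
    """Raise a finding for every resolved version younger than `cooldown`.

    A version with no known publish time is reported separately rather than
    silently passed: a missing timestamp is worth a human look, but it is not
    the same signal as a freshly published package.
    """
    findings: List[CooldownFinding] = []
    for package, version in sorted(lockfile.items()):
        published = publish_times.get(package, {}).get(version)
        if published is None:
            findings.append(CooldownFinding(package, version, "unknown-publish-time"))
            continue
        age = now - published
        if age < cooldown:
            findings.append(CooldownFinding(package, version, "recent",
                                            age.total_seconds() / 3600))
    return findings


def should_block(findings: List[CooldownFinding], block_unknown: bool = False) -> bool:
    """Action-policy style decision: block adoption while any version is inside
    the cooldown window; optionally also block versions with unknown provenance."""
    return any(f.reason == "recent"
               or (block_unknown and f.reason == "unknown-publish-time")
               for f in findings)


if __name__ == "__main__":
    now = ts(2024, 3, 10, 18, 0)   # constructed "current time" for the example
    found = check_cooldown(LOCKFILE, REGISTRY_PUBLISH_TIMES, now)
    for f in found:
        print(f)
    print("block:", should_block(found))
```

With the constructed clock set to 2024-03-10 18:00 UTC, `left-pad 1.3.1` (33.5 hours old) and `totally-new-pkg 0.1.0` (12 hours old) are inside the 48-hour window, `lodash` is not, and `vendored-internal` is reported as unknown. Shortening the window to 24 hours clears `left-pad` while still flagging the 12-hour-old package, which is the trade-off the configurable cooldown lets you tune.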

With the use of Opengrep instead of Semgrep for SAST scan, you can now run SAST scans on Windows. For more information, see SAST scan with Endor Labs.

Endor Labs now supports scanning Swift projects that use the Swift Package Manager (SwiftPM) by resolving dependencies from the Package.swift file.

For more information, see Scan Swift projects.

Endor Labs now supports filtering findings exported to GitHub Advanced Security through action policies. Findings are exported only from projects covered by configured action policies.

For more information, see Export findings to GitHub Advanced Security.

The First Party Code dashboard now features a stacked bar chart that displays the top 10 secret rules along with their corresponding findings. This enables you to identify high-impact rules and prioritize remediation by severity.

For more information, see First-party code.

Endor Labs now includes vulnerability aliases in SARIF output for SCA findings. Aliases such as CVE IDs, GHSA IDs, and other OSV identifiers help you track multiple identifiers for the same vulnerability and improve integration with security tools and workflows.

You can now use the search bar to filter projects by name to focus the OSS overview on specific projects. This helps organizations prioritize the most critical and exploitable vulnerabilities, enabling more targeted security efforts.

For more information, see First-party code.

Endor Labs now supports Gradle package manager integration. You can configure private package manager repositories for Gradle through the user interface to scan dependencies from custom repositories and enhance dependency resolution.

For more information, see Gradle private package manager.

You can now filter findings by project name, allowing you to focus on the findings of a specific project and eliminate noise from other projects.

For more information, see Search for findings using basic filters.

You can now clone scan profiles in your namespace. The cloned profile retains all parameters and custom settings, helping you set up new profiles faster and maintain consistent configurations across scans.

For more information, see Clone scan profile.