Release notes

Endor Labs helps you select, secure, and maintain dependencies, so development moves fast and supply chain risk remains low. The following release notes highlight the most recent major capabilities and any major bug fixes published by Endor Labs.

We are excited to introduce the latest features and enhancements in Endor Labs.

Endor Labs Skills are pre-built AI agent instructions that automate common security workflows using endorctl. Skills provide structured prompts that guide your AI coding assistant through tasks like installing and configuring endorctl, authenticating with identity providers, scanning repositories for vulnerabilities, and running secrets and SAST scans. Skills are available for Claude Code and Cursor.

For more information, see Skills.

The Endor Labs MCP server now supports Claude Code, OpenAI Codex, Devin, Augment Code, and IntelliJ IDEA, in addition to the previously supported Cursor, Visual Studio Code, and Gemini CLI platforms. You can integrate the MCP server into your preferred AI-powered development workflow to scan code in real-time and catch security issues before they reach production.

For more information, see MCP Server.

Endor Labs now supports software composition analysis for Scala projects in Bazel repositories that use Bzlmod for external dependency management. Bzlmod support requires Bazel aspects with rules_scala >= 5.0.0.

For more information, see Bazel and Bazel Aspects.

The Endor Labs Bitbucket Data Center App now supports automated pull request scanning for security vulnerabilities, policy violations, and exposed secrets. You can also configure PR comments directly on your pull requests when issues are detected, helping developers address security concerns before merging code.

For more information, see Bitbucket Data Center App PR scans.

You can now snooze findings to temporarily dismiss them and choose when they should reappear, making it easier to defer action on findings without creating permanent exception policies.

For more information, see Snooze findings.

You can use an ignore file in your repository to exclude specific findings from scan results. The file is read during a scan and applies only to the repository version that contains it. Findings that match an entry in the file are excluded from the findings view and do not trigger action policies.

For more information, see Dismiss findings using an ignore file and Allow ignore files to dismiss findings.

We are excited to introduce the latest features and enhancements in Endor Labs.

Endor Labs now supports container reachability, which determines which OS packages in a container image are used at runtime and marks them as Reachable, Potentially Reachable, or Unreachable. This helps you prioritize remediation for dependencies that are actually exercised during execution.

Endor Labs supports two container reachability modes based on how your workload runs and its runtime dependencies.

  • Basic reachability: Profiles the container locally during the scan. Use when the application has no external dependencies.
  • Instrumented reachability: Runs the image in your real environment with an embedded sensor to capture runtime behavior. Use when the workload requires databases, queues, or other external services.

For more information, see Container reachability and Instrumented container reachability.

Endor Labs now supports Bzlmod when you use Bazel aspects. Currently, only the Go and Java rulesets support Bzlmod.

For more information, see Bazel Bzlmod support and Bazel aspects.

Endor Labs now supports Bazel aspects to improve dependency resolution accuracy in Bazel workspaces. Endor Labs automatically discovers and applies the appropriate rules for your project, and also supports custom aspects for projects with custom build rules.

For more information, see Bazel aspects.

Endor Labs now supports AI-powered analysis for SAST findings to automatically classify them as true positives or false positives. The AI agent analyzes code context, traces data flows, and evaluates security controls to reduce false positives, helping security teams and developers focus on genuine security vulnerabilities. AI SAST analysis features require a Code Pro license.

For more information, see SAST scan with AI analysis.

The Endor Labs Bitbucket Cloud App now supports automated pull request scanning for security vulnerabilities, policy violations, and exposed secrets. You can also configure PR comments directly on your pull requests when issues are detected, helping developers address security concerns before merging code.

For more information, see Bitbucket Cloud App PR scans.

You can now search for notifications by policy name or Jira issue key, and apply filters to narrow notifications by time range, project, notification channel, or error status. This helps you quickly locate specific notifications, identify patterns across your security events, and manage notification workflows efficiently.

For more information, see Notifications.

Endor Labs now features a redesigned interface with updated navigation, layout, and workflows, making it easier to find and manage your security data. For more information, see Endor Labs user interface.

DroidGPT has been removed from the product. For AI-powered help with findings and scan errors, use the Endor AI Chat in the application.

Some API services are now designated as internal. As a result, they are no longer visible in the public API documentation.

We are excited to introduce the latest features and enhancements in Endor Labs.

Endor Labs now supports exporting scan data to an Amazon S3 storage bucket for archival, compliance, or integration with other tools. The S3 exporter supports exporting findings in JSON or SARIF format.

For more information, see Export findings to S3.

You can now use the None (Notify for each Finding) aggregation type to send separate notifications for every finding generated from the configured action policy, making it easier to track and assign individual security issues. This aggregation type is supported only for SAST and Secrets action policies.

For more information, see Aggregation types for notifications.

Endor Labs now includes finding tags and categories in the SARIF output when exporting findings to GitHub Advanced Security (GHAS). You can use these tags to filter and identify specific types of findings in GitHub code scanning, such as reachable vulnerabilities, findings with available fixes, or findings by category, like SCA, SAST, and Secrets.

For more information, see Filter findings by tags in GitHub.
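The S3 exporter and the GHAS export above both produce SARIF, and the GHAS note says findings carry tags and categories in that output. The following added example (not Endor Labs code, and not taken from its documentation) shows how a practitioner can post-process such a SARIF file offline: it reads tags from both the rule definitions and the individual results, as the SARIF 2.1.0 `properties.tags` convention allows, and filters or counts findings by tag. The sample log and the tag names (`reachable`, `fix-available`, `SCA`, `SAST`, `Secrets`) are constructed for illustration; the exact tag values Endor Labs emits are not assumed here.

```python
import json
from collections import Counter
from typing import Any, Dict, Iterable, List, Set

# Constructed sample SARIF 2.1.0 log (NOT real Endor Labs output).
# Tag names are assumptions for the sake of the example.
SAMPLE_SARIF: Dict[str, Any] = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "sca/vuln-in-dep-a",
             "properties": {"tags": ["SCA", "reachable", "fix-available"]}},
            {"id": "sca/vuln-in-dep-b", "properties": {"tags": ["SCA"]}},
            {"id": "sast/sql-injection", "properties": {"tags": ["SAST"]}},
            {"id": "secrets/cloud-access-key", "properties": {"tags": ["Secrets"]}},
        ]}},
        "results": [
            {"ruleId": "sca/vuln-in-dep-a", "level": "error",
             "message": {"text": "Vulnerable function in dependency A is reachable"}},
            {"ruleId": "sca/vuln-in-dep-b", "level": "warning",
             "message": {"text": "Vulnerable dependency B, not reachable"}},
            # Result-level tags override/extend the rule-level tags.
            {"ruleId": "sast/sql-injection", "level": "error",
             "message": {"text": "SQL statement built from user input"},
             "properties": {"tags": ["fix-available"]}},
            {"ruleId": "secrets/cloud-access-key", "level": "error",
             "message": {"text": "Possible cloud access key committed"}},
        ],
    }],
}


def load_sarif(path: str) -> Dict[str, Any]:
    """Load a SARIF log from disk (e.g. a file pulled back from the S3 export)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def _rule_index(run: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Map ruleId -> rule object for one run; missing sections yield an empty map."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", []) or []
    return {r.get("id", ""): r for r in rules}


def tags_for(result: Dict[str, Any], rules_by_id: Dict[str, Dict[str, Any]]) -> Set[str]:
    """Union of the tags declared on the result's rule and on the result itself."""
    rule = rules_by_id.get(result.get("ruleId", ""), {})
    tags = set(rule.get("properties", {}).get("tags", []) or [])
    tags.update(result.get("properties", {}).get("tags", []) or [])
    return tags


def iter_results(sarif: Dict[str, Any]) -> Iterable[tuple]:
    """Yield (result, tags) for every result across all runs in the log."""
    for run in sarif.get("runs", []) or []:
        rules_by_id = _rule_index(run)
        for result in run.get("results", []) or []:
            yield result, tags_for(result, rules_by_id)


def filter_results(sarif: Dict[str, Any], required_tags: Set[str]) -> List[Dict[str, Any]]:
    """Return results carrying ALL of required_tags (e.g. {"SCA", "reachable"})."""
    return [r for r, tags in iter_results(sarif) if required_tags <= tags]


def count_by_category(sarif: Dict[str, Any], categories: Set[str]) -> Dict[str, int]:
    """Count results per category tag; a result with several category tags counts in each."""
    counts: Counter = Counter({c: 0 for c in categories})
    for _, tags in iter_results(sarif):
        for c in tags & categories:
            counts[c] += 1
    return dict(counts)


if __name__ == "__main__":
    # Triage view: reachable SCA findings that already have a fix are the cheapest wins.
    for r in filter_results(SAMPLE_SARIF, {"SCA", "reachable", "fix-available"}):
        print(r["ruleId"], "-", r["message"]["text"])
    print(count_by_category(SAMPLE_SARIF, {"SCA", "SAST", "Secrets"}))
```

Because results may declare their own `properties.tags`, `tags_for` merges rule-level and result-level tags rather than trusting only the rule; a filter that looked at one level would silently miss findings tagged at the other.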

We are excited to introduce the latest features and enhancements in Endor Labs.

The Endor Labs MCP server is now available in Developer Edition. You can get started without any prior configuration or Endor Labs account.

The Enterprise Edition of the Endor Labs MCP server has also been updated to simplify configuration and setup.

For more information, see Endor Labs MCP server.

The Endor Labs MCP server is now available as a Gemini extension. You can use natural language commands to interact with the MCP server. For more information, see Endor Labs MCP server as a Gemini extension.

The dependency graph now offers improved rendering performance and enhanced node interactions, making it easier to visualize and explore complex dependency trees.

For more information, see View dependency graph.

We are excited to introduce the latest features and enhancements in Endor Labs.

You can now scan merge requests using the Endor Labs GitLab App. You can also configure MR comments so that detected issues are posted directly on your merge requests.

For more information, see GitLab App MR scans.

You can now enable urgent notifications in Endor Labs to receive real-time alerts for newly discovered malware, allowing you to take immediate action.

For more information, see Urgent Notifications.

Default branch detection is now enabled by default for all projects. When a repository's default branch changes, Endor Labs automatically detects the new default branch and uses it as the default reference for all projects configured with the Endor Labs SCM Apps.

For more information, see Default branch detection.

Endor Labs now enables the malware finding policy by default for all tenants. You automatically receive findings for suspicious and malicious code across all projects, helping you detect and remediate security issues faster.

For more information, see OSS finding policy.

We are excited to introduce the latest features and enhancements in Endor Labs.

CI/CD tool scanning has been discontinued and is no longer available. This change does not affect the scanning of GitHub Action dependencies.

Endor Labs now includes Endor AI Chat, an AI-powered assistant designed to help you understand vulnerabilities and take quicker, more informed action. You can ask natural language questions about security findings, scan results, package versions, and vulnerabilities. See Endor AI chat.

Endor Labs now supports pre-computed reachability analysis to determine vulnerability exposure in dependencies without requiring code compilation or full call graph generation. You can enable it using the pre-computed flag for quick scans and full scans.

For more information, see Pre-computed reachability analysis.

You can now search for authorization policies using rule criteria, creator email addresses, and namespace assignments.

For more information, see Search authorization policies.

You can now filter notifications by project name to focus on notifications from specific projects and reduce noise from others.

For more information, see Notifications.

Endor Labs now supports scanning Scala projects built with Gradle by resolving dependencies from build.gradle or build.gradle.kts files.

For more information, see Scan Scala projects.