> ## Documentation Index
> Fetch the complete documentation index at: https://docs.endorlabs.com/llms.txt
> Use this file to discover all available pages before exploring further.

# June 2026

We are excited to introduce the latest features and enhancements in Endor Labs.

### Discontinuation of GitHub Cloud App

<Badge icon="triangle-exclamation" color="orange" shape="pill">Deprecation notice</Badge>

The standard GitHub Cloud App onboarding flow is deprecated. New projects should use [GitHub Cloud App Pro](/setup-deployment/scm-integrations/github-app). While existing projects using the standard app will continue to be scanned, we recommend [migrating to GitHub Cloud App Pro](/setup-deployment/scm-integrations/github-app/migrate-to-github-app-pro).

### Google Artifact Registry (GAR) support

<Badge icon="star" color="green" shape="pill">New</Badge>

You can now configure Endor Labs to authenticate with GAR for agentless dependency scanning of private npm, Maven, Gradle, and PyPI packages. Endor Labs generates short-lived OAuth2 access tokens automatically at scan time from a service account key, eliminating the need for long-lived static credentials.

For more information, see [Configure integration with Google Artifact Registry](/integrations/package-managers/google-artifact-registry).

### Direct integration with Package Firewall

<Badge icon="star" color="green" shape="pill">New</Badge>

You can now configure the Package Firewall using direct integration, which routes package installation requests through the firewall without relying on an intermediary registry such as JFrog Artifactory. The firewall evaluates each request against the Endor Labs malware database and your configured Package Firewall policies to block, warn, or allow the installation.

For more information, see [Configure the Package Firewall with direct integration](/integrations/package-firewall/direct-integration).

### Git-based dependencies

<Badge color="green">Beta</Badge> <Badge icon="star" color="green" shape="pill">New</Badge>

Endor Labs now resolves private Git-based dependencies hosted outside the repository being scanned, including those in a different organization, workspace, or project. Configure credentials for these repositories in the Git-based dependency integration to improve dependency resolution and reachability analysis. If an existing SCM integration already has access to these repositories, Endor Labs reuses those credentials.

For more information, see [Git-based dependencies](/integrations/package-managers/git-based-dependencies).

### OSS Coverage dashboard

<Badge color="green">Beta</Badge> <Badge icon="star" color="green" shape="pill">New</Badge>

You can now use the OSS Coverage dashboard to get a centralized view of open source coverage across your namespace. You can see how Endor Labs resolves dependencies and performs reachability analysis on your scanned projects. The dashboard groups coverage gaps by root cause, and each error links to the full scan log so you can investigate and fix scan failures.

For more information, see [OSS coverage](/inventory-insights/dashboards/oss-coverage)

### AI SAST detection agent

<Badge icon="star" color="green" shape="pill">New</Badge>

Endor Labs now offers an AI SAST detection agent that goes beyond traditional rule-based scanners. Instead of just matching patterns, it uses AI and the full repository context to find security issues that rules alone would miss, such as business logic flaws and broken access control.
You can run this scan using endorctl, your CI/CD pipelines, or SCM integrations

For more information, see [AI SAST](/scan/ai-sast) and [AI SAST detection agent](/scan/ai-sast/detection-agent).

### AI SAST PR scans, diff scans, and skill scanning

<Badge icon="star" color="green" shape="pill">New</Badge>

Endor Labs now offers the following AI SAST capabilities:

* **PR scans**: Run AI SAST on pull requests to scan the code changes, surface the findings the PR introduces, and post them as PR comments.
* **Local diff scans**: Run AI SAST on your uncommitted local changes to catch issues before you open a pull request.
* **Skill scanning**: The AI SAST detection agent now scans AI agent skill files, such as `SKILL.md`, `AGENT.md`, and `CLAUDE.md`, for risky instructions and unsafe scripts.

For more information, see [AI SAST PR scans](/scan/ai-sast/ai-sast-pr-scans) and [AI SAST detection agent](/scan/ai-sast/detection-agent).

### Dry-run mode for container scanning

<Badge icon="check" color="blue" shape="pill">Enhancement</Badge>

You can now run `endorctl container scan` and `endorctl container registry scan` in dry-run mode using the `--dry-run` flag. Scan results are stored only in memory and not forwarded to the Endor Labs API, so you can test container scans locally without writing any data. Base image scanning is not supported in dry-run mode.

For more information, see [container scanning](/developers-api/cli/commands/container).

### Exit code for baseline not found

<Badge icon="check" color="blue" shape="pill">Enhancement</Badge>

When a PR scan cannot locate the baseline specified with `--pr-baseline`, endorctl now returns exit code 43 (`ENDORCTL_RC_BASELINE_NOT_FOUND`) instead of the generic invalid-arguments code. This makes it easier to identify and script against baseline resolution failures.

For more information, see [endorctl CLI exit codes](/best-practices/troubleshooting/endorctl-exitcodes).

### Custom lock file location for JavaScript scans

<Badge icon="check" color="blue" shape="pill">Enhancement</Badge>

You can now specify an exact lock file path for JavaScript and TypeScript scans using the `ENDOR_JS_LOCK_FILE_PATH` environment variable. This is useful when the lock file does not live at the package directory or repository root.

For more information, see [Specify a custom lock file location](/scan/sca/javascript#specify-a-custom-lock-file-location).

### Maven support for the Package Firewall

<Badge icon="check" color="blue" shape="pill">Enhancement</Badge>

You can now configure the Package Firewall for Maven to route Java dependency requests through Endor Labs and block known malicious packages. Maven is supported for both JFrog Artifactory and direct integration.

For more information, see [Configure the Package Firewall with JFrog Artifactory](/integrations/package-firewall/jfrog-artifactory) and [Configure the Package Firewall with direct integration](/integrations/package-firewall/direct-integration).

### Vulnerability detection in Package Firewall policies

<Badge icon="check" color="blue" shape="pill">Enhancement</Badge>

You can now set a CVSS severity threshold in your Package Firewall policy to block or warn on package versions that have a known vulnerability.

For more information, see [Package Firewall policy](/platform-administration/policies/package-firewall-policies).

### Test dependencies in SBOM and VEX exports

<Badge icon="check" color="blue" shape="pill">Enhancement</Badge>

By default, test dependencies are excluded from SBOM and VEX exports. You can now include them by selecting **Include test dependencies** during CycloneDX or SPDX export.

For more information, see [Export SBOMs and VEX](/inventory-insights/sbom/exporting-sboms).

### Custom headers for webhook notification targets

<Badge icon="check" color="blue" shape="pill">Enhancement</Badge>

Webhook notification targets now support custom HTTP headers for passing vendor-specific API keys required by your webhook receiver. You can configure up to 20 headers per target, and Endor Labs sends them on every webhook request irrespective of the authentication method.

For more information, see [Set up integrations using webhooks](/integrations/webhooks).

### Harbor support for container registry scanning

<Badge icon="check" color="blue" shape="pill">Enhancement</Badge>

Endor Labs now supports container scanning with Harbor registries. You can scan images from both cloud-hosted and self-hosted Harbor instances.

For more information, see [Container registry scanning](/scan/containers/container-registry-scan).
