We are excited to introduce the latest features and enhancements in Endor Labs.
Discontinuation of CI/CD tool scanning (Breaking change)
CI/CD tool scanning functionality is being deprecated and will be discontinued by the end of September 2025. This change does not affect the scanning of GitHub Action dependencies.
Dedicated commands for container scans (New)
You can now use the dedicated command endorctl container scan for container scanning. This replaces the older endorctl scan --container command. Migrate to endorctl container scan to ensure continued compatibility. For more information, see Use new container scan commands.
Deprecation notice
The old endorctl scan --container commands and their corresponding flags (--container, --container-tar, and --container-as-ref) will be removed after a three-month deprecation period.
Opengrep support for SAST and AI model detection (New)
Endor Labs now uses Opengrep to scan your code for SAST and AI model findings instead of Semgrep. Opengrep is an open-source, static analysis tool that finds bugs and vulnerabilities in the source code using pattern matching. Endor Labs automatically downloads Opengrep for you when you run a scan that needs it.
You can continue using Semgrep with Endor Labs if you prefer. See Use Semgrep with Endor Labs for more information.
Customize project scans using scan workflow (New)
Endor Labs now supports Scan Workflow, which lets you define scan profiles as sequential steps within a single project scan. This gives you fine-grained control over how scans run, allowing you to target different parts of your codebase more precisely.
You can configure a scan workflow and assign it to your project either using the Endor Labs API or through the Endor Labs user interface.
For more information see Configure Scan Workflow in Endor Labs.
Support for SAST scan on Windows (Enhancement)
With the use of Opengrep instead of Semgrep for SAST scan, you can now run SAST scans on Windows. For more information, see SAST scan with Endor Labs.
SwiftPM support for Swift/Objective-C projects (Enhancement)
Endor Labs now supports scanning Swift projects that use the Swift Package Manager (SwiftPM) by resolving dependencies from the Package.swift file.
For more information, see Scan Swift projects.
Filter findings exported to GitHub Advanced Security (Enhancement)
Endor Labs now supports filtering findings exported to GitHub Advanced Security through action policies. Findings are exported only from projects covered by configured action policies.
For more information, see Export findings to GitHub Advanced Security.
Top 10 secret rules by severity (Enhancement)
The First Party Code dashboard now features a stacked bar chart that displays the top 10 secret rules along with their corresponding findings. This enables you to identify high-impact rules and prioritize remediation by severity.
For more information, see First-party code.
Enhanced SARIF output with vulnerability identifiers (Enhancement)
Endor Labs now includes vulnerability aliases in SARIF output for SCA findings. Aliases such as CVE IDs, GHSA IDs, and other OSV identifiers help you track multiple identifiers for the same vulnerability and improve integration with security tools and workflows.
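The following is an added example, not Endor Labs code, showing how a downstream tool can pull vulnerability aliases out of a SARIF 2.1.0 report and build an alias-to-rule index for correlating SCA findings across scanners. The SARIF document embedded below is constructed for the example, and the placement of aliases under the rule's properties.aliases key is an assumption about layout; the extractor therefore scans every string field attached to a result and its rule rather than relying on one key.

```python
import json
import re
from collections import defaultdict

# Constructed sample SARIF 2.1.0 document for this example (not real scanner
# output). The `properties.aliases` location is an assumed layout.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-sca-scanner",
            "rules": [
                {"id": "RULE-1",
                 "shortDescription": {"text": "Prototype pollution in example-lib"},
                 "properties": {"aliases": ["CVE-2099-0001", "GHSA-2345-cfgh-jkmp"]}},
                {"id": "RULE-2",
                 "shortDescription": {"text": "Path traversal in other-lib"},
                 "properties": {"aliases": ["CVE-2099-0002"]}},
            ],
        }},
        "results": [
            {"ruleId": "RULE-1", "level": "error",
             "message": {"text": "example-lib@1.2.3 is vulnerable (PYSEC-2099-1)"}},
            {"ruleId": "RULE-2", "level": "warning",
             "message": {"text": "other-lib@0.9.0 is vulnerable"}},
        ],
    }],
})

# Identifier families a practitioner typically needs to correlate: CVE, GHSA and
# a few OSV ecosystem prefixes. Extend the alternation for other ecosystems.
ID_PATTERN = re.compile(
    r"\b(?:CVE-\d{4}-\d{4,}"
    r"|GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}"
    r"|PYSEC-\d{4}-\d+|GO-\d{4}-\d+|RUSTSEC-\d{4}-\d+)\b"
)


def _walk_strings(obj):
    """Yield every string value nested anywhere inside a JSON object."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _walk_strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _walk_strings(value)


def extract_aliases(sarif_text):
    """Map each result's ruleId to the sorted set of vulnerability identifiers
    found on the result itself or on its rule metadata in the tool driver."""
    doc = json.loads(sarif_text)
    aliases = defaultdict(set)
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {rule["id"]: rule for rule in driver.get("rules", [])}
        for result in run.get("results", []):
            rule_id = result.get("ruleId")
            # Scan both the result and its rule so aliases are found whether the
            # scanner puts them in rule properties, help text or the message.
            for source in (result, rules.get(rule_id, {})):
                for text in _walk_strings(source):
                    aliases[rule_id].update(ID_PATTERN.findall(text))
    return {rule_id: sorted(ids) for rule_id, ids in aliases.items()}


def index_by_alias(aliases_by_rule):
    """Invert the mapping so any identifier resolves to the rules that carry it,
    which is what deduplication against another scanner's output needs."""
    index = defaultdict(set)
    for rule_id, ids in aliases_by_rule.items():
        for vuln_id in ids:
            index[vuln_id].add(rule_id)
    return {vuln_id: sorted(rules) for vuln_id, rules in index.items()}


if __name__ == "__main__":
    by_rule = extract_aliases(SAMPLE_SARIF)
    print(json.dumps(by_rule, indent=2))
    print(json.dumps(index_by_alias(by_rule), indent=2))
```

Run the script against a real SARIF file by replacing SAMPLE_SARIF with the file's contents; because the matcher walks every string field, a scanner that puts aliases under a different property name still yields the same index.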
Filter projects to view OSS overview (Enhancement)
You can now use the search bar to filter projects by name and tags to focus the OSS overview on specific projects. This helps organizations prioritize the most critical and exploitable vulnerabilities, enabling more targeted security efforts.
For more information, see First-party code.