Release notes

Endor Labs helps you select, secure, and maintain dependencies, so development moves fast and supply chain risk remains low. The following release notes highlight the most recent major capabilities and any major bug fixes published by Endor Labs.

We are excited to introduce the latest features and enhancements in Endor Labs.

The first-party code dashboard provides a comprehensive view of the vulnerabilities in your codebase from a SAST and secrets perspective.

For more information, see First-party code dashboard.

Endor Labs now supports CVSS v4.0, an enhanced standard for vulnerability severity assessment.

CVSS v4.x scores, including full vector strings and metadata, are available in Endor Labs’ reporting and data exports. Note that Vanta exports continue to support only CVSS v3.x.

By default, Endor Labs uses CVSS v3.x. You must explicitly configure the system to use CVSS v4.x.

For more information, see Configure CVSS score version.

Endor Labs now includes a comprehensive vulnerability database to search and analyze known issues across software dependencies using CVE, GHSA, and PySEC identifiers. It maps vulnerable package versions to impacted projects and findings to support easier remediation.

For more information, see Endor Labs vulnerability database.

Endor Labs now supports exporting findings to GitHub Advanced Security as SARIF files. You can use GitHub Advanced Security to analyze and triage findings from Endor Labs.

For more information, see Export findings to GitHub Advanced Security.

Endor Labs extends AI model detection to include external providers, listing detected models as dependencies. Hugging Face models are scored, as they are open source and provide extensive public metadata. Models from other providers are detected but not scored due to limited data.

For more information, see AI model detection.

Effective Monday, July 21, 2025, Endor Labs is releasing new updates to the code segment analyzer and the underlying database of hashes and embeddings used in C/C++ Software Composition Analysis. If you use continuous integration workflows or perform local scans, you must update to the latest version of endorctl and re-run your scan with:

endorctl scan --languages=c

The first scan may take longer than usual, as it rebuilds the cache of code segments. You may also see differences in the results compared to previous scans. These changes improve the accuracy of dependency detection and matching.

Endor Labs MCP server is now available in alpha for Cursor and Visual Studio Code.

The Endor Labs MCP server integrates directly into your IDE to scan code in real time and catch security issues before they reach production. This workflow secures both human-written and AI-generated code from the moment it is written. For more information, see Endor Labs MCP Server.

You can now grant the Endor Labs support team read-only access to your tenant for a limited time. This feature enables our support team to assist you more efficiently while ensuring your data remains secure and private.

For more information, see Grant support access.

You can now configure two new finding policies and manage the use of AI models more effectively in your organization.

  • Restricted AI models: Raise a finding when a repository uses an AI model that your organization has marked as restricted or allowed only in specific contexts.

  • Restricted AI model providers: Raise a finding when a repository uses an AI model from a provider that is restricted based on your organization’s policy.

For more information, see Detect AI models.

You can now upgrade a finding policy when a new version is available. Policy upgrades may include changes such as updated Rego code, new fields, parameters, or tags. After upgrading, you cannot revert the policy to its previous version.

For more information, see Upgrade a finding policy.

endorctl now evaluates MSBuild properties from files like Directory.Build.props, enabling resolution of package names and versions defined using variables.

For more information, see Resolving package names from props files.
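To illustrate what MSBuild property evaluation has to do before a package name or version is known, here is an added example, not Endor Labs code: a small resolver that evaluates the PropertyGroup elements of a Directory.Build.props and a .csproj in import order and expands $(Name) references in PackageReference entries. The input files are constructed for the example, and Condition attributes on property groups are deliberately ignored, which real MSBuild does not do.

```python
import re
import xml.etree.ElementTree as ET

PROP_REF = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the legacy MSBuild xmlns if present

def expand(value, props):
    # MSBuild expands $(Name) to the property's current value, or "" when undefined
    return PROP_REF.sub(lambda m: props.get(m.group(1), ""), value)

def collect_properties(root, props):
    # PropertyGroup children in document order; later definitions override earlier ones.
    # Simplification: Condition attributes are ignored, so every group is treated as active.
    for group in root.iter():
        if _local(group.tag) == "PropertyGroup":
            for prop in group:
                props[_local(prop.tag)] = expand((prop.text or "").strip(), props)
    return props

def resolve_package_references(props_xml, csproj_xml):
    """Return {package name: resolved version}; "" means the version could not be resolved."""
    props_root, proj_root = ET.fromstring(props_xml), ET.fromstring(csproj_xml)
    props = collect_properties(props_root, {})   # Directory.Build.props is imported first
    collect_properties(proj_root, props)          # then the project's own properties
    resolved = {}
    for el in proj_root.iter():
        if _local(el.tag) != "PackageReference":
            continue
        version = el.get("Version")
        if version is None:  # Version may also be given as a child element
            child = next((c for c in el if _local(c.tag) == "Version"), None)
            version = (child.text or "") if child is not None else ""
        resolved[expand(el.get("Include", ""), props)] = expand(version, props)
    return resolved

# Constructed sample inputs, not taken from any real project
DIRECTORY_BUILD_PROPS = """<Project><PropertyGroup>
  <JsonLibVersion>13.0.3</JsonLibVersion>
  <LoggingMajor>8</LoggingMajor>
  <LoggingVersion>$(LoggingMajor).0.1</LoggingVersion>
</PropertyGroup></Project>"""

CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><LoggingVersion>$(LoggingMajor).0.2</LoggingVersion></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="$(JsonLibVersion)" />
    <PackageReference Include="Microsoft.Extensions.Logging" Version="$(LoggingVersion)" />
    <PackageReference Include="Serilog" Version="$(UndefinedVersion)" />
  </ItemGroup>
</Project>"""
```

An empty resolved version (Serilog above, whose property is never defined) is the case an SCA tool must surface as unresolved rather than silently skipping the package.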

Findings in the SCA, Vulnerability, and Container categories are now grouped by Dependency by default, making it easier to review your scans.

For more information, see View findings.

Endor Labs now automatically detects AI models during SCA scans when using the GitHub App, Bitbucket App, Azure DevOps App, and GitLab App. You can view AI models from the AI Inventory.

For more information, see View AI model findings using Endor Labs GitHub App.

You can now configure the Jira integration in Endor Labs to automatically populate the Components field in Jira tickets for both company-managed and team-managed Jira projects.

For more information, see Integrate Jira with Endor Labs.

By default, the Endor Labs dashboard includes data from all child namespaces. Use the All child namespaces excluded toggle to exclude child namespaces and view data and metrics for only the selected namespace.

For more information, see Namespaces in Endor Labs.

Outpost is a new on-premises scheduler for monitoring scans that runs in your own Kubernetes cluster. After you install and configure Outpost, monitoring scans of your source code repositories are scheduled and executed on that cluster, inside your firewall. For more information, see Outpost.

You can now use a Personal Access Token (PAT) to authenticate your Jira Data Center instance to Endor Labs.

For more information, see Configure Jira integration.

Endor Labs now offers support for scanning Python projects that use Pipenv as their package manager by resolving dependencies from Pipfile and Pipfile.lock. For more information, see Scan Python projects.

You can now view which features in the Endor Labs application use AI services. To modify AI access settings, go to Settings > AI Access and contact support to customize access based on your organization’s needs. For more information, see AI access.

The Projects page now includes enhancements that make it easier to explore, sort, and filter package data.

  • The following new columns help you assess the overall health of your project.
    • Dependency Resolution Status - Shows the percentage of packages for which dependency resolution was successful.
    • Reachability Analysis Status - Shows the percentage of packages for which reachability analysis was successful.
  • Click any column header to sort projects in ascending or descending order. For more information, see Manage projects.
  • From Inventory > Packages, you can now filter packages by Dependency Resolution or Reachability Analysis statuses to focus on relevant results.
  • Sort packages by Package name, Created date, and Last Scanned date to quickly locate changes or specific dependencies. For more information, see Packages.

Reachability analysis is no longer supported for Rust projects. However, you can continue to scan Rust projects for software composition analysis and vulnerability detection.

You can now view the location of the findings identified by Endor Labs in your Jira tickets. For more information, see Findings in Jira.

Endor Labs now provides an app that you can use to onboard your Bitbucket Cloud workspace and projects and continuously monitor them in Endor Labs. The Bitbucket Cloud repositories in the projects are scanned every 24 hours, and you can initiate a rescan at your convenience.

For more information, see Endor Labs App for Bitbucket Cloud.

Endor Labs now provides an app that you can use to onboard your Bitbucket Data Center host and projects and continuously monitor them in Endor Labs. The Bitbucket Data Center repositories in the projects are scanned every 24 hours, and you can initiate a rescan at your convenience.

For more information, see Endor Labs App for Bitbucket Data Center.

Endor Labs has updated the OSS Packages navigation. You can now explore OSS Packages from the left sidebar, which provides more direct navigation.

For more information, see Search for open source packages.

Endor Labs GitHub App (Pro) now supports PR remediation for .NET, alongside Java, JavaScript, Go, and Python. Automated remediation is available for dependencies managed through *.csproj.

For more information, see Pull requests remediation in GitHub.

You can now perform Software Composition Analysis (SCA) for C and C++ projects using Endor Labs to identify vulnerabilities, track dependencies, and ensure compliance with open-source security best practices. This helps you manage risk effectively and maintain a secure codebase.

You can now include C and C++ in your scan profile to enable scanning for C and C++ projects.

For more information, see Scan C/C++ projects.

Endor Labs now supports keyless authentication for Azure, enabling seamless and secure access without the need to store or manage keys. By configuring your Azure virtual machine with a managed identity and creating an authorization policy in Endor Labs, you can integrate with Azure services while ensuring credential security.

For more information, see Keyless authentication for Azure.

The following enhancements are available for scan profiles.

  • You can configure the latest .NET SDK 9.0 toolchain in your scan profiles. This update is available on Linux and Darwin (macOS) for the arm64 and amd64 architectures, ensuring seamless integration across platforms. For more information, see Toolchain reference.

  • You can set a default scan profile for a namespace. For more information, see Set a default scan profile.

  • You can create a standard version of a build tool and use it across all scan profiles. For more information, see Configure build tools.

You can now filter findings that violate an action policy using the action policy enforcement attribute.

For more information, see Search for findings with basic filters.

With Jira integration, scan findings are now automatically updated in your Jira ticket comments. If new issues are detected or existing findings are resolved, a comment is generated with details.

For more information, see Comments in Jira tickets.

You can now configure NTLM proxy settings on machines that need to connect to Endor Labs when Internet access requires NTLM-authenticated proxy servers.

For more information, see Configure proxy servers.

Endor Labs GitHub App (Pro) now supports PR remediation for Python, alongside Java, JavaScript, and Go. Automated remediation is available for dependencies managed through pyproject.toml and requirements.txt.

For more information, see Pull requests remediation in GitHub.

You can now include or exclude archived repositories when configuring scans using Azure DevOps and GitLab Apps. By default, archived repositories are excluded to conserve resources.

For more information, see Deploy Azure DevOps App and Deploy GitLab App.