Release notes

Endor Labs helps you select, secure, and maintain dependencies, so development moves fast and supply chain risk remains low. The following release notes highlight the most recent major capabilities and any major bug fixes published by Endor Labs.

We are excited to introduce the latest features and enhancements in Endor Labs.

Upgrade to endorctl version 1.6.734 or later for container scans Breaking change

Endor Labs has significantly improved container scanning, enhancing the accuracy of findings. As a result, container scans performed with older endorctl versions may yield different or no results in some cases.

To ensure accurate scans, upgrade endorctl to version 1.6.734 or higher.

Run endorctl --version to check your current version. For instructions on upgrading endorctl, see Install Endor Labs on your local system.

Upgrades and remediation support for .NET, Kotlin, and Scala projects Enhancement

Endor Labs upgrade impact analysis now extends its capabilities to support Kotlin, Scala, and .NET projects, complementing the existing support for Python and Java to streamline dependency upgrades across more languages. For more information, see Remediation support matrix.

Configure container finding policies Enhancement

Container base images from untrusted sources may lack proper security audits or fail to comply with organizational standards, increasing the risk of vulnerabilities being exploited. To address this, you can now configure a finding policy to detect unauthorized base images and raise a critical finding. For more information, see Container policies.

Export multiple package versions in SBOM Enhancement

You can now export multiple package versions in an SBOM through the Endor Labs user interface. This lets you aggregate multiple package versions of a project in a single SBOM file: choose the packages and package versions of a project, then export them as an SBOM file. For more information, see Export an SBOM at the project level.

My Packages removed from Endor Labs user interface

The My Packages page is no longer available on the Endor Labs user interface. Instead, view the packages and package versions associated with a project under Projects, and use the package versions filter in Projects to narrow them by specific package criteria.

We are excited to introduce the latest features and enhancements in Endor Labs.

Endor Labs Integration with Microsoft Defender for Cloud New

You can now set up an integration between Endor Labs and Microsoft Defender for Cloud.

This integration allows you to access reachability analysis directly within the Microsoft Defender for Cloud console, enabling you to prioritize fixes based on exploitability without switching between tools. Additionally, you can view detailed attack paths that reveal where vulnerable code is running throughout the SDLC and in the cloud, providing a new way to prioritize which vulnerabilities to remediate first.

For more information, see Set up Microsoft Defender for Cloud integration with Endor Labs.

Azure DevOps App New

Endor Labs now provides an Azure DevOps app that you can use to onboard your Azure Repos and continuously monitor them in Endor Labs. You can integrate an Azure project with an Endor Labs namespace. The Azure repos in the project are scanned every 24 hours, and you can initiate a rescan whenever you need.

For more information, see Azure DevOps App.

Analytics dashboard New

Endor Labs’ new Analytics dashboard provides a comprehensive overview of your security metrics, tracking vulnerability trends and resolution times across projects. You can use it to quickly assess risk levels, monitor progress, and identify areas for improving your security posture. For more information, see Analytics dashboard.

Function level reachability for JavaScript projects (Beta) New

Endor Labs is excited to announce the function level reachability analysis for JavaScript/TypeScript projects.

You can now track the exact portion of the code in a dependency that is being reused by a program. Endor Labs generates call graphs for JavaScript/TypeScript projects to help you:

  • Analyze the dependencies and relationships among functions in JavaScript projects, and identify functions or methods with known vulnerabilities or potential security issues.
  • Examine the call graph to identify the functions that directly or indirectly call the vulnerable functions by tracing the paths of execution.
  • Prioritize the vulnerabilities based on their severity, threat levels, and application importance.

Call graphs help you understand the potential consequences of a vulnerability and prioritize fixing the vulnerabilities that are more likely to lead to further exploitation.

For more information, see Scan JavaScript/TypeScript projects.

Configure package manager integrations with AWS CodeArtifact New

Configure Endor Labs to integrate with AWS CodeArtifact to use private libraries to build and scan your software.

You can set up an OpenID Connect provider in AWS and create roles with trust policies to allow Endor Labs access to your CodeArtifact repositories. For more information, see Configure package manager integrations with AWS CodeArtifact.
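As an added example that is not part of the Endor Labs documentation, this Terraform sketch shows the AWS side of that setup: the OIDC provider, a role whose trust policy accepts only a pinned audience and subject from that issuer, and a read-only CodeArtifact permissions policy. Every value in angle brackets (issuer host, audience, subject, certificate thumbprint, account, region, domain and repository) is a placeholder to be taken from the Endor Labs integration guide or your own account.

```hcl
# Added example (not Endor Labs' own configuration). Values in <ANGLE_BRACKETS>
# are placeholders: take them from the Endor Labs integration guide or your account.

locals {
  endor_oidc_host = "<ENDOR_OIDC_ISSUER_HOST>" # issuer hostname, no scheme
}

# 1. Register the Endor Labs OIDC issuer as an identity provider in AWS.
resource "aws_iam_openid_connect_provider" "endor_labs" {
  url             = "https://${local.endor_oidc_host}"
  client_id_list  = ["<AUDIENCE_FROM_ENDOR_GUIDE>"]
  thumbprint_list = ["<ISSUER_CERT_THUMBPRINT>"]
}

# 2. Role that Endor Labs assumes. The trust policy is the security boundary:
#    without the aud and sub conditions, any token issued by this provider
#    could assume the role, so both claims are pinned.
resource "aws_iam_role" "endor_labs_codeartifact" {
  name = "endor-labs-codeartifact-read"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Federated = aws_iam_openid_connect_provider.endor_labs.arn }
      Action    = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = {
          "${local.endor_oidc_host}:aud" = "<AUDIENCE_FROM_ENDOR_GUIDE>"
          "${local.endor_oidc_host}:sub" = "<SUBJECT_FROM_ENDOR_GUIDE>"
        }
      }
    }]
  })
}

# 3. Least-privilege permissions: read one CodeArtifact domain and repository.
#    sts:GetServiceBearerToken is needed to mint the repository token, so it
#    is allowed only for the CodeArtifact service.
resource "aws_iam_role_policy" "codeartifact_read" {
  name = "codeartifact-read-only"
  role = aws_iam_role.endor_labs_codeartifact.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = "codeartifact:GetAuthorizationToken"
        Resource = "arn:aws:codeartifact:<REGION>:<ACCOUNT_ID>:domain/<DOMAIN>"
      },
      {
        Effect   = "Allow"
        Action   = ["codeartifact:GetRepositoryEndpoint", "codeartifact:ReadFromRepository"]
        Resource = "arn:aws:codeartifact:<REGION>:<ACCOUNT_ID>:repository/<DOMAIN>/<REPOSITORY>"
      },
      {
        Effect    = "Allow"
        Action    = "sts:GetServiceBearerToken"
        Resource  = "*"
        Condition = { StringEquals = { "sts:AWSServiceName" = "codeartifact.amazonaws.com" } }
      },
    ]
  })
}
```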

Configure Scan profile through Endor Labs user interface Enhancement

While scanning projects using the GitHub App, you can configure a scan profile and assign it to your projects directly from the Endor Labs user interface. For more information, see Configure Scan profile.

Differentiate base image and application layer vulnerabilities Enhancement

While scanning containers, you can now distinguish the base image related vulnerabilities from those in the application layer by first scanning the base image, followed by scanning any images built on top of it. For more information, see Discover base images.

Support for Go image with Bazel Enhancement

Endor Labs now supports scanning Go images with Bazel. For more information, see Select and build your Bazel targets.

Include resolved status for Jira integration Enhancement

The RESOLVED STATUS configuration for Jira integrations has been enhanced. You can now specify a custom resolved status, such as Completed, to apply to Jira tickets after findings are resolved. If no status is provided, Endor Labs defaults to Done, Resolved, Closed, or Fixed, depending on the project settings. For more information, see Configure Jira integration.

Dependency detection for GitHub Action packages Enhancement

Endor Labs no longer detects test dependencies in GitHub Action packages. This update reduces the number of transitive dependencies detected for GitHub Action packages, thereby streamlining dependency analysis and improving overall clarity.

We are excited to introduce the latest features and enhancements in Endor Labs.

Find and evaluate AI models New

You can now view AI models from Hugging Face on the Endor Labs platform. Search for AI models and review their Endor scores, including security, activity, popularity, and quality. These scores help you make informed decisions before integrating models into your organization. See Discover AI models for more information.


Scan Java projects without pom.xml New

You can now scan Java projects that do not have a pom.xml file. This lets Endor Labs scan a Java artifact that is built with neither Maven nor Gradle and report its unresolved dependencies, resolved dependencies, and dependency tree. Set the environment variables ENDOR_JVM_USE_ARTIFACT_SCAN, ENDOR_JVM_USE_ARTIFACT_SCAN_CLASSPATH, and ENDOR_JVM_FIRST_PARTY_PACKAGE to enable scanning of projects that contain such artifacts. See Scan projects without pom.xml for more information.

Export multiple package versions in SBOM New

You can now export multiple package versions in an SBOM through endorctl with the new command options --package-version-uuids, --project-uuid, and --project-name. This feature allows aggregating multiple package versions across one or many projects in a single SBOM file. See Export multiple package versions in SBOM for more information.

Enhanced user interface to view findings of a project Enhancement

Endor Labs has a new user interface to view findings of a project.

  • Findings list: Findings are now presented in a table with columns that include location, EPSS, tags, and more.
  • Preset filters: Preset filters help you find the category of findings you care about the most. For example, Prioritized Findings gives the list of critical vulnerability findings in the last 30 days that have either a reachable function or a reachable dependency, are not test dependencies, and have an available fix.
  • Detailed drawers: A side panel drawer provides detailed metadata, including risk details, fix information, and call graphs when available.

The new updates are designed to enhance your experience by providing:

  • Modern look and feel: A refreshed, modern design that’s cleaner and more intuitive.
  • Enhanced navigation bar: Streamlined menus to help you find what you need faster.
  • Improved performance: Faster load times and smoother transitions for a more efficient workflow with default filters pre-loaded.

See View findings associated with a project for more information.


Manage build tools Enhancement

The following enhancements are now available for specifying project build toolchains:

  • Auto detection of build tools - You can enable auto detection of build tools for your projects based on the manifest files present in the repository. Auto detection is supported for Long Term Support (LTS) versions of Java, Python, Go, and .NET (C#) projects. See Enable auto detection for more information.

  • Specify toolchains with scanprofile.yaml - You must now specify build toolchains in the scanprofile.yaml file, a multi-document YAML file with a structure similar to Kubernetes configuration files. Previously, build toolchains were defined in the profile.yaml file. See Manage build tools for more information.

Jira integration Enhancement

When integrating Jira with Endor Labs, you can:

  • Specify an issue type from the custom Jira project such as Bug, Task, Epic, Story, or any other value when raising a Jira ticket. This enables efficient categorization and tracking of issues within the project.
  • Configure the integration to define custom fields with appropriate values that align with your organization’s workflows. For instance, you can create key-value pairs like Source = Endor Labs to associate specific information with each Jira ticket raised from Endor Labs.

See Set up Jira integration with Endor Labs for more information.

Support for Bazel with Gazelle in vendored mode in Go projects Enhancement

Endor Labs now supports scanning Go projects that use Bazel with Gazelle in vendored mode. See Scan Go projects using Bazel with Gazelle in vendored mode.

Kotlin 2.0 Support Enhancement

Endor Labs has extended Kotlin support to include version 2.0. With this enhancement, Endor Labs supports Kotlin projects from version 1.4 to 2.0.

Other enhancements Enhancement

  • Archived repositories - The Endor Labs GitHub App no longer scans archived repositories by default. To include archived repositories in the scan, you can adjust the preferences during the GitHub App installation or by editing the integration settings afterwards.

  • Name change from SCPM to RSPM - Endor Labs now uses RSPM (Repository Security Posture Management) as the standard terminology for all SCPM (Source Code Posture Management) policies and findings across the user interface and documentation. Previously, both RSPM and SCPM were used interchangeably.

  • Removal of Dismiss Findings - You can no longer dismiss a finding from the Findings page on the Endor Labs user interface. Instead, you can apply an exception policy if you want the finding to not trigger any action policy. See Apply exception to findings.

We are excited to introduce the latest features and enhancements in Endor Labs.

Enhanced user interface for Global Findings New

Endor Labs has a new user interface for viewing all findings.

  • Findings list: Findings are now presented in a table with columns that include location, EPSS, tags, and more.
  • Preset filters: Preset filters help you find the category of findings you care about the most. For example, Prioritized Findings gives the list of critical vulnerability findings in the last 30 days that have either a reachable function or a reachable dependency, are not test dependencies, and have an available fix.
  • Detailed drawers: A side panel drawer provides detailed metadata, including risk details, fix information, and call graphs when available.

The new updates are designed to enhance your experience by providing:

  • Modern look and feel: A refreshed, modern design that’s cleaner and more intuitive.
  • Enhanced navigation bar: Streamlined menus to help you find what you need faster.
  • Improved performance: Faster load times and smoother transitions for a more efficient workflow with default filters pre-loaded.


Scan Scala projects with Bazel Enhancement

You can now scan Scala projects with Bazel using endorctl scan --use-bazel. By invoking this command as a Bazel rule, you can analyze dependencies from within your Bazel workflow.

  • Bazel Integration: Scan Scala projects by calling the endorctl scan command as a Bazel rule, ensuring smooth integration with Bazel workflows.
  • Targeted Scanning: Choose between scanning the entire repository or specific Scala targets using Bazel rules. You can also use a Bazel query to scan targets based on specific criteria.
  • Incremental Scans: Execute scans by focusing only on recently updated targets, optimizing the scanning process for enhanced efficiency.

For more information, see Scan with Bazel.

Discover container base images Enhancement

Endor Labs container scan automatically identifies the base image used in your container, along with its dependencies, such as software packages and libraries. This enables you to perform a comprehensive security assessment by detecting any vulnerabilities in the base image, ensuring your containers are secure.

You can view and filter dependencies based on the container images. For more details, see Discover container images.


Integrate Endor Labs with Google Cloud Build Enhancement

Integrate security scans into your Google Cloud Build pipelines to automatically detect vulnerabilities and issues during the development process. By performing scans within Google Cloud Build, you ensure that code changes are analyzed before deployment, strengthening the security and reliability of your cloud-native applications.

For more details, see Scan with Google Cloud Build.

We are excited to introduce you to the latest version of Endor Labs and endorctl - v1.6.448. This release includes new features and enhancements.

Upgrades and recommendations (Beta) New

Endor Labs upgrade and remediation workflows provide an end-to-end solution to help you discover, prioritize, manage, and resolve risks in your software development environment.

  • Upgrade Impact Analysis: Endor Labs identifies and recommends upgrades for your dependencies. By pinpointing the distinct actions that can resolve your vulnerabilities and mitigate the risks associated with updates, your security program can make more informed risk management decisions and triage issues more effectively.
  • Endor Patches: Endor Labs backports security fixes to your packages, allowing you to minimize the impact of software updates. By using an Endor patch, you can update the libraries with a minimal viable security patch that reduces your risk of breaking changes, bugs, or performance issues associated with an upgrade.

For more information, see Upgrades and remediation.

Manage build tools (Beta) New

Endor Labs provides the following options for defining the tools needed to build your software during endorctl scans:

  • Specify the toolchain configuration through the endorctl API.
  • Specify the toolchain configuration in the profile.yaml file.
  • Fall back to the system default values for your toolchain.

Endor Labs will automatically install build tools in a sandbox to ensure you can run highly accurate scans. Build tools are not installed on your host. For more information, see Manage build tools.

Support for Azure pipelines and Azure Advanced Security New

You can integrate endorctl inside an Azure pipeline and view the scan results in Azure Advanced Security.

When you integrate endorctl in the Azure pipeline, endorctl scan runs and generates SARIF files during the pipeline run. The SARIF file is consumed by Advanced Security in your Azure repository. By configuring this integration, you can use Endor Labs seamlessly within the Azure ecosystem to enhance security and streamline workflows. For more information, see Scan with Azure Pipelines.

Changes to endorctl CLI options Enhancement

Endor Labs is introducing two new endorctl CLI options, --include-path and --exclude-path, to replace the existing --include and --exclude options.

  • With these new options, you specify the file paths or patterns to include in or exclude from the endorctl scan using glob-style expressions, which are easier to use.
  • You can scope your scans by defining inclusion or exclusion patterns. See scoping scans for more details.

The existing --include and --exclude options are deprecated. However, if these options are already in use, such as in a script, the updates remain backwards compatible, ensuring continued functionality.

Changes to the default view on the Findings page Enhancement

By default, Endor Labs now displays findings that meet the following criteria on the Findings page:

  • Critical severity vulnerabilities
  • Reachable vulnerabilities
  • Vulnerabilities with EPSS probability above 1%
  • Security vulnerabilities
  • Vulnerabilities created in the last week

Previously, the Findings page displayed all findings when you opened it.

You can use the basic or advanced filters to view additional findings. For more information, see View Findings.

Container action policy templates Enhancement

Endor Labs now provides action policy templates that you can use to quickly create action policies specific to container scanning. For more information, see Action policy templates.

PDM package manager support for Python projects Enhancement

Endor Labs now offers support for scanning Python projects that use PDM as their package manager. For more information, see Scan Python projects.

New fields to filter project dependencies Enhancement

You can now filter project dependencies by, and export, the following new fields:

  • License File
  • License Matched Text
  • License Name
  • License Type
  • License URL

Sign up with GitHub Enhancement

You can now sign up for Endor Labs with your GitHub account.

Quickstart with Endor Labs GitHub App Enhancement

Endor Labs GitHub App is now available as an option in quick start. The Endor Labs GitHub App allows you to quickly set up your GitHub repositories in Endor Labs and initiate scans. For more information, see Quick start with GitHub App.

We are excited to introduce you to the latest version of Endor Labs and endorctl - v1.6.372. This release includes new features and enhancements.

Scan containers (Beta) New

Endor Labs introduces comprehensive container image scanning to help you identify and prioritize risks while ensuring compliance.

Key Features:

  • Operating system packages: Detects packages installed via the container’s base OS package manager.
  • Programming language packages: Identifies packages installed through language-specific package managers.
  • Libraries and dependencies: Scans for static and dynamic libraries, and runtime dependencies required by the application.

In addition, Endor Labs generates an SBOM (Software Bill of Materials) that details all components, their versions, and associated metadata, providing a complete inventory of the container’s contents.


Customize notification templates Enhancement

Endor Labs provides out-of-the-box notification templates with standard information for policy violation messages in GitHub PR comments, webhooks, email, and Slack notifications. You can use the default template or customize it to fit your organization’s specific requirements. Additionally, you can create your custom templates using Go Templates.

For more details, see