January 2025 Edition

By now you’re probably back from all your holiday vacations and shenanigans (and if not? Honestly, good for you! Stop reading and get back to shenanigans in progress!). We have some big updates this month with the release of 1.7.0. But first, a warm “Happy New Year!”

The Endor Labs Team as it was in early Spring 2024 -- much smaller than it is today!

Community

We’re sponsoring so many local events, from OWASP to developer users groups now, it no longer makes sense to list them all. I consider this an absolute win.

We held our second AppSec Practitioner Appreciation event, this time in Palo Alto, CA. Nothing like a bunch of AppSec folks learning to swing lightsabers from a real stage-combat instructor — and all with no CISOs, no sales pitch, and no strings attached. We plan to do more such events across the US (and maybe around the world!) to celebrate the front-line folks that keep the world’s software safe.

Lightsaber Stunt Training Event in Palo Alto

What’s new in January?

This has been a BIG month for us!

AI Model Discovery — discover and report on use of LLMs and other GenAI models from HuggingFace, and set policies to alert (or even prevent use) where there are unapproved licenses or other risks with adopting a given model.

Policy-based fix PRs (GitHub App only) automatically open a new pull request to fix a vulnerability if, and only if, that vulnerability violates a policy you set. Say goodbye to hundreds of nonsense PRs and hello to automated PRs that actually make sense.

JavaScript and TypeScript Function Reachability is out of beta and enabled by default. Most users won’t have to do anything, but make sure you’re on endorctl 1.7.0 or newer. (Some situations might require a small change to the scan configuration.)

Have CI/CD workloads under Linux on ARM? Our scanning and other command-line client features are now available natively for Linux on arm64.

Users of our cloud-based scanners get a bunch of new capabilities:

  • Cloud-based PR Checks (GitHub App only): trigger cloud-based scans for pull requests. Early access required an API call from the command line, but this can now be configured via our web console as well.
  • Cloud-based SAST scans: cloud-based scans now include SAST scans by default for all SAST-licensed users.
  • GitLab App: use GitLab instead of GitHub or Azure DevOps? Cloud-based scans are now available to you!

Endor Labs Tip

Did you know you can create comprehensive exception policies?

  • Like any other policy, these can be built in our web console or by uploading a Rego policy document.
  • Exception policies allow you to create exceptions for risks, either individually, or based on patterns of attributes — you can, for example, create an exception that accepts risk for all instances of a specific vulnerability for applications that are tagged as “internal only”.
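As an added illustration (not a policy shipped by Endor Labs, and not written against their actual policy input schema), here is how the "one vulnerability, only on projects tagged internal only" exception from the tip above could be expressed in Rego. The input fields `input.finding.vuln_id` and `input.project.tags`, and the placeholder vulnerability identifier, are assumptions for this example; substitute the field names your policy engine actually provides.

```rego
package exceptions.internal_only

import rego.v1

# Assumed input shape for this illustration (not Endor Labs' real schema):
#   input.finding.vuln_id  - identifier of the vulnerability on this finding
#   input.project.tags     - list of tags attached to the scanned project
#
# The vulnerability identifier is a deliberate placeholder, not a real ID.
accepted_vuln_id := "REPLACE-WITH-VULNERABILITY-ID"

# Exceptions are opt-in: nothing is excepted unless a rule below matches.
default exception := false

# Accept the risk only when BOTH conditions hold:
#   1. the finding is the specific vulnerability we chose to accept, and
#   2. the project carries the "internal only" tag.
# A finding for the same vulnerability on a project without that tag is
# still reported, and other vulnerabilities on internal-only projects are
# still reported, which is the pattern-of-attributes behaviour described above.
exception if {
	input.finding.vuln_id == accepted_vuln_id
	"internal only" in input.project.tags
}
```

Evaluating `data.exceptions.internal_only.exception` against a finding yields `true` only for the accepted vulnerability on an internal-only project; keeping the default at `false` means a missing or misspelled tag fails closed and the finding is still surfaced.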

Brian Clark

semi-retired, working at Enforce Security, armed and unarmed

4 weeks

Please let me know when you develop a real light saber because I need it in the security work I do
