Mend for GitHub.com Release Notes
Version 25.7.1 (27-July-2025)
Unified Agent 25.4.3-179 | Renovate 41.40.0 | Remediate 25.7.1 | Pre-Scan Builder (PSB) 25.4.1
New Features and Updates
(SCA) Poetry 2.x project scans are now supported.
This enhancement allows users to analyze dependencies defined and locked with Poetry 2.x using the same repo integration workflow, at no additional configuration overhead.
Version 25.6.1 (29-June-2025)
Unified Agent 25.4.3-179 | Renovate 40.62.1 | Remediate 25.6.1 | Pre-Scan Builder (PSB) 25.4.1
New Features and Updates
Mend AI is now available in all the repository integrations!
The Mend AI detection is performed automatically as part of your SCA scan.
Mend AI results are only available in the Mend AppSec Platform UI.
Upgraded the Node version in the scanner from 20.12.0 to 22.11.0.
(SAST) Introduced the capability to scan both source code and configuration files for exposed credentials. This feature can be enabled using the enableSecretsScan parameter.
Version 25.5.1 (08-June-2025)
Unified Agent 25.4.3-179 | Renovate 39.264.0 | Remediate 25.5.1 | Pre-Scan Builder (PSB) 25.4.1
Resolved Issues
Fixed a bug where commits with code changes to a submodule were not being scanned.
Version 25.4.2 (04-May-2025)
Unified Agent 25.4.2-169 | Renovate 39.257.3 | Remediate 25.4.2 | Pre-Scan Builder (PSB) 25.4.1
New Features and Updates
The “CVE” column in check run and issues tables has been renamed as "Vulnerability".
(SAST) SAST scanning now supports timeout values exceeding 30 minutes.
Resolved Issues
(SCA) Fixed scenarios where a null message parameter within exceptions in the resolution phase led to an additional, unhandled exception, which failed the scan entirely.
Version 25.4.1 (20-April-2025)
Unified Agent 25.3.2-163 | Renovate 39.238.0 | Remediate 25.4.1 | Pre-Scan Builder (PSB) 25.3.1
New Features and Updates
Changes in the
packages.lock.jsonfile will now trigger scans.
Version 25.3.2 (07-April-2025)
Unified Agent 25.3.2-163 | Renovate 39.200.0 | Remediate 25.3.2 | Pre-Scan Builder (PSB) 25.3.1
Resolved Issues
Fixed an issue where Reachability was skipped and partial results were produced in Reachability-enabled scans of projects containing private registries.
Version 25.3.1.1 (02-April-2025)
Resolved Issues
Hotfix: Fixed an issue in the SCA scanner where the execution of the
pip downloadcommand resulted in[WARN] 'Read error'messages in the logs due to environment configuration, causing a reachability failure.
Version 25.3.1 (23-March-2025)
Unified Agent 25.1.2-146 | Renovate 39.200.0 | Remediate 25.3.1 | Pre-Scan Builder (PSB) 25.3.1
New Features and Updates
(SAST) Developers can now suppress security findings directly in the code repository without needing to log into the Mend application. This prevents context switches and streamlines the development process, because developers will not get blocked by false positives anymore. This feature can be disabled via a new configuration option in the .ws file if restricted developer autonomy is preferred.
Remediate: Upgraded dependency from
npm v9tonpm v10.
Resolved Issues
Fixed an issue where the path was not properly displayed when issues were grouped by vulnerability, and the same CVE appeared in two source files.
Fixed a bug where cloning a pull request from a forked repository was failing if the branch name existed only in the forked repo.
Removed two vulnerabilities from the Scanner image (25.1.1.3):
CVE-2021-29425
CVE-2024-47554
Version 25.2.2 (09-March-2025)
Unified Agent 25.1.2-146 | Renovate 39.185.2 | Remediate 25.2.2 | Pre-Scan Builder (PSB) 25.2.2
New Features and Updates
Mend scans can now be silenced, to reduce noise for developers. The results of the scans will still be visible in the Mend AppSec Platform, but no issues or check runs within the repository will be created.
Resolved Issues
Fixed an issue in the scanner where the
dotnet restorecommand would execute in the wrong directory when multiple .csproj files were present in the original directory.Fixed an issue where particularly large log files failed to get uploaded to the ‘ws-logs’ GitHub repository.
Fixed a bug in Mend Remediate where remediation was not suggesting the correct package version.
Version 25.2.1 (23-February-2025)
Unified Agent 25.1.2-146 | Renovate 39.145.0 | Remediate 25.2.1 | Pre-Scan Builder (PSB) 25.1.2
New Features and Updates
A
sourceUrltag containing information about the URL of the scanned repository will be added to projects in the Legacy SCA Application and to both projects and scans in the Mend AppSec Platform.(SAST) Triggering manual Code scans via the scan.json file is now supported for any configured base branch, not just the default branch.
Resolved Issues
Fixed a Remediate issue where a single invalid remediation suggestion would result in an entire batch of suggestions being suppressed. As a result of this fix, more remediation pull requests could be created, each with its own branch, which can result in increased SCA scanning activity.
Version 25.1.2 (10-February-2025)
Unified Agent 25.1.2-146 | Renovate 39.107.0 | Remediate 25.1.2 | Pre-Scan Builder (PSB) 25.1.2
New Features and Updates
The default Python version in the scanner was updated to 3.9.
Resolved Issues
Fixed an issue where incorrect parsing of gem (Ruby) library versions containing platform-specific suffixes, e.g.,
nokogiri (1.17.2-x86_64-linux), led to those libraries not being identified.
Version 25.1.1 (26-January-2025)
Unified Agent 25.1.1-134 | Renovate 39.107.0 | Remediate 25.1.1 | Pre-Scan Builder (PSB) 25.1.1
New Features and Updates
Users can now control whether SCA scanning is enabled or disabled using the
enableSCAfield in the configuration file. Disabling SCA does not affect SAST scanning.(SAST) Added support for scanning multiple base branches into dedicated projects on GitHub.com. This allows security managers to monitor and set policies for each branch individually.
Resolved Issues
Fixed an issue where the existence of “setup.py” in certain filenames caused the scanner to mistakenly identify such files as manifest files, leading to false dependencies being reported in the scan results of scanned Python projects.
Fixed an issue in the scanner where, under certain conditions, some scans would fail due to a
java.lang.NoSuchMethodErrorexception.
Version 24.12.2 (12-January-2025)
Unified Agent 24.12.1-123 | Renovate 39.80.0 | Remediate 24.12.2 | Pre-Scan Builder (PSB) 24.11.2
New Features and Updates
(Open Beta) Reachability for .NET is now available, supporting applications developed in C# and utilizing the NuGet package manager. This enhancement enables the detection of reachable vulnerabilities within .NET projects, helping to improve security analysis and reduce false positives.
libs.gradle files are now supported for triggering scans.
Resolved Issues
Fixed a bug where Remediate jobs were being triggered for repos not in the “includedRepos” list.
Version 24.12.1 (06-January-2025)
Unified Agent 24.12.1-123 | Renovate 39.80.0 | Remediate 24.12.1 | Pre-Scan Builder (PSB) 24.11.2
New Features and Updates
Improved error and warning messages in strict mode for Ruby scans.
Resolved Issues
Fixed an issue where Pipenv or Poetry scans experienced Security Check errors under certain conditions.
Version 24.11.2 (15-December-2024)
Unified Agent 24.11.2-87 | Renovate 39.49.0 | Remediate 24.11.2 | Pre-Scan Builder (PSB) 24.11.2
New Features and Updates
Mend Renovate Enterprise Edition now supports a read-only filesystem.
This allows for a more sandboxed running environment, helping to reduce the ability for malicious software to leak onto the machines that are processing Renovate jobs.The SCA scanner now supports .NET version 9.
Resolved Issues
Fixed a bug where the scanner was failing when attempting to scan repos with names that start with “-”.
Version 24.11.1 (01-December-2024)
Unified Agent 24.11.1-60 | Renovate 38.142.7 | Remediate 24.11.1 | Pre-Scan Builder (PSB) 24.9.2
New Features and Updates
(Open Beta) Reachability for Python now supports the Conda package manager.
Improved error and warning messages in strict mode for Pip, Poetry and Pipenv scans.
(SAST) Remediation suggestions can now be generated from GitHub Issues created per single finding.
Resolved Issues
Fixed an issue using privateKey values for Renovate/Remediate.
(SAST) In case a Code scan is finished partially, missing findings are not reported as resolved anymore in the GitHub check run. Instead it is clearly indicated that the scan was partial.
Version 24.10.3 (17-November-2024)
Unified Agent 24.10.3-199 | Renovate 38.142.7 | Remediate 24.10.3 | Pre-Scan Builder (PSB) 24.9.2
New Features and Updates
(Open Beta) Reachability for Python now supports the Poetry package manager.
The following parameters can now configured to be either overridden or appended to:
"includes", "excludes", "archiveIncludes", and "archiveExcludes", by using the "uaConfigMergeSetting" parameter in the repo-config.json file.
Version 24.10.2 (03-November-2024)
Unified Agent 24.10.2-198 | Renovate 38.115.1 | Remediate 24.10.2 | Pre-Scan Builder (PSB) 24.9.2
New Features and Updates
(Open Beta) Reachability for Python is now available in the repo integration.
This feature enhances visibility and significantly reduces noise. By focusing on actionable insights, it empowers you to take targeted and effective remediation actions.
To enable Python Reachability, follow the instructions in this article.
(SAST) The "Date" column of the findings table was renamed as "Detected", to make it more explicit.
(SAST) Scans on feature branches are now always performed as incremental scans.
Resolved Issues
Fixed a mismatch issue where the License checkrun didn't show a partial scan failure warning while the Vulnerability checkrun did.
Version 24.10.1 (21-October-2024)
Unified Agent 24.10.1-191 | Renovate 38.115.1 | Remediate 24.10.1 | Pre-Scan Builder (PSB) 24.9.2
Resolved Issues
Fixed an issue when making changes to a pull request, if the latest commit did not contain a qualifying commit to trigger a Mend scan, the status checks on the pull request would show as "Neutral" even if the previous scan was a valid passing Mend scan.
The status will now be inherited from previous scans results.
Version 24.9.2 (13-October-2024)
Unified Agent 24.9.1.2-185 | Renovate 38.59.2 | Remediate 24.9.2 | Pre-Scan Builder (PSB) 24.9.1-1
New Features and Updates
Upgraded the default Python version in the scanner to 3.8.12 and the default poetry version to 1.6.0.
Resolved Issues
Fixed an issue where the check run status was stuck in status "In progress" while retrying a failed scan.
Fixed an issue accessing public dependencies not available in private Gradle registries during the pre-scan build (PSB).
Fixed an issue of failing Gradle scans when java home was set in gradle.properties.
(SAST) Implemented a logic that prevents user-created PR comments from erroneously being removed by a Code Security scan, in certain scenarios.
Version 24.9.1 (22-September-2024)
Unified Agent 24.9.1-180 | Renovate 37.440.7 | Remediate 24.8.2 | Pre-Scan Builder (PSB) 24.8.1
New Features and Updates
When a *.gemspec file is added or edited, a scan will be triggered automatically.
Resolved Issues
Fixed an issue where Mend projects were created in the default Mend organization instead of the specified Product/Application when using the
customPropertyProductMappingfeature, if the .whitesource file defined additional base branches beyond those in the global configuration.Fixed an issue where setting the "configMode" in the global config file was not inherited by the regular repository if the parameter values were uppercase (e.g., LOCAL/EXTERNAL).
Version 24.8.2 (09-September-2024)
Unified Agent 24.8.1-159 | Renovate 37.440.7 | Remediate 24.8.2 | Pre-Scan Builder (PSB) 24.8.1
New Features and Updates
(SAST) [Controlled Release] To help developers reduce the security risk, Mend.io now offers automated remediation suggestions for Code findings in Java, JavaScript/TypeScript and C#.
Within the repository integration, an end-to-end remediation flow is offered, allowing developers to immediately update their feature branches with a click of a button to fix a newly introduced vulnerability before merging the code.
More details about the automatic remediation for Code Findings and how to enable it can be found here.
Resolved Issues
Fixed an issue where uppercase letters in the excludes statement in the whitesource.config file were being read as lowercase.
(SAST) Fixed an issue that led to failing Code scans in GitHub when they were manually triggered through the commit of a scan.json file.
Version 24.8.1.2 (28-August-2024)
Unified Agent 24.8.1-159 | Renovate 37.440.7 | Remediate 24.8.1 | Pre-Scan Builder (PSB) 24.8.1
New Features and Updates
Implemented a throttling mechanism to prevent spikes in API calls during Issue syncs that could lead to rate limit failures and inconsistencies between GitHub issues and the Mend UI.
Resolved Issues
Fixed an issue which led to NuGet hostRules being ignored by the integration.
Version 24.7.2 (11-August-2024)
Unified Agent 24.7.2-155 | Renovate 37.440.7 | Remediate 24.7.2 | Pre-Scan Builder (PSB) 24.7.2
New Features and Updates
(SAST) The "Code Security Report" of a GitHub report now links to the corresponding project in the Mend Platform, not to a specific scan.
Resolved Issues
Fixed an issue where a non-primitive custom property (e.g. array) on a GitHub repository caused an exception in the controller.
Fixed an issue that led to incorrect Gradle versions being used by the scanner to resolve dependencies in projects that use Java 17 or above.
(SAST) Triggering manual Code scans in GitHub through the commit of a scan.json file is now working correctly.
Version 24.7.1 (28-July-2024)
Unified Agent 24.7.1-148 | Renovate 37.438.0 | Remediate 24.7.1 | Pre-Scan Builder (PSB) 24.6.2
New Features and Updates
Users can now set
configModeto LOCAL in the global configuration, which repos will inherit. The global configuration can include a whitesource.config file, merged with local repo configurations. Repository-level configuration overrides global configuration. This behavior also applies to the use ofconfigExternalURL.
Resolved Issues
Fixed an issue leading to the controller failing to process large IaC scan results.
Fixed an edge-case null pointer exception that caused the Scanner to fail.
Version 24.6.2 (15-July-2024)
Unified Agent 24.6.2-146 | Renovate 37.425.1 | Remediate 24.6.2 | Pre-Scan Builder (PSB) 24.6.2
New Features and Updates
git-lfs is now installed in the Scanner and Remediate, for successful scanning of repositories that require this technology, to be properly cloned.
Resolved Issues
Fixed an issue leading to a false partial result message in the scanner, for some .NET project scans.
Version 24.6.1 (01-July-2024)
Unified Agent 24.6.1-144 | Renovate 37.413.2 | Remediate 24.6.1.1 | Pre-Scan Builder (PSB) 24.6.1
New Features and Updates
Improved the logic for the scheduled issue sync to only sync projects with changes to CVE list, CVE scores or ignored alerts, instead of syncing all projects with any modification to the Alerts category (applicable for Mend SCA Core).
.NET versions in the scanner were updated to: 6.0.421, 7.0.408, 8.0.204.
Resolved Issues
Fixed an issue where the overrideConfigAllowList set in global-config.json did not work if the not allowed repository had the inheritsFrom property.
Fixed an issue where neutral checks after failures were incorrectly displayed as passed when using failOnVulnerabilityMinCvss in a feature branch.
Fixed an issue with PSB falsely warning about an invalid hostType (
hostType gradle)when"hostType": "maven"is configured in the hostRule.
Version 24.5.3 (16-June-2024)
Unified Agent 24.5.3-137 | Renovate 37.368.10 | Remediate 24.5.3 | Pre-Scan Builder (PSB) 24.5.3
New Features and Updates
Partial failure reports controlled by the strictMode parameter were enhanced to include errors and warnings generated by the Unified Agent. The report structure was also updated to provide a better user experience.
Added support for custom product mapping using GitHub repository custom properties, controlled using the customPropertyProductMapping parameter.
Resolved Issues
Fixed an issue that caused a null pointer exception when handling GitHub check run timeout requests.
Fixed an issue where enabling both LOG_FORMAT_JSON and EXTERNAL_LOG_IN_CONSOLE caused duplicate log statements in JSON and plaintext formats.
Version 24.5.2 (02-June-2024)
Unified Agent 24.5.1-134 | Renovate 37.368.10 | Remediate 24.5.2 | Pre-Scan Builder (PSB) 24.5.2
New Features and Updates
The strictMode parameter now supports updated values:
none: No warnings or errors published in the Scan Details report.
warning: Warnings and errors published, but do not cause Security Check failures.
failure: Warnings and errors published, and errors cause Security Check failures.
failOnWarning: Warnings and errors published, and both cause Security Check failures.
Added a new parameter strictModeInfo to control the inclusion of INFO logs in the Scan Details report.
Node was updated to version 20.12.0 in the scanner
npm was updated to version 10.5.0 in the scanner
Resolved Issues
(SAST) Commits without analysis-relevant files are now handled correctly.
Version 24.5.1.2 (20-May-2024)
Unified Agent 24.5.1-134 | Renovate 37.351.2 | Remediate 24.4.2 | Pre-Scan Builder (PSB) 24.5.1
New Features and Updates
Versions 3.10 and 3.12 of Python are now installed into the Scanner, for scanning projects using these versions.
A scan will now be triggered when changes are made to a Cargo.lock file.
Partial failure reports controlled by the strictMode parameter now have an updated markdown where all results are presented in collapsible sections.
overrideConfigAllowList can now be set in the global-config.json file. This new implementation fixes a known issue that caused repos that are not allowed to override global configuration to get a failed Configuration Update Check (in case of wrongly formatted .whitesource file).
Resolved Issues
Fixed an issue that prevented Config Change check from failing when instead of the standard " U+0022 QUOTATION MARK, the “ U+201C LEFT DOUBLE QUOTATION MARK or ” U+201D RIGHT DOUBLE QUOTATION MARK were used.
Fixed an issue where the controller logs contained incorrect repository names and incorrect log messages during app re-installation events (Org name was used where Repo name should have been used).
Fixed an issue that could prevent issue publishing due to a null pointer exception.
Fixed: In some scenarios of npm resolution, unhandled exceptions during the parsing of package.json files led to scan failure. The previously unhandled exceptions will now be handled properly. Furthermore, a partial result warning will be reported by the Unified Agent, in case a package.json file couldn’t be parsed.
Fixed an issue where archived GitHub repositories were causing error messages in the controller logs during issue sync flows.
Version 24.4.2 (06-May-2024)
Unified Agent 24.4.1-132 | Renovate 37.313.1 | Remediate 24.4.2 | Pre-Scan Builder (PSB) 24.4.1-1
Resolved Issues
Fixed issue where GitHub API call optimization was not implemented in all required processes.
Version 24.4.1.2 (21-April-2024)
Unified Agent 24.4.1-132 | Renovate 37.261.0 | Remediate 24.4.1 | Pre-Scan Builder (PSB) 24.4.1
New Features and Updates
SCA Reachability | Improvements have been made, to reduce memory used in reachability scans and enhance performance. Memory usage has been reduced by approximately 33%.
Improved error and warning messages in strictMode for Nuget scans.
Improved reporting of Unified Agent failures in Gradle projects.
SPM Swift resolution is now supported by the Unified Agent, including error and warning messages in strictMode for Swift scans.
Resolved Issues
Fixed an issue where the strictMode setting was not correctly creating reports and failing the Security Check if there were no vulnerabilities meeting the CVSS threshold defined in failOnVulnerabilityMinCvss.
Previously, if lock files were found in the repo and the private registry was configured via host rules, the configuration via host rules was not used. Moving forward, host rules configuration will be used to define private registry credentials regardless of the presence of lock files in the repo.