Mend for GitHub Enterprise Release Notes

Mend.io may modify this page retroactively from time to time.

  • This integration is not hosted by Mend.io; it is self-hosted. New major versions are traditionally released once a month and supported for six months after their release.

  • To download one of the supported versions, click the desired version.

  • To stay informed about hotfixes, modifications, and additions to Mend.io's products, check this page from time to time in between releases, or use our RSS Feed.

  • Click here to view known issues in repo integrations.

  • Release notes refer to SCA unless explicitly denoted otherwise.

  • Visit the release notes hub for all Mend.io release notes. Most notably:

Version 26.5.1.4 (19-June-2026)

  • Security hotfix: Upgraded a few packages in the scanner to resolve CVEs.

Version 26.5.1.2 (01-June-2026)

Unified Agent 26.4.3.1 | Renovate 43.141.3 | Remediate 26.5.1 | Pre-Scan Builder (PSB) 25.8.1

New Features and Updates

  • (SAST) Introducing seamless two-way communication between developers and security reviewers on security findings. Developers can now comment on findings directly from their repository, while reviewer comments from the Mend Platform are instantly visible to developers, streamlining collaboration and accelerating issue resolution.

    • For GitHub Enterprise (using the .whitesource file), security actions such as suppressing findings can now be triggered by posting a comment on the PR or issue instead of checking a checkbox. This makes it easier to add context when suppressing a finding and provides clearer feedback confirming that an action was performed.

    • Introduced a new issueType configuration option - findingsIncludingPullRequests - which creates a separate issue for all findings on both base branches and on feature branches with pull requests to base branches.

    • When that option is enabled, developers and security reviewers can communicate directly on security findings without leaving their tools. Developers can add comments on findings from their GitHub Enterprise repository, and comments added by security reviewers in the Mend Platform are automatically synced to the repository. Likewise, comments added in the repository (via a special command) are synced back to the Mend Platform, ensuring conversations stay mirrored and visible in both locations. This eliminates the need for back-and-forth communication through external channels, making it faster and easier to clarify remediation steps and resolve security issues.

    • Introduced the ability for organizations to configure which SAST suppression reasons are available to developers in GitHub by specifying an array in the .whitesource file, enabling enforcement of custom suppression policies.

    • When suppression requests are approved or rejected, the corresponding GitHub issue gets updated.

    • The feature will be rolled out gradually in the next two weeks.

  • Added logic to prevent AI scans from running on feature branches during repository integration scans. AI scans will now only run on base branches, ensuring feature branches are excluded from automated AI analysis.

  • (SAST) Security managers can now configure which suppression reasons are available to developers when requesting a SAST suppression. By adding a suppressionReasons array to scanSettingsSAST in the .whitesource file, organizations can restrict the available options to any combination of false-positive, acceptable-risk, temporarily-ignore, etc. — ensuring developers can only submit justifications aligned with the organizational policy.

  • (Renovate) Introduced enhanced customization in Renovate Enterprise Cloud, enabling organizations to run custom scripts and configure environment variables and headers. These new capabilities, powered by secure MicroVM technology, provide greater flexibility and control for enterprise users. For more details, refer to the Renovate documentation.
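
The suppressionReasons restriction described above only holds if each repository's .whitesource file actually carries the approved list. The following check is an added example, not Mend.io code: it audits .whitesource contents against an organizational allow-list. It assumes the file is JSON; the policy set, the function names and the sample files are constructed for illustration, and only the scanSettingsSAST and suppressionReasons keys and the three reason values come from this page.

```python
import json

# Assumed organizational policy: the only reasons developers may select.
ORG_ALLOWED_REASONS = frozenset({"false-positive", "acceptable-risk"})

def audit_suppression_reasons(whitesource_text, allowed=ORG_ALLOWED_REASONS):
    """Return a list of findings for one .whitesource file; empty means compliant."""
    try:
        config = json.loads(whitesource_text)
    except json.JSONDecodeError as exc:
        return [f"unparseable .whitesource: {exc.msg}"]
    if not isinstance(config, dict):
        return ["top level is not a JSON object"]
    sast = config.get("scanSettingsSAST")
    if not isinstance(sast, dict):
        return ["scanSettingsSAST not set"]
    reasons = sast.get("suppressionReasons")
    if reasons is None:
        return ["suppressionReasons not set"]
    if not isinstance(reasons, list) or not all(isinstance(r, str) for r in reasons):
        return ["suppressionReasons must be an array of strings"]
    extra = sorted(set(reasons) - set(allowed))
    if extra:
        return ["reasons outside policy: " + ", ".join(extra)]
    return []

def audit_repos(files_by_repo, allowed=ORG_ALLOWED_REASONS):
    """Map repo name -> findings, keeping only repos that deviate from policy."""
    report = {}
    for repo, text in files_by_repo.items():
        findings = audit_suppression_reasons(text, allowed)
        if findings:
            report[repo] = findings
    return report

# Constructed sample .whitesource contents (not taken from any real repository).
COMPLIANT = '{"scanSettingsSAST": {"suppressionReasons": ["false-positive", "acceptable-risk"]}}'
DRIFTED = '{"scanSettingsSAST": {"suppressionReasons": ["false-positive", "temporarily-ignore"]}}'
UNSET = '{"scanSettingsSAST": {}}'

if __name__ == "__main__":
    sample = {"org/payments": COMPLIANT, "org/web": DRIFTED, "org/tools": UNSET}
    for repo, findings in audit_repos(sample).items():
        print(repo, "->", "; ".join(findings))
```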

Resolved Issues

  • Fixed an issue where deleting a GitHub Enterprise organization did not remove the corresponding Mend product/application, resulting in orphaned entries. Now, Mend correctly deletes the product/application when the organization is deleted.

  • (SCA) Fixed an issue where projects specifying .NET 10 in the .csproj file did not resolve dependencies as expected. The system now detects SDK version mismatches, automatically installs the required .NET SDK, and retries dependency resolution to ensure all dependencies are properly detected.

  • (SCA) Fixed an issue where preserved user agent properties were not enforced during SCM scans, allowing unintended overrides. Now, all relevant properties are correctly handled to ensure consistent enforcement.

Version 26.4.1.1 (19-April-2026)

Unified Agent 26.3.2 | Renovate 43.102.11 | Remediate 26.4.1 | Pre-Scan Builder (PSB) 25.8.1

New Features and Updates

  • Added support for disabling specific package manager resolvers using the {PACKAGE_MANAGER}.resolveDependencies parameter, allowing more granular control over dependency resolution.

  • Introduced a lower priority queue for Reachability "zero day" scans. This enhancement prevents system overload and ensures more reliable scan processing for enterprise customers with large deployments during periods of high CVE alert activity.

Resolved Issues

  • Fixed an issue where the clone, fetch, and checkout commands in the scanner were limited to a fixed 15‑minute timeout, which caused failures with large repositories. Timeouts are now configurable through the environment variables listed below, providing better support for large repositories.

    • GIT_CLONE_TIMEOUT_MINS 

    • GIT_FETCH_TIMEOUT_MINS 

    • GIT_CHECKOUT_TIMEOUT_MINS

(06-April-2026)

New Features and Updates

  • (SCA) The SCA scanner now automatically detects and uses the correct Python version specified in repository files, improving vulnerability detection accuracy for Python projects and reducing manual configuration. This update supports multiple version specification formats and provides clear user guidance, ensuring more reliable results for large-scale and enterprise users.

    • Note: The feature is only supported in version 26.3.1 of the integration or above.

Version 26.3.1 (23-March-2026)

Unified Agent 26.2.2 | Renovate 43.59.4 | Remediate 26.3.1 | Pre-Scan Builder (PSB) 25.8.1

New Features and Updates

  • (SCA) Added support for the uv package manager, enabling security scanning and Reachability analysis for Python projects managed with uv. Refer to this table for more details.

  • Manual scan triggering based on role-based authentication is now supported.

    • The previous method of storing a secret using MEND_CONTROLLER_API_SECRET is still supported.

Resolved Issues

  • (SCA) Fixed an issue where scans of .NET projects would fail with error MSB4057 if a <Project> tag existed under <ProjectReference> in the csproj file. Scans now complete successfully in this scenario.

  • (SCA) Fixed an issue where Gradle dependencies failed to resolve for React Native Android projects, ensuring accurate detection and resolution of dependencies by properly handling project structure and Gradle wrapper logic.

  • (SCA) Fixed an issue where post-scan cleanup and statistics were not executed if the scan process ended with an error, ensuring proper handling and reporting even when scans fail.

Version 26.2.1.1 (23-February-2026)

Unified Agent 25.12.2 | Renovate 42.99.0 | Remediate 26.2.1 | Pre-Scan Builder (PSB) 25.8.1

Resolved Issues

  • Fixed an issue where the scanner could get stuck in a loop after a scan timed out, repeatedly logging timeout errors instead of properly cancelling the task. The process now ensures scans are cancelled as expected, improving reliability for long-running scans.

  • Fixed a bug which led to scans running for more than 6 hours and timing out.

  • Fixed an issue where the DockerfileFull output image size exceeded 20GB. The build process was optimized to reduce image size and improve efficiency.

Version 26.1.1 (25-January-2026)

Unified Agent 25.11.1-223 | Renovate 42.74.5 | Remediate 26.1.1 | Pre-Scan Builder (PSB) 25.8.1

New Features and Updates

  • The default repo cloning utility has been changed from JGit to Git Shell. This is controllable via the WS_GIT_CONNECTOR scanner environment variable.

Resolved Issues

  • Fixed an issue where marking a license alert as “Ignored” in the Mend Platform would not prevent the integration from listing it as a policy violation in the License Check run and auto-creating a GitHub issue for it.

  • Fixed a bug where PR scans were skipped when the PR originated from a cross-org fork.

  • Upgraded the "cryptography" library in the scanner from version 42.0.2 to 46.0.3, to fix CVE-2024-26130.

  • Fixed an authentication issue which led to project installation errors in npm scans if non-default ports were configured to communicate with the package registry. The scanner now correctly preserves the port in the .npmrc file, ensuring proper credential matching and preventing installation errors for projects using custom registry setups.

Version 25.12.1 (05-January-2026)

Unified Agent 25.11.1-223 | Renovate 42.59.0 | Remediate 25.12.1 | Pre-Scan Builder (PSB) 25.8.1

New Features and Updates

  • (SCA) An SCA scan will now be triggered when a versions.kt file is added or modified.

Resolved Issues

  • Fixed a bug where triggering a manual scan via API resulted in a 404 error when the controller webhook interceptor was configured for HTTPS.

  • Fixed a bug where Out of Memory (OOM) errors were raised while reading HTTP responses.

  • (SCA) Fixed an issue where invalid system paths in certain pnpm and Yarn projects caused Reachability analysis to fail.

(15-November-2025)

New Features and Updates

  • (SCA) Conan support in SCA scans, including Reachability analysis, is now generally available.