Mend.io may modify this page retroactively from time to time.
-
This integration is not hosted by Mend.io, it’s self-hosted. New major versions are traditionally released once a month and supported until the first version of the sixth month after their release. Example: 26.7.1 rotates out all 26.1.x versions, and so on.
-
To download one of the supported versions, click the desired version.
-
To stay informed about hotfixes, modifications, and additions to Mend.io's products, check this page from time to time in between releases, or use our RSS Feed:
-
Click here to view known issues in repo integrations.
-
Release notes refer to SCA unless explicitly denoted otherwise.
-
Visit the release notes hub for all Mend.io release notes. Most notably:
Version 26.6.1.3 (08-July-2026)
Resolved Issues
-
Fixed an issue where the Gradle `mendDeps` pre-step was executed in the incorrect directory when using the SCA orchestrator. This occurred due to a path resolution mismatch that caused the process to default to the workspace root instead of the specific project directory. The logic has been corrected to ensure Gradle commands run in the proper context, allowing for successful dependency resolution and preventing failures in multi-module or nested repository structures.
-
Fixed an issue where scan results were sorted alphabetically, potentially causing high-severity findings to be omitted due to database column size limitations. Results are now prioritized by severity level, ensuring that the most critical vulnerabilities are always reported and accurately reflected in scan success or failure statuses.
Version 26.6.1.2 (28-June-2026)
Unified Agent 26.5.1 | Renovate 43.235.0 | Remediate 26.6.1 | Pre-Scan Builder (PSB) 25.8.1
New Features and Updates
-
Introduced a new configuration field, `arrayInheritanceSetting`, which allows users to control whether specific array-type fields in the local `.whitesource` file append to or override global values from `repo-config.json`. This update enables more granular control over repository settings, such as the ability to re-enable scan customization hooks for individual repositories even when they are disabled globally. Supported fields include scan settings, base and release branches, and issue settings.
-
(SCA) Java 25 projects are now supported in SCA scans.
-
(SAST) It’s now possible to control which GitHub repositories are included in or excluded from SAST scanning directly from global-config.json, using the new
sastsub-key undeignoredReposandincludedRepos. This allows a gradual SAST rollout across an organization without modifying per-repository .whitesource files and without affecting other scanners. Applies to GitHub repositories configured via .whitesource. -
(Renovate Enterprise Self-hosted) Introduced a comprehensive Dependency Dashboard in the Renovate Self-hosted Web UI, providing users with centralized visibility and actionable control over dependency management. The dashboard features dedicated sections for repository notes and warnings, detected dependencies, and suggested updates. Users can now directly trigger Renovate jobs, create or open pull requests, and retry or rebase updates. This enhancement streamlines workflows and ensures parity for environments where in-repository dashboards are unavailable.
-
(Renovate) (Open Beta) Mend Remediate can be replaced with Renovate EE with all its features, APIs, Web-UI and all additional features to come. This allows existing Mend Repository Integration users to deploy Renovate EE instead of the existing Remediate containers.
More documentation on this can be found at Remediate docs.
Resolved Issues
-
Fixed an issue where GitHub issues were incorrectly closed when the project hierarchy response exceeded the 200MB size limit. The system now correctly identifies these large responses as API failures rather than empty projects, ensuring that existing GitHub issues remain open and untouched when a scan cannot be completed due to response size constraints.
-
Fixed an issue where renaming a repository and triggering a scan from a non-default branch caused the default branch project to be incorrectly named with a literal "_DEFAULT_BRANCH" suffix. This fix ensures that project names are correctly synchronized with the new repository name across all branches, maintaining consistent naming conventions.
-
(SCA) Fixed an issue where Mend SCA check runs were not created for pull requests originating from forks within the same GitHub organization. The system now correctly identifies same-organization forks by comparing the full repository name, ensuring that security scans are triggered for all fork-based pull requests.
-
(SCA) Fixed an issue where the `gradle.additionalArguments` parameter was not correctly applied when defined within the `whitesource.config` file during repository integrations.
-
(SAST) Fixed an issue where manual SAST scans could be triggered via the API even if SAST was not enabled for the target repository. The system now correctly verifies repository settings before initiating a scan, ensuring that no check-runs or security reports are generated for repositories without SAST enablement.
-
(Remediate) Fixed an issue where Mend Remediate incorrectly opened First Fix pull requests instead of Least Vulnerable Package (LVP) pull requests, even when the LVP feature was enabled in the repository integration. The fix ensures that the preferred LVP version is correctly identified and proposed to minimize security risks.
-
Several CVE fixes.
-
Fixed an issue where renaming a repository in GitHub Enterprise (GHE) multi-org deployments failed to update the corresponding Mend project name, even when `repoNameSync` was enabled. This occurred due to an authentication error when the system incorrectly used administrative credentials instead of the specific user's email for the update process. The synchronization now correctly updates both project names and tags across all GHE deployment types.
Version 26.5.1.4 (19-June-2026)
-
Security hotfix: Upgraded a few packages in the scanner to resolve CVEs.
Version 26.5.1.2 (01-June-2026)
Unified Agent 26.4.3.1 | Renovate 43.141.3 | Remediate 26.5.1 | Pre-Scan Builder (PSB) 25.8.1
New Features and Updates
-
(SAST) Introducing seamless two-way communication between developers and security reviewers on security findings. Developers can now comment on findings directly from their repository, while reviewer comments from the Mend Platform are instantly visible to developers, streamlining collaboration and accelerating issue resolution.
-
For GitHub Enterprise (using the .whitesource file), security actions such as suppressing findings can now be triggered by posting a comment on the PR or issue instead of checking a checkbox. This makes it easier to add context when suppressing a finding and provides clearer feedback confirming that an action was performed.
-
Introduced a new issueType configuration option -
findingsIncludingPullRequests- which creates a separate issue for all findings on both base branches and on feature branches with pull requests to base branches. -
When that option is enabled, developers and security reviewers can communicate directly on security findings without leaving their tools. Developers can add comments on findings from their GitHub Enterprise repository, and comments added by security reviewers in the Mend Platform are automatically synced to the repository. Likewise, comments added in the repository (via a special command) are synced back to the Mend Platform, ensuring conversations stay mirrored and visible in both locations. This eliminates the need for back-and-forth communication through external channels, making it faster and easier to clarify remediation steps and resolve security issues.
-
Introduced the ability for organizations to configure which SAST suppression reasons are available to developers in GitHub by specifying an array in the .whitesource file, enabling enforcement of custom suppression policies.
-
When suppression requests are approved or rejected, the corresponding GitHub issue gets updated.
-
The feature will be rolled out gradually in the next two weeks.
-
-
Added logic to prevent AI scans from running on feature branches during repository integration scans. AI scans will now only run on base branches, ensuring feature branches are excluded from automated AI analysis.
-
(SAST) Security managers can now configure which suppression reasons are available to developers when requesting a SAST suppression. By adding a suppressionReasons array to scanSettingsSAST in the .whitesource file, organizations can restrict the available options to any combination of false-positive, acceptable-risk, temporarily-ignore, etc. — ensuring developers can only submit justifications aligned with the organizational policy.
-
(Renovate) Introduced enhanced customization in Renovate Enterprise Cloud, enabling organizations to run custom scripts and configure environment variables and headers. These new capabilities, powered by secure MicroVM technology, provide greater flexibility and control for enterprise users. For more details, refer to the Renovate documentation.
Resolved Issues
-
Fixed an issue where deleting a GitHub Enterprise organization did not remove the corresponding Mend product/application, resulting in orphaned entries. Now, Mend correctly deletes the product/application when the organization is deleted.
-
(SCA) Fixed an issue where projects specifying .NET 10 in the .csproj file did not resolve dependencies as expected. The system now detects SDK version mismatches, automatically installs the required .NET SDK, and retries dependency resolution to ensure all dependencies are properly detected.
-
(SCA) Fixed an issue where preserved user agent properties were not enforced during SCM scans, allowing unintended overrides. Now, all relevant properties are correctly handled to ensure consistent enforcement.
Version 26.4.1.1 (19-April-2026)
Unified Agent 26.3.2 | Renovate 43.102.11 | Remediate 26.4.1 | Pre-Scan Builder (PSB) 25.8.1
New Features and Updates
-
Added support for disabling specific package manager resolvers using the {PACAKGE_MANAGER}.resolveDependencies parameter, allowing more granular control over dependency resolution.
-
Introduced a lower priority queue for Reachability "zero day" scans. This enhancement prevents system overload and ensures more reliable scan processing for enterprise customers with large deployments during periods of high CVE alert activity.
Resolved Issues
-
Fixed an issue where the clone, fetch, and checkout commands in the scanner were limited to a fixed 15‑minute timeout, which caused failures with large repositories. Timeouts are now configurable through the environment variables listed below, providing better support for large repositories.
-
GIT_CLONE_TIMEOUT_MINS
-
GIT_FETCH_TIMEOUT_MINS
-
GIT_CHECKOUT_TIMEOUT_MINS
-
(06-April-2026)
New Features and Updates
-
(SCA) The SCA scanner now automatically detects and uses the correct Python version specified in repository files, improving vulnerability detection accuracy for Python projects and reducing manual configuration. This update supports multiple version specification formats and provides clear user guidance, ensuring more reliable results for large-scale and enterprise users.
-
Note: The feature is only supported in version 26.3.1 of the integration or above.
-
Version 26.3.1 (23-March-2026)
Unified Agent 26.2.2 | Renovate 43.59.4 | Remediate 26.3.1 | Pre-Scan Builder (PSB) 25.8.1
New Features and Updates
-
(SCA) Added support for the uv package manager, enabling security scanning and Reachability analysis for Python projects managed with uv. Refer to this table for more details.
-
Note: The SCA orchestrator scanner environment variable must be enabled for uv detection to work (
MEND_SCA_ORCHESTRATOR_ENABLED=true).
-
-
Manual scan triggering based on role-based authentication is now supported.
-
The previous method of storing a secret using
MEND_CONTROLLER_API_SECRETis still supported.
-
Resolved Issues
-
(SCA) Fixed an issue where scans of .NET projects would fail with error MSB4057 if a <Project> tag existed under <ProjectReference> in the csproj file. Scans now complete successfully in this scenario.
-
(SCA) Fixed an issue where Gradle dependencies failed to resolve for React Native Android projects, ensuring accurate detection and resolution of dependencies by properly handling project structure and Gradle wrapper logic.
-
(SCA) Fixed an issue where post-scan cleanup and statistics were not executed if the scan process ended with an error, ensuring proper handling and reporting even when scans fail.
Version 26.2.1.1 (23-February-2026)
Unified Agent 25.12.2 | Renovate 42.99.0 | Remediate 26.2.1 | Pre-Scan Builder (PSB) 25.8.1
Resolved Issues
-
Fixed an issue where the scanner could get stuck in a loop after a scan timed out, repeatedly logging timeout errors instead of properly cancelling the task. The process now ensures scans are cancelled as expected, improving reliability for long-running scans.
-
Fixed a bug which led to scans running for more than 6 hours and timing out.
-
Fixed an issue where the
DockerfileFulloutput image size exceeded 20GB. The build process was optimized to reduce image size and improve efficiency.
Version 26.1.1 (25-January-2026)
Unified Agent 25.11.1-223 | Renovate 42.74.5 | Remediate 26.1.1 | Pre-Scan Builder (PSB) 25.8.1
New Features and Updates
-
The repo cloning default utility has been changed from Jgit to Git Shell. This is controllable via the WS_GIT_CONNECTOR scanner environment variable.
Resolved Issues
-
Fixed an issue where marking a license alert as “Ignored” in the Mend Platform would not prevent the integration from listing it as a policy violation in the License Check run and auto-creating a GitHub issue for it.
-
Fixed a bug where PR scans were skipped when the PR originated from a cross-org fork.
-
Upgraded the "cryptography" library in the scanner from version 42.0.2 to 46.0.3, to fix CVE-2024-26130.
-
Fixed an authentication issue which led to project installation errors in npm scans if non-default ports were configured to communicate with the package registry. The scanner now correctly preserves the port in the
.npmrcfile, ensuring proper credential matching and preventing installation errors for projects using custom registry setups.
Version 25.12.1 (05-January-2026)
Unified Agent 25.11.1-223 | Renovate 42.59.0 | Remediate 25.12.1 | Pre-Scan Builder (PSB) 25.8.1
New Features and Updates
-
(SCA) An SCA scan will now be triggered when a
versions.ktfile is added or modified.
Resolved Issues
-
Fixed a bug where triggering a manual scan via API resulted in a 404 error when the controller webhook interceptor was configured for HTTPS.
-
Fixed a bug where Out of Memory (OOM) errors were raised while reading HTTP responses.
-
(SCA) Fixed an issue where invalid system paths in certain pnpm and Yarn projects caused Reachability analysis to fail.
(15-November-2025)
New Features and Updates
-
(SCA) Conan support in SCA scans, including Reachability analysis, is now generally available.