Mend for GitLab Release Notes

Mend.io may modify this page retroactively from time to time.

  • This integration is not hosted by Mend.io; it is self-hosted. New major versions are traditionally released once a month.

  • To stay informed about hotfixes, modifications, and additions to Mend.io's products, check this page from time to time in between releases, or use our RSS Feed.

  • Click here to view known issues in repo integrations.

  • Release notes refer to SCA unless explicitly denoted otherwise.

  • Visit the release notes hub for all Mend.io release notes. Most notably:

Version 25.10.1.2 (19-October-2025)

Unified Agent 25.7.2-196 | Renovate 41.97.10 | Remediate 25.10.1 | Pre-Scan Builder (PSB) 25.9.1

New Features and Updates

  • SCA Reachability is now available.

  • (SAST) Introducing a new approval process for security finding suppressions in code repositories. Developers can propose suppressions, while security managers can approve or reject them, ensuring control without development delays. This bridges developer and security workflows, enhancing efficiency.

  • (SAST) The onboarding configuration template for SCMs using .whitesource or .mend files now explicitly lists available options, including those that previously relied only on defaults, making it easier for users to understand and adjust the settings.
    Note: enableRemediation is intentionally not part of the onboarding template, as it requires activating the AI Usage toggle in the Mend AI Native AppSec Platform.

Version 25.9.1.2 (08-October-2025)

Unified Agent 25.7.2-196 | Renovate 41.97.10 | Remediate 25.9.1 | Pre-Scan Builder (PSB) 25.8.1

New Features and Updates

  • Introducing a new API endpoint for retrieving the number of pending webhooks in the system. This addition provides visibility into the current webhook state and enables users to scale up/down based on webhook backlog.

Version 25.8.1.1 (24-August-2025)

Unified Agent 25.4.3-179 | Renovate 41.71.1 | Remediate 25.8.1 | Pre-Scan Builder (PSB) 25.8.1

New Features and Updates

  • The First Fix remediation strategy is now available for Python in self-hosted repository integrations. Enable by setting the environment variable MEND_PYTHON_FIRSTFIX_ENABLED to ‘true’ (default is ‘false’).

Resolved Issues

  • (SAST) Fixed a bug in the proxy configuration of the repository integration which erroneously led to SAST scans not being triggered and a message about incorrect SAST credentials.

Version 25.7.1.1 (03-August-2025)

  • No notable updates.

Version 25.7.1 (28-July-2025)

  • No notable updates.

Version 25.6.1.3 (01-July-2025)

Resolved Issues

  • Updated the org.eclipse.jgit dependency in the scanner and controller to version 6.10.1.202505221210-r to fix CVE-2025-4949.

Version 25.6.1 (29-June-2025)

Unified Agent 25.4.3-179 | Renovate 40.62.1 | Remediate 25.6.1 | Pre-Scan Builder (PSB) 25.4.1

New Features and Updates

  • SAST is now available in the Mend for GitLab Repository Integration.
    Developers can now trigger automated SAST scans for every code change, offering real-time vulnerability feedback directly within the familiar GitLab environment.

  • Mend AI is now available as part of the integration.
    Disabled by default, Mend AI code scanning can be enabled by setting both of the following environment variables to ‘true’:
    MEND_SCA_ORCHESTRATOR_ENABLED (Default: false)
    MEND_AI_ENABLE_CODE_CAPABILITIES (Default: false)
    Mend AI results will be available automatically as part of your SCA scan results.

Resolved Issues

  • Fixed an issue where the controller did not recognize a push with a change to a Git submodule as valid, leading to scans not being triggered.

Version 25.4.3.11 (06-August-2025) (Hotfix)

New Features and Updates

  • Updated the following package managers in the scanner:
    Cocoapods: 1.11.2 → 1.16.2
    Go: 1.22.2 → 1.24.0
    R: 4.3.3 → 4.5.0

Version 25.4.3.2 (18-May-2025)

Unified Agent 25.4.3.179 | Renovate 39.257.3 | Remediate 25.4.3 | Pre-Scan Builder (PSB) 25.4.1

New Features and Updates

  • The “CVE” column in check run and issues tables has been renamed to “Vulnerability”.

Resolved Issues

  • Fixed scenarios where a null message parameter within exceptions in the resolution phase of the scanner led to an additional, unhandled exception, which failed the scan entirely.

Version 25.4.1 (20-April-2025)

Unified Agent 25.3.2-163 | Renovate 39.238.0 | Remediate 25.4.1 | Pre-Scan Builder (PSB) 25.3.1

New Features and Updates

  • Changes in the packages.lock.json file will now trigger scans.

  • GitLab Server users can now use the settingsInheritedFrom field to point to a subgroup’s global configuration (“whitesource-config”).

Version 25.3.1 (24-March-2025)

Unified Agent 25.1.2-146 | Renovate 39.200.0 | Remediate 25.3.1 | Pre-Scan Builder (PSB) 25.3.1

New Features and Updates

  • Remediate: Upgraded dependency from npm v9 to npm v10.

Resolved Issues

  • Fixed a bug in Mend Remediate where remediation was not suggesting the correct package version.

  • Removed two vulnerabilities from the Scanner image (25.1.1.3):
    CVE-2021-29425
    CVE-2024-47554

Version 25.2.1 (24-February-2025)

Unified Agent 25.1.2-146 | Renovate 39.145.0 | Remediate 25.2.1 | Pre-Scan Builder (PSB) 25.1.2

New Features and Updates

  • A sourceUrl tag containing information about the URL of the scanned repository will be added to projects in the Legacy SCA Application and to both projects and scans in the Mend AppSec Platform.

  • The default Python version in the scanner was updated to 3.9.

Resolved Issues

  • Fixed a scanner issue where incorrect parsing of gem (Ruby) library versions containing platform-specific suffixes, e.g., nokogiri (1.17.2-x86_64-linux), led to those libraries not being identified.

  • Fixed a Remediate issue where a single invalid remediation suggestion would result in an entire batch of suggestions being suppressed. As a result of this fix, more remediation pull requests could be created, each with its own branch, which can result in increased SCA scanning activity.

Version 25.1.1 (02-February-2025)

Unified Agent 25.1.1-134 | Renovate 39.107.0 | Remediate 25.1.1.1 | Pre-Scan Builder (PSB) 25.1.1

New Features and Updates

  • Mend for GitLab (self-hosted) now supports running the integration on gitlab.com (cloud). The installation guide is available here.

  • New parameter added to the config: enableNeutralCommitComment, which enables GitLab Server users to configure the Mend Integration to not show commit comments for neutral commits.

  • libs.gradle files are now supported for triggering scans.

Resolved Issues

  • Fixed a bug which caused Remediate jobs to be triggered for repos not in the “includedRepos” list.

  • Fixed an issue where the existence of “setup.py” in certain filenames caused the scanner to mistakenly identify such files as manifest files, leading to false dependencies being reported in the scan results of scanned Python projects.

  • Fixed an issue in the scanner where, under certain conditions, some scans would fail due to a java.lang.NoSuchMethodError exception.

Version 24.12.1 (06-January-2025)

Unified Agent 24.12.1-123 | Renovate 39.80.0 | Remediate 24.12.1 | Pre-Scan Builder (PSB) 24.11.2

New Features and Updates

  • The SCA scanner now supports .NET version 9.

  • Improved error and warning messages in strict mode for Ruby scans.

  • Kubernetes Intracluster Authentication is now supported. This can be achieved by using the REMEDIATE_SERVER_SECRET environment variable.
    Once set up, API calls that have an Authorization: Bearer $REMEDIATE_SERVER_SECRET header will be processed. The REMEDIATE_SERVER_SECRET environment variable needs to be added to both the Controller and Remediate containers.

  • Mend Renovate Enterprise Edition now supports a read-only filesystem.
    This allows for a more sandboxed running environment, helping to reduce the ability for malicious software to leak onto the machines that are processing Renovate jobs.

Resolved Issues

  • Fixed a bug where the Scanner was failing when attempting to scan repos whose names start with “-”.

  • Fixed an issue where Pipenv or Poetry scans experienced Security Check errors under certain conditions.

Version 24.11.1 (02-December-2024)

Unified Agent 24.11.1-60 | Renovate 38.142.7 | Remediate 24.11.1 | Pre-Scan Builder (PSB) 24.9.2

New Features and Updates

  • Improved error and warning messages in strict mode for Pip, Poetry and Pipenv scans.

  • The following parameters can now be configured to be either overridden or appended to by using the "uaConfigMergeSetting" parameter in the repo-config.json file:
    "includes", "excludes", "archiveIncludes", and "archiveExcludes".

  • Remediate Workers can now perform periodic disk cleanup.
    This is controlled with the following two new environment variables:
    MEND_REMEDIATE_WORKER_CLEANUP and MEND_REMEDIATE_WORKER_CLEANUP_DIRS

  • Remediate Worker will communicate with Server using a secret. The secret must be set as a `Bearer` field in API calls. This uses the new environment variable `REMEDIATE_SERVER_SECRET`, which must be defined with the same value in the Server and Worker.

  • Log statements in JSON output will show "renovate" for CLI output, "remediate-work" for standalone Worker output, and "remediate" for all others (combined Server+Worker instances, and Server-only instances).

Resolved Issues

  • Fixed a mismatch issue where the License checkrun didn't show a partial scan failure warning while the Vulnerability checkrun did.

  • Fixed an issue using privateKey values for Renovate/Remediate.

Version 24.10.1.1 (30-October-2024) (Hotfix)

Resolved Issues

  • Fixed a mismatch between the Vulnerability check run and the License check run: The License check run did not report a partial scan failure warning while the Vulnerability check run did.

  • Aligned the controller logs so that GET_REMEDIATE_FEED now uses repo name instead of repo id.

Version 24.10.1 (21-October-2024)

Unified Agent 24.10.1-191 | Renovate 38.115.1 | Remediate 24.10.1 | Pre-Scan Builder (PSB) 24.9.2

New Features and Updates

  • Upgraded the default Python version in the scanner to 3.8.12 and the default poetry version to 1.6.0.

  • Updated Remediate default node version from 18.20.4 to 20.17.0 (server and worker).

  • Remediate/Renovate configuration and architecture changes have been implemented.

Resolved Issues

  • Fixed an issue where the check run status was stuck in status "In progress" while retrying a failed scan.

  • Fixed an issue accessing public dependencies not available in private Gradle registries during the pre-scan build (PSB).

  • Fixed an issue where partial scan errors for Python/Gradle/Bower projects were not printed in the scanner log. Also fixed an issue where package managers not yet supported by the reporting tables were not being reported accordingly.

Version 24.9.1 (23-September-2024)

Unified Agent 24.9.1-180 | Renovate 37.440.7 | Remediate 24.8.2 | Pre-Scan Builder (PSB) 24.8.1

New Features and Updates

  • When a *.gemspec file is added or edited, a scan will be triggered automatically.

Resolved Issues

  • Fixed an issue where Mend projects were created in the default Mend organization instead of the specified Product/Application when using the customPropertyProductMapping feature, if the .whitesource file defined additional base branches beyond those in the global configuration.

  • Fixed an issue where uppercase letters in the excludes statement in the whitesource.config file were being read as lowercase.

Version 24.8.1.3 (02-September-2024)

Unified Agent 24.8.1-159 | Renovate 37.440.7 | Remediate 24.8.1 | Pre-Scan Builder (PSB) 24.8.1

Resolved Issues

  • Fixed an issue that was causing partial failure reports to exclude Unified Agent results while also failing to generate foldable sections. Also introduced a DETAILED_SCA_RESULTS_INFO environment variable in the scanner to disable this functionality by setting it to FALSE.

Version 24.8.1.2 (28-August-2024)

Unified Agent 24.8.1-159 | Renovate 37.440.7 | Remediate 24.8.1 | Pre-Scan Builder (PSB) 24.8.1

Resolved Issues

  • Fixed an issue that led to incorrect Gradle versions being used by the scanner to resolve dependencies in projects that use Java 17 or above.

  • Fixed an issue which led to NuGet hostRules being ignored by the integration.
