New Features and Updates
Contextual Project Classification is now available on request in Mend Forge. When enabled, AI automatically analyzes your codebase, identifies applications that handle sensitive data such as payments, healthcare records, and PII, and assigns corresponding labels to the project.
The MCP server used in the agentic integrations now supports an optional X-OrgId header in its configuration. Users who belong to multiple organizations can use this to specify which organization the MCP tools should operate against.
Added a Select all results option when creating a Legal automation workflow with the Licenses event condition, allowing users to quickly select all visible licenses (up to 50 per page).
Updated the security dashboard header with new filter buttons for scan engine, labels, and timeframe, providing a streamlined and consistent user experience that matches the value dashboard. Outdated text was removed and filter accessibility was improved.
Resolved Issues
(SCA) Fixed an issue where the package URL for NuGet packages in the due diligence report was incorrectly generated with an unnecessary api. prefix. The URL construction logic has been updated to ensure accurate links.
New Features and Updates
Added support for the uv package manager via both Mend CLI and repository integrations, enabling security scanning and Reachability analysis for Python projects managed with uv.
(SCA) Added support for disabling specific package manager resolvers in the Mend CLI using the MEND_SCA_{PACKAGE_MANAGER}_RESOLVEDEPENDENCIES environment variable, allowing more granular control over dependency resolution.
Improved the detection accuracy of Go libraries.
Added a risk score of 65 to the LGPL 2.1 or later license.
The Mend AppSec Platform now provides a dedicated Zero-Day Data page, available via the Profile menu. This page is designed as a live, authoritative source of Zero-Day information. It is independent of your inventory: you can see Mend.io's Zero-Day data even before or beyond your specific scans.
Resolved Issues
Fixed an issue where the package URL for NuGet packages in the due diligence report was incorrectly generated with an unnecessary api. prefix. The URL construction logic has been updated to ensure accurate links.
New Features and Updates
Organization admin users can now see all suppression requests across the organization in a single view, with filtering by application, project, status, and reason. Results can be exported to CSV for compliance and audit purposes. The view is accessible via Findings > Suppression Requests.
This feature will be gradually rolled out to all environments until April 6th, 2026.
Reduced memory consumption and improved performance of Go analysis.
Optimized a potentially time-consuming post-processing step for log records.
Resolved Issues
Fixed an issue where suppressing findings via the API did not update the findings count in the Code Findings JSON report, causing the count to remain non-zero even though findings were suppressed. Now, the count correctly reflects zero after suppression through the API, ensuring consistency with the UI behavior.
Fixed an issue where certain DOM-based cross-site scripting (CWE-79) vulnerabilities were not being identified by the JavaScript analysis engine.
Fixed an issue where NoSQL Injection vulnerabilities in JavaScript applications using MongoDBClient were not properly detected.
Injecting objects into Angular components is now handled correctly during JavaScript/TypeScript analysis.
New Features and Updates
Introduced a new risk factor based on Docker VEX data, highlighting when vulnerabilities are not applicable to Docker packages, with improved visibility and filtering in the Containers view.
Added support for Docker Hardened Images (DHI), including a clear badge and filtering options for DHI packages.
Added a Suppression Comment column to the CSV export of suppressed container findings.
Resolved Issues
Fixed an issue where the java-17-amazon-corretto-headless package was falsely flagged with multiple CVEs, caused by identical software versions being incorrectly flagged as different.
Fixed an issue where the total findings count in the summary page did not match the findings listed under Containers > Findings, ensuring consistent and accurate reporting across both views.
Fixed an issue where the "Total Findings by Severity" widget in the Security Dashboard displayed inconsistent numbers compared to the detailed application view after findings were suppressed. The dashboard now accurately reflects the correct number of findings for each severity level.
Improved CVE detection for RPM packages.
Fixed an issue where CycloneDX SBOMs generated from container image scans did not include license information for certain NuGet components. Now, all detected NuGet dependencies will have their license data properly reflected in the SBOM when available.
New Features and Updates
(Premium / Core) Introducing System Prompt Risk (open beta), a new detection and remediation offering by Mend AI, for mitigating risks posed by system prompts used in conversational AI interfaces.
A new System Prompt Risk table inventories system prompts and provides quick export/sharing and deep-link side panel for prompt context.
System Prompt Risks are integrated into the existing AI Security Risk Factors across Projects and Applications. The classification appears as a Conversational Interface chip, is filterable, and automatically participates in dashboards and workflows.
Remediation in the form of a hardened system prompt is available in the System Prompt side panel, providing clear, copy-ready remediation guidance for AppSec engineers and developers.
The AI Security Dashboard has been enriched with system prompt risk data.
System prompt risk data is also available via API.
New Features and Updates
(SCA) Added support for the uv package manager, enabling security scanning and Reachability analysis for Python projects managed with uv.
(SCA) Added support for disabling specific package manager resolvers using the MEND_SCA_{PACKAGE_MANAGER}_RESOLVEDEPENDENCIES environment variable, allowing more granular control over dependency resolution.
(SAST) Updated some of the CLI's code dependencies for improved security.
Resolved Issues
Fixed an issue where scanning OCI-format Docker images with layers larger than 2 GB caused manifest parsing to fail, resulting in scans returning zero dependencies and potentially overriding existing project inventory. The layer size field is now correctly handled for large images.
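The following is an added illustration, not Mend's code, of one way a manifest parse can fail for layers above 2 GB: when the OCI descriptor's `size` field is read into a 32-bit integer, `encoding/json` refuses the out-of-range value and the whole manifest parse errors out, leaving zero layers (and therefore zero dependencies). The int32 mechanism, the struct names and the sample manifest with placeholder digests are assumptions constructed for this example; the fix shown is simply to use int64, which is the type the OCI image spec defines for `size`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// narrowDescriptor stores size in an int32, which cannot hold values above
// 2,147,483,647 bytes. wideDescriptor uses int64 as the OCI image spec does.
// Both are hypothetical types written for this example, not Mend's code.
type narrowDescriptor struct {
	MediaType string `json:"mediaType"`
	Size      int32  `json:"size"`
	Digest    string `json:"digest"`
}

type wideDescriptor struct {
	MediaType string `json:"mediaType"`
	Size      int64  `json:"size"`
	Digest    string `json:"digest"`
}

type narrowManifest struct {
	Layers []narrowDescriptor `json:"layers"`
}

type wideManifest struct {
	Layers []wideDescriptor `json:"layers"`
}

// sampleManifest is a constructed OCI manifest: one small layer and one 2.5 GB layer.
// The digests are placeholders, not real image hashes.
const sampleManifest = `{
  "schemaVersion": 2,
  "layers": [
    {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "size": 1024,
     "digest": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
    {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "size": 2500000000,
     "digest": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}
  ]
}`

// LayerCountNarrow parses with the int32 size field. encoding/json will not
// store 2500000000 in an int32 and returns an UnmarshalTypeError, so the caller
// sees an error and no layers, which is how a scan ends up reporting zero dependencies.
func LayerCountNarrow(doc string) (int, error) {
	var m narrowManifest
	if err := json.Unmarshal([]byte(doc), &m); err != nil {
		return 0, err
	}
	return len(m.Layers), nil
}

// LayerCountWide parses with an int64 size field and also returns the total layer bytes,
// so large images are counted rather than dropped.
func LayerCountWide(doc string) (int, int64, error) {
	var m wideManifest
	if err := json.Unmarshal([]byte(doc), &m); err != nil {
		return 0, 0, err
	}
	var total int64
	for _, l := range m.Layers {
		total += l.Size
	}
	return len(m.Layers), total, nil
}

func main() {
	if _, err := LayerCountNarrow(sampleManifest); err != nil {
		fmt.Println("int32 size field:", err)
	}
	n, total, err := LayerCountWide(sampleManifest)
	fmt.Println("int64 size field:", n, "layers,", total, "bytes, err =", err)
}
```

A defensive check worth keeping in any scanner that ingests manifests: treat a parse error as a failed scan rather than as an empty inventory, so a malformed or oversized manifest cannot silently replace an existing project's dependency list with nothing.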
Fixed an issue where Go module package names were incorrectly treated as case-insensitive when calculating the Additional SHA1. Package names differing only by letter casing are now recognized as distinct, aligning with Go language standards.
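As an added example (not Mend's code, and not its Additional SHA1 formula), the block below shows why case-folding a Go module path before deriving an identifier is a problem: two distinct modules whose import paths differ only in letter case collapse into one inventory entry, so one of them silently disappears from the scan. The `Module` type, the "path@version" SHA-1 key scheme and the sample module list are assumptions constructed for illustration.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// Module is a constructed Go dependency record, not Mend's data model.
type Module struct {
	Path    string
	Version string
}

// moduleKey derives an identifier from path and version. With fold=true the
// path is lowercased first, reproducing the old case-insensitive behaviour.
// The "path@version" input and SHA-1 are a hypothetical scheme for this example.
func moduleKey(m Module, fold bool) string {
	p := m.Path
	if fold {
		p = strings.ToLower(p)
	}
	sum := sha1.Sum([]byte(p + "@" + m.Version))
	return hex.EncodeToString(sum[:])
}

// Inventory deduplicates modules by key and returns the surviving entries.
// Under case-folding, modules that differ only in case share a key and one is lost.
func Inventory(mods []Module, fold bool) map[string]Module {
	out := make(map[string]Module, len(mods))
	for _, m := range mods {
		k := moduleKey(m, fold)
		if _, seen := out[k]; !seen {
			out[k] = m
		}
	}
	return out
}

// sampleModules is a constructed list: two distinct modules whose import paths
// differ only in case (Go treats them as different modules), plus an unrelated one.
var sampleModules = []Module{
	{Path: "example.com/Acme/lib", Version: "v1.2.0"},
	{Path: "example.com/acme/lib", Version: "v1.2.0"},
	{Path: "example.com/other/tool", Version: "v0.3.1"},
}

func main() {
	fmt.Println("case-insensitive inventory size:", len(Inventory(sampleModules, true)))  // 2: one module dropped
	fmt.Println("case-sensitive inventory size:  ", len(Inventory(sampleModules, false))) // 3: all retained
}
```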
New Features and Updates
(SCA) Added support for the uv package manager, enabling security scanning and Reachability analysis for Python projects managed with uv.
Unified Agent 26.2.2 | Renovate 43.59.4 | Remediate 26.3.1 | Pre-Scan Builder (PSB) 25.8.1
New Features and Updates
(SCA) Added support for the uv package manager, enabling security scanning and Reachability analysis for Python projects managed with uv. Refer to this table for more details.
Note: The SCA orchestrator scanner environment variable must be enabled for uv detection to work (MEND_SCA_ORCHESTRATOR_ENABLED=true).
Manual scan triggering based on role-based authentication is now supported.
The previous method of storing a secret using MEND_CONTROLLER_API_SECRET is still supported.
Resolved Issues
(SCA) Fixed an issue where scans of .NET projects would fail with error MSB4057 if a
(SCA) Fixed an issue where Gradle dependencies failed to resolve for React Native Android projects, ensuring accurate detection and resolution of dependencies by properly handling project structure and Gradle wrapper logic.
(SCA) Fixed an issue where post-scan cleanup and statistics were not executed if the scan process ended with an error, ensuring proper handling and reporting even when scans fail.