New Features and Updates
Mend's MCP server now exposes security findings from the SAST and SCA scanning engines, so developers can query vulnerability data directly from their AI-powered tools and workflows. Each finding carries remediation suggestions, so issues can be understood and fixed without leaving the tools developers already use, or handed to an agent to fix. Developers can ask questions such as "What are the top 5 security issues in this repo?" or "Explain this SQL injection finding", and their preferred agent answers by querying the MCP server.
Resolved Issues
Fixed an issue where the "Show only vulnerable libraries" toggle in the Tree View did not filter out non-vulnerable libraries, causing all libraries to be displayed regardless of their vulnerability status. Now, enabling the toggle correctly shows only libraries with associated findings.
(SCA) Fixed an issue where the APIv3 endpoint for exporting project SBOM reports asynchronously did not generate reports as expected.
(SCA) Fixed an issue where users with the Product Administrator role received a failed scan status when using the SBOM Import API. The fix ensures that scans now finish with the correct status for authorized users.
Resolved Issues
Fixed an issue where inconsistent license information was identified for popular Python packages. The license reporting logic has been updated to ensure the primary license is consistently and accurately reflected across all versions and distributions.
New Features and Updates
(Closed Beta) Mend SAST now supports Scala. Customers enrolled in the closed beta program can analyze Scala projects to further reduce security risk.
Resolved Issues
Improved accuracy of Dangerous Method detection in Swift.
Resolved Issues
Fixed an issue where the bson package version was detected as UNKNOWN, producing a false positive for CVE-2020-7610. The scanner now correctly identifies bson@1.1.4 and no longer reports this vulnerability when that version is present.
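The fix above hinges on an edge case worth showing: a version that cannot be determined must be reported as unknown, not matched against the affected range as if it were old. The following Python is an added example and not Mend's code; it reads the pinned bson version from a constructed package-lock.json and evaluates it against an affected range of "< 1.1.4", which is assumed here from the release note's statement that 1.1.4 is not affected.

```python
"""Match an npm lockfile's installed bson version against CVE-2020-7610
without treating an undetected version as a hit."""
import json
import re

# Constructed lockfile (lockfileVersion 3 layout), not taken from any real project.
SAMPLE_LOCK = """
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "dependencies": { "bson": "^1.1.4" } },
    "node_modules/bson": {
      "version": "1.1.4",
      "resolved": "https://registry.npmjs.org/bson/-/bson-1.1.4.tgz"
    }
  }
}
"""

# Affected range, assumed from the release note (1.1.4 is the fixed version):
# every bson release below 1.1.4. It is an input to the check, not derived by it.
AFFECTED_RANGES = {"bson": [("<", "1.1.4")]}

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text):
    """Return (major, minor, patch) or None when the string is not a version."""
    match = _SEMVER.match(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def installed_version(lock_text, package):
    """Read the pinned version of a top-level package; 'UNKNOWN' when absent."""
    doc = json.loads(lock_text)
    entry = doc.get("packages", {}).get(f"node_modules/{package}")
    if not entry or not isinstance(entry.get("version"), str):
        return "UNKNOWN"
    return entry["version"]


def in_range(version, ranges):
    """True when the parsed version satisfies every (operator, bound) clause."""
    ops = {
        "<": lambda a, b: a < b,
        "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b,
    }
    return all(ops[op](version, parse_version(bound)) for op, bound in ranges)


def evaluate(package, version_text):
    """Return 'vulnerable', 'not_vulnerable', or 'unknown' (unparseable version).

    Collapsing 'unknown' into 'vulnerable' is exactly the false positive the
    release note describes; keeping the third state is what prevents it.
    """
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    ranges = AFFECTED_RANGES.get(package)
    if not ranges:
        return "not_vulnerable"
    return "vulnerable" if in_range(version, ranges) else "not_vulnerable"


def check_lockfile(lock_text, package="bson"):
    """Pair the detected version string with its verdict for reporting."""
    version_text = installed_version(lock_text, package)
    return version_text, evaluate(package, version_text)


if __name__ == "__main__":
    print(check_lockfile(SAMPLE_LOCK))
```

An "unknown" verdict should land in a review queue rather than in the vulnerability count; the three-state result is what lets a scanner or policy gate tell the two apart.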
New Features and Updates
(Premium / Core) Introducing System Prompt Risk (open beta), a new detection and remediation capability from Mend AI for mitigating risks posed by system prompts used in conversational AI interfaces.
A new System Prompt Risk table inventories system prompts, supports quick export and sharing, and deep-links to a side panel showing each prompt's context.
System Prompt Risks are integrated into the existing AI Security Risk Factors across Projects and Applications. The classification appears as a Conversational Interface chip, is filterable, and is included automatically in dashboards and workflows.
Remediation takes the form of a hardened system prompt, available in the System Prompt side panel as clear, copy-ready guidance for AppSec engineers and developers.
The AI Security Dashboard has been enriched with system prompt risk data.
System prompt risk data is also available via API.
New Features and Updates
(Limited Availability) (SCA) Introducing an improved .NET resolver that reads the .deps.json file from the build output folder, increasing dependency detection accuracy. Because .deps.json is written by the build, the project must be built before the scan for this resolver to have anything to read.
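To show why .deps.json is a good source of truth, here is an added Python example (not Mend's resolver) that parses a constructed .deps.json in the layout the .NET SDK writes: the `targets` section lists every resolved library with its exact version and dependency edges, and the `libraries` section tells packages apart from project references. The sample app, package names and hashes are made up for the example.

```python
"""Extract the resolved dependency set of a .NET app from its .deps.json."""
import json

# Constructed sample (not a real project's file). The shape follows the .deps.json
# format: runtimeTarget -> targets[<tfm>][<name>/<version>] -> dependencies/runtime,
# plus a libraries map that records each entry's type and package hash.
SAMPLE_DEPS_JSON = """
{
  "runtimeTarget": { "name": ".NETCoreApp,Version=v8.0", "signature": "" },
  "targets": {
    ".NETCoreApp,Version=v8.0": {
      "DemoApp/1.0.0": {
        "dependencies": { "Newtonsoft.Json": "13.0.3", "Serilog": "3.1.1" },
        "runtime": { "DemoApp.dll": {} }
      },
      "Newtonsoft.Json/13.0.3": {
        "runtime": { "lib/net6.0/Newtonsoft.Json.dll": {} }
      },
      "Serilog/3.1.1": {
        "dependencies": { "System.Diagnostics.DiagnosticSource": "8.0.0" },
        "runtime": { "lib/net8.0/Serilog.dll": {} }
      },
      "System.Diagnostics.DiagnosticSource/8.0.0": {}
    }
  },
  "libraries": {
    "DemoApp/1.0.0": { "type": "project", "serviceable": false, "sha512": "" },
    "Newtonsoft.Json/13.0.3": { "type": "package", "serviceable": true,
      "sha512": "sha512-AAAA", "path": "newtonsoft.json/13.0.3" },
    "Serilog/3.1.1": { "type": "package", "serviceable": true,
      "sha512": "sha512-BBBB", "path": "serilog/3.1.1" },
    "System.Diagnostics.DiagnosticSource/8.0.0": { "type": "package", "serviceable": true,
      "sha512": "sha512-CCCC", "path": "system.diagnostics.diagnosticsource/8.0.0" }
  }
}
"""


def parse_deps_json(text):
    """Return (graph, packages) for the target named by runtimeTarget.

    graph:    name -> {"version", "dependencies": {dep_name: version}} for every
              entry in the target (projects and packages alike).
    packages: name -> {"version", "sha512"} for entries whose library type is
              "package"; project references are deliberately left out.
    """
    doc = json.loads(text)
    target = doc["targets"][doc["runtimeTarget"]["name"]]
    libraries = doc.get("libraries", {})
    graph, packages = {}, {}
    for key, entry in target.items():
        name, _, version = key.rpartition("/")
        graph[name] = {
            "version": version or "UNKNOWN",
            "dependencies": dict(entry.get("dependencies", {})),
        }
        library = libraries.get(key, {})
        if library.get("type") == "package":
            packages[name] = {"version": version, "sha512": library.get("sha512", "")}
    return graph, packages


def classify_dependencies(graph, packages):
    """Split packages into direct (referenced by a project) and transitive."""
    projects = [name for name in graph if name not in packages]
    direct = set()
    for project in projects:
        direct.update(graph[project]["dependencies"])
    direct &= set(packages)
    transitive = set(packages) - direct
    return sorted(direct), sorted(transitive)


def resolved_coordinates(packages):
    """Flatten to name@version strings, the form an SBOM or matcher consumes."""
    return sorted(f"{name}@{info['version']}" for name, info in packages.items())


if __name__ == "__main__":
    g, p = parse_deps_json(SAMPLE_DEPS_JSON)
    print(classify_dependencies(g, p))
    print(resolved_coordinates(p))
```

The versions here are the ones the build actually resolved, not the ranges declared in a .csproj, which is why a resolver reading this file sees transitive packages such as the DiagnosticSource entry above that never appear in project files. The per-package sha512 can additionally be compared against the hash of the .nupkg the build restored.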
Resolved Issues
(SCA) Fixed an issue where dependency scans intermittently failed during policy compliance checks with the message "asyncCheckPolicyCompliace failed". Scans now complete without unexpected interruptions.
(SCA) Fixed an issue where environment-variable-based configuration was not loaded correctly by the CLI, resulting in empty values. The CLI now reads MEND_-prefixed environment variables and applies them as expected.
Resolved Issues
Fixed an issue where the Unified Agent hung indefinitely when processing compressed offline request files on newer JDK versions such as Java 21. The cause was a threading deadlock during decompression. Decompression now uses a single-threaded method, which works across all supported JDK versions and is significantly faster.
New Features and Updates
Improved the onboarding and sidebar experience for GitLab users with large numbers of groups and subgroups. Groups now load incrementally, selection indicators are clearer, and the search bar and group counters have been removed for a smoother, more scalable experience.
Resolved Issues
(GitHub) Fixed an issue where non-admin members of GitHub organizations that enforce SAML SSO were denied access to their organization in the Developer Platform. This happened when the user's OAuth token had not been SAML-authorized, causing a permission error. Authentication now verifies organization membership using GitHub App credentials, so all legitimate members get consistent access regardless of their individual token's SAML status.
(AZDO) Fixed an issue where an organization secret could not be added in developer-eu.mend.io for Azure DevOps.
New Features and Updates
(SAST) Introducing two-way communication between developers and security reviewers on security findings. Developers can comment on findings directly from their repository, and reviewer comments made in the Mend Platform are immediately visible to developers, streamlining collaboration and speeding up resolution.
For GitHub.com (using the .whitesource file), security actions such as suppressing findings can now be triggered by posting a comment on the PR or issue instead of checking a checkbox. This makes it easier to add context when suppressing a finding and provides clearer feedback confirming that an action was performed.
Introduced a new issueType configuration option, findingsIncludingPullRequests, which creates a separate issue for every finding on base branches and on feature branches that have pull requests open against base branches.
With that option enabled, developers and security reviewers can communicate directly on security findings without leaving their tools. Developers add comments on findings from their GitHub repository; comments added by security reviewers in the Mend Platform are synced automatically to the repository, and comments added in the repository (via a special command) are synced back to the Mend Platform, so the conversation stays mirrored in both places. This removes the need for back-and-forth through external channels and makes it faster to clarify remediation steps and resolve issues.
When suppression requests are approved or rejected, the corresponding GitHub issue gets updated.
The feature will be rolled out gradually in the next two weeks.
Added logic to prevent AI scans from running on feature branches during repository integration scans. AI scans now run only on base branches, so feature branches are excluded from automated AI analysis.
Unified Agent 26.4.3.1 | Renovate 43.141.3 | Remediate 26.5.1 | Pre-Scan Builder (PSB) 25.8.1
New Features and Updates
(SAST) Introducing two-way communication between developers and security reviewers on security findings. Developers can comment on findings directly from their repository, and reviewer comments made in the Mend Platform are immediately visible to developers, streamlining collaboration and speeding up resolution.
For GitHub Enterprise (using the .whitesource file), security actions such as suppressing findings can now be triggered by posting a comment on the PR or issue instead of checking a checkbox. This makes it easier to add context when suppressing a finding and provides clearer feedback confirming that an action was performed.
Introduced a new issueType configuration option, findingsIncludingPullRequests, which creates a separate issue for every finding on base branches and on feature branches that have pull requests open against base branches.
With that option enabled, developers and security reviewers can communicate directly on security findings without leaving their tools. Developers add comments on findings from their GitHub Enterprise repository; comments added by security reviewers in the Mend Platform are synced automatically to the repository, and comments added in the repository (via a special command) are synced back to the Mend Platform, so the conversation stays mirrored in both places. This removes the need for back-and-forth through external channels and makes it faster to clarify remediation steps and resolve issues.
When suppression requests are approved or rejected, the corresponding GitHub issue gets updated.
The feature will be rolled out gradually in the next two weeks.
Added logic to prevent AI scans from running on feature branches during repository integration scans. AI scans now run only on base branches, so feature branches are excluded from automated AI analysis.
Resolved Issues
Fixed an issue where deleting a GitHub Enterprise organization did not remove the corresponding Mend product/application, resulting in orphaned entries. Now, Mend correctly deletes the product/application when the organization is deleted.
(SCA) Fixed an issue where projects specifying .NET 10 in the .csproj file did not resolve dependencies as expected. The system now detects SDK version mismatches, automatically installs the required .NET SDK, and retries dependency resolution to ensure all dependencies are properly detected.
(SCA) Fixed an issue where preserved user agent properties were not enforced during SCM scans, which allowed them to be overridden unintentionally. All relevant properties are now handled correctly, so enforcement is consistent.