Blog

OWASP OSS Risk 2: Explore the compromise of legitimate open-source packages, with an in-depth case study of the tj-actions/changed-files GitHub Action supply chain attack.

Analysis of the tj-actions/changed-files GitHub Actions compromise, assessing the impact and damage from the attack.

Cyber Essentials helps UK businesses guard against internet-based attacks and prove their security measures are truly effective.

GitHub Action tj-actions/changed-files was compromised, exposing CI/CD secrets. Learn how this attack impacts repositories and what steps to take now.

Learn when application security posture management (ASPM) solutions work, their limitations, and alternatives for cutting through security alert noise.

Endor Patches are backported open-source security fixes. Learn how we build and test Endor Patches for compatibility and security.

Each stage of the application security maturity staircase evolves your program—and Endor Labs is your escalator to the top.

Improve your mean time to remediation (MTTR) with smarter automatic pull requests that use upgrade impact analysis to reduce alert fatigue for developers.

Learn how to evaluate security risk factors for DeepSeek R1, and about important considerations for working with open source AI models.

Use Endor Labs to discover, evaluate, and enforce policies governing the usage of open source AI models from Hugging Face in your applications.

CVE-2024-53677 and CVE-2023-50164 are vulnerabilities in Apache Struts that could pave the way for remote code execution, or RCE. Learn how to figure out if you’re affected, and if so what to do about it

Opengrep is a fork of Semgrep's open source static code analysis engine. Learn about the benefits and how you can contribute.

Vulnerability metrics can help you uncover remediation and SLA trends, and demonstrate the value of AppSec investments to your leadership.

False positives can make FedRAMP ConMon costly. Learn why it’s hard to accurately identify false positives and some tactics for making this process less challenging.

Learn how Endor Labs targets the critical dependencies that are responsible for most of the open source vulnerabilities in the software supply chain.

JavaScript reachability is tricky for SCA tools because of how JavaScript approaches dependency resolution, dependency imports, and functions.

Grip Security values strong application security because it helps them build trust with their customers. Learn how a security company approaches AppSec.

Learn where common industry sayings such as “stay up to date” come from and how you can help Endor Labs help you overcome those challenges.

Learn why OVAL feeds, curated by Linux distributions, offer more precise vulnerability data than the NVD, reducing container scanning false positives and wasted efforts.

Breaking Changes, Breaking Trust

Vulnerability Management for FedRAMP compliance is expensive; your SCA tool should help you make it cheaper and easier.

Integrate Microsoft Defender for Cloud with Endor Labs for reachability analysis and attack path visibility — available natively within the Defender for Cloud console. Prioritize what to fix without switching tools.

Understand how models are factored and scored at Endor Labs, new exploration tab for HuggingFace models

Endor Labs now integrates Static Application Security Testing (SAST) into your application security testing stack.