Search Results

Nx supply chain attack: malicious npm versions of Nx exfiltrated SSH keys and tokens to GitHub—abusing AI code assistants. Learn how to detect and fix.

As AI reshapes software development, security teams can be the catalyst for unlocking productivity without sacrificing safety.

Endor Labs improves C/C++ SCA by combining cryptographic hashing, code embeddings, and a curated index for accurate dependency and vulnerability detection.

Kudelski Security uncovered an RCE flaw in CodeRabbit exposing 1M+ repos. Here’s what happened, how it was fixed, and key lessons for secure AI apps.

Unvetted AI models and services are entering your codebase. Do you have a plan to find and govern them?

Five9 uses Endor Labs’ SCA to ensure they focus on just the risks that matter and can respond quickly to zero days.

Greg Pettengill, a Principal Product Security Engineer at Five9, is an early adopter of startup technology. In this article he shares his methodology for picking vendors that can deliver on promises.

Endor Labs now detects end-of-life (EOL) software in containers, helping AppSec teams eliminate risk early.

Learn about the most common and emerging security risks of AI-generated code, from injection flaws to hallucinated dependencies.

Developers are generating more code with AI coding assistants, but release velocity isn’t increasing. Here’s how to fix it.

Learn how to detect prompt injection vulnerabilities in GenAI applications and prevent attackers from exploiting LLM-powered workflows.

LLMs often recommend outdated or vulnerable open source packages—here’s why it happens, why it matters, and how AppSec and DevOps leaders can stay ahead.

How CWE-specific prompts cut LLM code vulnerabilities by more than half.

Secure AI-generated code at the source with a new integration for GitHub Copilot powered by the Endor Labs platform.

A CISO’s guide to analyzing and containing the security costs of AI-generated code

Endor Labs is now available on the Google Cloud Marketplace, enabling faster procurement and deployment of software supply chain security for GCP customers and partners.

Learn how to detect misconfigurations in Infrastructure as Code (IaC) files, preventing privilege escalation and unsafe defaults before they reach production.

Secure AI-generated code at the source with a new Cursor integration powered by the Endor Labs platform.

How a multi-step prompt technique can reduce vulnerabilities in AI-generated code

A step-by-step guide to testing Endor Labs SCA accuracy for C/C++ projects

CVE-2025-54313 tracks a supply chain attack on eslint-config-prettier, where four malicious versions of a popular npm library targeted Windows machines with a remote-code execution payload. Learn how it happened and how to stay safe.

The new FedRAMP RFC shifts the standard to require deep context into the reachability and exploitability of vulnerabilities. Here’s what you need to know.

A practical guide to embedding security requirements into AI coding workflows

Endor Outpost extends the full capabilities of the Endor Labs AppSec platform to Self-Hosted SCMs like Bitbucket Datacenter and GitLab Self-Managed.

Endor Labs and Oligo keep pipelines fast and secure with unified reachability, real-time threat blocking, and safe, automatic fixes.

Fixing Java deserialization vulnerabilities in Spring-Web is notoriously difficult, but Endor Labs offers an alternative with patches.

Hear how a CISO at an AI-first company is thinking about securing AI, and how AI should improve security programs.

People.ai uses Endor Labs for application security that provides an outstanding developer experience and makes it easier (and cheaper) to hit compliance targets.

Endor Labs Vulnerability Search helps you investigate CVEs with enriched metadata, call paths, and precise impact analysis—resolving conflicts across public feeds.

Learn what Application Security (AppSec) is, why it matters, and how to build a modern, scalable AppSec program across the SDLC.

This whitepaper details Endor Labs’ novel approach to indexing open source dependencies and detecting vulnerabilities in C and C++ codebases.

Within weeks of deployment, Endor Labs helped Mysten Labs transform its application security strategy.

How Mysten Labs builds secure and low-friction systems for blockchain by focusing on code ownership, usability, and AppSec strategy.

With fewer alerts and more accuracy, Zebra Technologies now spends more time building and less time chasing false positives.

A new method for identifying OSS dependencies and vulnerabilities in C/C++ with greater accuracy and precision than legacy tools.

The critical SQL injection vulnerability in LlamaIndex shows how LLMs can be a backdoor into your vector store

A breakdown of DBIR, M-Trends, and DevSecOps reports and what they reveal about the future of AppSec in the age of AI.

Opengrep's improvements to rule load times resulted in 3.15x faster average scan times than Semgrep

How the UK Software Security Code of Practice reshapes supply chain security—and how Endor Labs helps vendors meet its core requirements.

Information on the likelihood and impact of CVE-2025-47949

This whitepaper talks about how Endor Labs uses context-aware security policies, like finding, action, exception, and remediation policies, to reduce noise, improve remediation speed, and help developers focus on real risks.

Critical CVE-2025-4641 in WebDriverManager likely poses low real-world risk, but it should still be on radar. Here’s what you need to know, plus quick steps to check versions, upgrade, and secure CI pipelines.

Learn how Endor Labs cuts through security noise, stops unnecessary build breaks, and keeps developers focused on real risks—making security policy automation truly developer-friendly.

Upgrading dependencies in a Bazel monorepo? Learn 5 tips to avoid breakages, reduce risk, and keep your team (and builds) running smoothly.

Most security policies create more problems than they solve, overwhelming developers with noise and unnecessary build breaks. Here's what a better approach looks like.

A look at the easyjson controversy, open source provenance, and how Go's built-in protections help teams manage risk without overreacting.

Endor Labs raised a $93M Series B to accelerate its mission of securing the AI-driven software era. Learn why top investors preempted the round—and how Endor is redefining AppSec for modern development.

This solution brief shows how application security teams can fix risks from AI-generated code earlier in development and become the catalyst for secure, scalable adoption of AI coding tools like GitHub Copilot and Cursor in their organizations.

This whitepaper introduces how AI Security Code Review works, what it detects, how it integrates into your workflows, and why it represents the next generation of code scanning technology — built for the complexity and speed of AI-native software development.

Endor Labs MCP Server powers real security fixes for vibe coding and AI-generated code—reduce noise and help AI tools fix risks for you.

Endor Labs helps application security teams identify the few code changes that impact their security architecture across thousands of pull requests.

The era of vibe coding is here. Learn how Endor Labs is helping AppSec teams secure and fix AI-generated code with a new agentic AI platform.

Endor Labs advisory: Critical CVE-2025-30065 in Apache Parquet lets attackers run code via schema parsing. Patch now by upgrading to version 1.15.1.

Learn how Endor Labs improves AppSec accuracy with better SCA and SAST, so you can decide if ASPM is the right fit for your organization.

OWASP OSS Risk 2: Explore the compromise of legitimate open-source packages, with an in-depth case study of the tj-actions/changed-files GitHub Action supply chain attack.

Analysis of the tj-actions/changed-files GitHub Actions compromise, assessing the impact and damage from the attack.

Cyber Essentials helps UK businesses guard against internet-based attacks and prove their security measures are truly effective.

GitHub Action tj-actions/changed-files was compromised, exposing CI/CD secrets. Learn how this attack impacts repositories and what steps to take now.

Learn when application security posture management (ASPM) solutions work, their limitations, and alternatives for cutting through security alert noise.

Endor Patches are backported open-source security fixes. Learn how we build and test Endor Patches for compatibility and security.

Each stage of the application security maturity staircase evolves your program—and Endor Labs is your escalator to the top.

Improve your mean time to remediation (MTTR) with smarter automatic pull requests that use upgrade impact analysis to reduce alert fatigue for developers.

Learn how to evaluate security risk factors for DeepSeek R1, and about important considerations for working with open source AI models.

Use Endor Labs to discover, evaluate, and enforce policies governing the usage of open source AI models from Hugging Face in your applications.

CVE-2024-53677 and CVE-2023-50164 are vulnerabilities in Apache Struts that could pave the way for remote code execution, or RCE. Learn how to figure out if you’re affected, and if so what to do about it

Opengrep is a fork of Semgrep's open source static code analysis engine. Learn about the benefits and how you can contribute.

Vulnerability metrics can help you uncover remediation and SLA trends, and demonstrate the value of AppSec investments to your leadership.

False positives can make FedRAMP ConMon costly. Learn why it’s hard to accurately identify false positives and some tactics for making this process less challenging.

Learn how Endor Labs targets the critical dependencies that are responsible for most of the open source vulnerabilities in the software supply chain.

JavaScript reachability is tricky for SCA tools because of how JavaScript approaches dependency resolution, dependency imports, and functions.

When upgrading is too risky, complex, or time consuming due to regressions, breaking changes, or new bugs, you can use Endor Patches to stay safe now while still meeting your SLA requirements.

Grip Security replaced their traditional SCA tool with Endor Labs to improve their ability to build trust with customers without taxing developers.

Grip Security values strong application security because it helps them build trust with their customers. Learn how a security company approaches AppSec.

Learn where common industry sayings such as “stay up to date” come from and how you can help Endor Labs help you overcome those challenges.

Endor Labs reduces false positives and prioritizes real vulnerabilities, helping your team meet FedRAMP requirements with less stress and lower costs.

Learn why OVAL feeds, curated by Linux distributions, offer more precise vulnerability data than the NVD, reducing container scanning false positives and wasted efforts.

Breaking Changes, Breaking Trust

Vulnerability Management for FedRAMP compliance is expensive; your SCA tool should help you make it cheaper and easier.

Integrate Microsoft Defender for Cloud with Endor Labs for reachability analysis and attack path visibility — available natively within the Defender for Cloud console. Prioritize what to fix without switching tools.

Understand how models are factored and scored at Endor Labs, new exploration tab for HuggingFace models

Endor Labs now integrates Static Application Security Testing (SAST) into your application security testing stack.

The Cyber Resilience Act (CRA) sets mandatory security requirements for hardware and software. This blog covers key compliance objectives, challenges with OSS vulnerabilities, and best practices for maintaining security throughout the product life cycle.

You can now use Endor Labs to evaluate AI models on HuggingFace for security, popularity, quality, and activity.

The U.S. Federal government's FY 2026 Cybersecurity Priorities focus on securing open source software, improving governance, and supporting OSS sustainability to strengthen the software supply chain.

Understand what LLMs are, how foundational LLMs are built, the opportunities they offer and the risks they pose.

Container layer analysis tells you which layer contains a vulnerability so you can prioritize remediation efforts more effectively and meet SLAs like FedRAMP.

Endor Labs reduces open-source vulnerability noise by 92%, boosting productivity and improving collaboration between development and security teams.

We're thrilled to have Karl Mattson as Endor Labs first Chief Information Security Officer (CISO)!

Get key insights from the 2024 Dependency Management webinar with Darren Meyer and Henrik Plate. We discuss how to prioritize vulnerabilities, navigate breaking changes, and leverage public vulnerability databases effectively.

Relativity changed their security program from a blocker to an enabler by integrating security into developer workflows and empowering developers to prevent risks before they ship to production.

Relativity changed their security program from a blocker to an enabler by integrating security into developer workflows and empowering developers to prevent risks before they ship to production.

Discover the top open-source tools for Python applications, ranked by Endor Scores based on security, activity, popularity, and code quality.

This blog covers key steps to simplify FedRAMP vulnerability management, helping you reduce risks and meet compliance timelines. It also provides practical tips to empower developers and streamline fixes for a smoother FedRAMP process.

Automatically patch open source libraries with Endor Patches during the build process, ensuring software is continuously protected against vulnerabilities without manual intervention.

Our third-annual Dependency Management Report explores how emerging trends in open source security should guide SDLC security strategy in 2024.

Starburst, an open data lakehouse, replaced Rezillion with Endor Labs for SCA. They improved their ability to identify and prioritize open source while complementing the developer experience.

Wondering how to build or revamp a DevSecOps program? Get some immediately useful tips that you can apply to your startup or mature enterprise…or anywhere in between.

Learn what CI/CD security is, why it’s important, and discover the key tools Endor Labs offers to help you secure your CI/CD pipelines.