Introduction
Mend.io (formerly WhiteSource) is an AI-native application and software supply chain security platform, centered on SBOM (Software Bill of Materials). It enables organizations to continuously track the composition, vulnerabilities, and licensing risks of applications and open-source components throughout the software development lifecycle (SDLC), establishing a governable, traceable, and auditable software supply chain security management framework.
The platform also supports AI security and AI BOM (AIBOM), helping enterprises inventory AI components and model sources. Through AI Red Team exercises, Mend.io validates LLM exposure risks such as prompt injection, data leakage, hallucinations, and misuse. It aligns with OWASP Top 10 for LLM Applications and assists organizations in complying with AI governance and risk management requirements, including the EU AI Act and NIST AI Risk Management Framework (AI RMF).
For remediation, Mend Renovate with automated fix capabilities provides immediate upgrade and patch recommendations for vulnerable open-source dependencies, automatically creating Pull Requests (PRs) to integrate fixes directly into development workflows, significantly reducing manual effort and remediation costs.
Additionally, the platform supports static application security testing (SAST), container security scanning, and IaC analysis, helping organizations identify risks early across code, dependencies, and deployment environments. Security governance and remediation are embedded into existing development workflows, maintaining both speed and security without impacting delivery efficiency.
Features / strengths
• SBOM-centered software supply chain security governance
By continuously inventorying third-party components and open-source packages through SBOM, organizations can transform hidden supply chain risks into visible, manageable, and auditable governance items. Supply chain risk management becomes an integral part of the development process, scalable according to organizational security maturity and compliance requirements.
• AI-native capabilities for tracking and validating AI and LLM supply chain risks
In addition to tracking AI components and model composition (AIBOM), Mend.io leverages AI Red Team exercises to validate exposure risks under realistic attack scenarios. Using the OWASP Top 10 for LLM Applications as a risk validation framework, organizations can ensure AI governance and testing are completed before deployment.
• Mend Renovate with automated fixes to actively remediate vulnerabilities
The platform continuously monitors open-source versions and vulnerabilities, automatically generating Pull Requests (PRs) to upgrade and patch dependencies directly within the development workflow. This approach reduces manual effort, prevents technical debt accumulation, and improves both code maintainability and overall software quality.
• Seamless integration of security governance into development workflows, accelerating delivery
Integrated with CI/CD pipelines, SCA-driven supply chain risk checks and remediation are embedded directly into existing development operations. Combined with SAST, container, and IaC analysis, organizations can continuously reduce risk without impacting development speed, achieving both efficient delivery and long-term security governance.
Specification in detail
For details, please see the product webpage description
https://www.gss.com.tw/mend-io