ReARM 26.05.90: Pull Requests as a First-Class Entity, VEX Export and Import, and Faster Component Search

2026-05-13

We're excited to announce a major release of ReARM v26.05.90. Detailed information is available on its release view on the ReARM Demo instance. This is one of our largest releases to date, introducing Pull Requests as a first-class entity across the platform, a new VEX import flow with a staging area, webhook support, and a significant rework of how SBOM components are stored that makes supply chain forensics dramatically faster.

Note that all ReARM Pro installations have already been upgraded to this version. If you are using ReARM CE, action is required on your side to upgrade.

Pull Requests as a First-Class Entity

ReARM now treats Pull Requests as primary entities — not just branch metadata. Each PR is uniquely identified by its target VCS repository and SCM-side identity, and stores commits, state, title, and validation outcomes. This design gives organizations a stable PR identity that does not change across CI reruns, cross-component attribution for monorepos that supports multiple releases from several components within the same PR scope, and historical independence from upstream branch lifecycle changes.

Further, for monorepo projects, ReARM aggregates per-component-latest releases into a single PR-level verdict (SUCCESS, FAILURE, PENDING, or NEUTRAL) that reflects the state of every component built from that PR.

PR creation, attribution, and aggregation work in both ReARM CE and ReARM Pro. Posting verdicts, comments, and check-runs back to GitHub — including per-release vulnerability and violation breakdowns, metrics summaries, and external validation outcomes — is a ReARM Pro-only capability. ReARM Pro also adds free-form approval comments, policy snapshots attached to PR comments, and a Global PR Validation tab.

Full details are available in the Pull Requests documentation.

Additionally, ReARM Pro now includes full webhook management for GitHub Pull Requests. Organizations can configure webhooks through a new management UI to receive notifications about PR statuses.

VEX Export and Import with Staging Area

ReARM now supports full round-trip VEX (Vulnerability Exploitability eXchange) handling — both export and import — in CycloneDX and OpenVEX 0.2.0 formats. Inbound VEX is optionally processed through a staging area for proposed analysis state changes, so teams can review and approve changes before they are applied to a release's posture. A new Finding Analysis page introduces severity gates and CISA VEX compliance checks, and the previous FIXED analysis state has been renamed to RESOLVED to align with industry terminology.

ReARM also allows recording mitigations applied based on recommendations found in inbound VEX files.

On the export side, ReARM now generates CycloneDX VEX with metadata markers and OpenVEX 0.2.0 documents directly from per-release finding analyses. Exports are Component Lifecycle Event (CLE)-aware, and per-organization canonical vulnerability records ensure consistent identifiers across imports and exports — completing the round-trip workflow for organizations managing VEX as part of their compliance posture.
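As an added illustration (not ReARM's own code), the following sketches what the staging area does with an inbound OpenVEX 0.2.0 document: each statement is mapped to a proposed analysis state, checked against an assumed subset of the CISA minimum VEX requirements, and queued for a reviewer rather than applied. The status-to-state mapping, the IN_TRIAGE default, the field names beyond the OpenVEX specification, and the sample document are assumptions.

```python
import json

# Assumed mapping from OpenVEX 0.2.0 statuses to analysis states; ReARM's own
# mapping is not given in the release notes. "fixed" lands on RESOLVED, the
# state the release notes say replaced the former FIXED state.
OPENVEX_TO_ANALYSIS = {"not_affected": "NOT_AFFECTED", "affected": "EXPLOITABLE",
                       "fixed": "RESOLVED", "under_investigation": "IN_TRIAGE"}

# Constructed inbound OpenVEX 0.2.0 document (sample data, not from a real vendor).
SAMPLE_VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://vex.example.test/constructed-1",
    "author": "Example Security Team", "timestamp": "2026-05-13T10:00:00Z", "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-00001"}, "products": [{"@id": "pkg:npm/example-lib@1.2.3"}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-00002"}, "products": [{"@id": "pkg:npm/example-lib@1.2.3"}],
         "status": "fixed"},
        {"vulnerability": {"name": "CVE-0000-00003"}, "products": [{"@id": "pkg:npm/example-lib@1.2.3"}],
         "status": "affected"},  # no action_statement: should be flagged, not auto-applied
    ],
})

def check_statement(stmt):
    """Problems against an assumed subset of the CISA minimum VEX requirements."""
    problems = []
    if not stmt.get("vulnerability", {}).get("name"):
        problems.append("missing vulnerability id")
    if not stmt.get("products"):
        problems.append("missing product")
    status = stmt.get("status")
    if status not in OPENVEX_TO_ANALYSIS:
        problems.append(f"unknown status {status!r}")
    if status == "not_affected" and not (stmt.get("justification") or stmt.get("impact_statement")):
        problems.append("not_affected requires justification or impact_statement")
    if status == "affected" and not stmt.get("action_statement"):
        problems.append("affected requires action_statement")
    return problems

def stage_vex(doc_json, current_posture):
    """Turn inbound statements into staged proposals for review; nothing is applied here."""
    doc = json.loads(doc_json)
    staged = []
    for stmt in doc["statements"]:
        vuln = stmt["vulnerability"]["name"]
        for product in stmt["products"]:
            purl = product["@id"]
            current = current_posture.get((purl, vuln), "IN_TRIAGE")  # assumed default state
            proposed = OPENVEX_TO_ANALYSIS.get(stmt.get("status"))
            staged.append({"purl": purl, "vuln": vuln, "current": current, "proposed": proposed,
                           "changed": proposed != current, "problems": check_statement(stmt)})
    return staged
```

A reviewer would approve only entries with an empty problems list; entries whose proposed state equals the current one need no action.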

Freeform API Keys are now GA

Freeform API keys have graduated from preview to general availability. They are now accepted across programmatic endpoints with configurable RBAC rules similar to user and user group RBAC rules. These keys can also now be annotated for easier management.

Scan Pending Badge

Previously, releases that had not yet completed their first scan would display the regular vulnerability circles with all zero counts — which was confusing and gave the false impression of a clean scan. ReARM now correctly displays a scan pending badge in this state, making it clear that results are not yet available. Once the first scan completes, the badge is replaced with the actual posture circles.

Additionally, ReARM shows current activity per artifact, such as when enrichment is in progress or scanning is being performed.

SBOM Components Now Native to ReARM — Much Faster Forensics

ReARM now stores SBOM components natively rather than relying on round-trips to Dependency-Track for component lookups. This includes per-release component aggregation, ancestors and path-to-root tracking, a single-release graph endpoint, a new tree view, and product-release support with stable component UUIDs.

The practical impact is dramatic: supply chain forensics — answering questions like "which of our releases contain library X?" or "which releases shipped with this vulnerable dependency?" — is now significantly faster, especially across large component portfolios.
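To illustrate the ancestor and path-to-root idea behind that forensics query (added example, not ReARM's implementation), the code below indexes the dependencies graph of a CycloneDX SBOM per release once, then answers "which releases contain library X, and through which path?" without touching an external scanner. The two SBOMs, the release names and the purl-prefix matching are constructed assumptions.

```python
import json

# Constructed CycloneDX 1.6-style SBOMs for two releases (dependencies graph only).
RELEASE_SBOMS = {
    "app@1.0.0": json.dumps({
        "metadata": {"component": {"bom-ref": "pkg:generic/app@1.0.0"}},
        "dependencies": [
            {"ref": "pkg:generic/app@1.0.0", "dependsOn": ["pkg:npm/web@2.0.0"]},
            {"ref": "pkg:npm/web@2.0.0", "dependsOn": ["pkg:npm/parser@0.9.1"]},
            {"ref": "pkg:npm/parser@0.9.1", "dependsOn": []},
        ],
    }),
    "app@1.1.0": json.dumps({
        "metadata": {"component": {"bom-ref": "pkg:generic/app@1.1.0"}},
        "dependencies": [
            {"ref": "pkg:generic/app@1.1.0", "dependsOn": ["pkg:npm/web@2.1.0"]},
            {"ref": "pkg:npm/web@2.1.0", "dependsOn": ["pkg:npm/parser@1.0.0"]},
            {"ref": "pkg:npm/parser@1.0.0", "dependsOn": []},
        ],
    }),
}

def build_index(release_sboms):
    """Index each release once: child bom-ref -> parent refs (ancestors), plus the root ref."""
    index = {}
    for release, bom_json in release_sboms.items():
        bom = json.loads(bom_json)
        parents = {}
        for dep in bom.get("dependencies", []):
            for child in dep.get("dependsOn", []):
                parents.setdefault(child, []).append(dep["ref"])
        index[release] = {"root": bom["metadata"]["component"]["bom-ref"], "parents": parents}
    return index

def path_to_root(entry, ref):
    """Walk ancestor links from ref up to the release root (first parent at each step).
    Returns [] if ref is not reachable from the root; the seen set guards against cycles."""
    path, seen = [ref], {ref}
    while path[-1] != entry["root"]:
        ups = [p for p in entry["parents"].get(path[-1], []) if p not in seen]
        if not ups:
            return []
        seen.add(ups[0])
        path.append(ups[0])
    return path

def releases_containing(index, purl_prefix):
    """Forensics query: release -> list of root paths for components whose purl starts with prefix."""
    hits = {}
    for release, entry in index.items():
        for ref in entry["parents"]:
            if ref.startswith(purl_prefix):
                hits.setdefault(release, []).append(path_to_root(entry, ref))
    return hits
```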

CycloneDX 1.7 Support

ReARM now accepts incoming CycloneDX 1.7 BOMs. They are currently stored canonically as CycloneDX 1.6 for downstream compatibility while preserving the upstream format on ingest.

Additional Improvements

This release also includes:

Dependency Updates

This release contains a number of dependency updates, including those fixing underlying CVEs in dependencies. ReARM users are encouraged to upgrade to this release to benefit from these fixes.

Release Identification

We are continuing to publish TEIs for all ReARM releases. TEI for this release: urn:tei:purl:demo.rearmhq.com:pkg:github/relizaio/rearm@26.05.90.
