FossID Workbench 26.1 is now available, and this release marks a significant step forward in making continuous compliance practical for every team. As organizations scale their software development and integrate more complex supply chains, they need an SCA workflow that supports them beyond the initial scan, one that makes it easier to understand existing risks and manage new ones as they emerge. Workbench 26.1 delivers exactly that. This release introduces a modernized Scan UI built on React, a new structured three-stage workflow, and enhancements to onboarding, user management, and SBOM reporting, all designed to reduce friction and accelerate time to compliance.
A Modernized Scan UI Built for Continuous Workflows
Workbench 26.1 migrates the Scan Interface to a modern React foundation. Beyond the technical modernization, this transition was an opportunity to rethink and improve existing workflows, making the path from scan to compliance outcome cleaner and more intuitive for daily users.
A Structured Three-Stage Workflow: Audit → Review → Report
26.1 introduces a new three-stage workflow that brings clarity and structure to how teams progress from scan to compliance deliverable.
- Audit: Review identifications and dependencies to build a complete Software Bill of Materials (SBOM)
- Review: Assess and triage security vulnerabilities and license risks in one unified view
- Report: Generate SBOMs and other compliance deliverables with validated, triaged results
Within this new workflow, the existing auditing UX has a new home in the Audit stage.
Audit Stage: Enhanced Dependency Visibility
The existing audit experience carries forward into the new Audit stage with meaningful improvements to the Dependencies Tab. New columns and filters for scope and transitive dependencies make it faster to sort and prioritize your component list. Note that scans must be re-run to surface this additional data.
A new bulk action for “Include in Report” further accelerates dependency review. Combined with filters, teams can now mark multiple dependencies in a single action, eliminating the need to process them one by one.
Review Stage: CVE Triage and VEX Authoring in the Scan UI
Previously, users had to leave the Scan UI to triage CVEs, a workflow interruption that added friction for security and compliance teams. The new Review stage resolves this by bringing CVE triage and VEX authoring directly into the Scan UI. Teams can now assess vulnerabilities and produce VEX documents without switching context.
The License Risk tab introduces License Conclusions, giving users direct control over the Concluded License field for components in SBOMs. This enables more accurate and intentional license attribution, supporting downstream compliance and audit requirements.
Reducing Onboarding and Administrative Overhead
Alongside improvements to the daily user experience, Workbench 26.1 reduces the operational burden on administrators responsible for installation, upgrades, and team management.
Simpler Installation and Upgrades
For teams running Workbench on bare metal, the most common deployment model, a new Ansible playbook simplifies both fresh installations and upgrades. Administrators can now deploy and maintain Workbench with significantly less manual effort, while retaining full control when needed.
Support for User Groups and SCIM Sync
Administrators can now organize users into User Groups directly within the Users tab. User Groups streamline team and project onboarding by enabling bulk role and project assignment, eliminating repetitive per-user configuration. For organizations using an Identity Provider (IdP), User Groups can be fully managed and synchronized via SCIM, keeping access controls aligned with your IdP without manual intervention.
SBOM and Reporting Enhancements
Workbench 26.1 also delivers targeted improvements to SBOM import and export capabilities, expanding interoperability and strengthening the accuracy of compliance outputs:
- The License DB is up to date with the SPDX License List 3.28.
- Excel reports now display whether dependencies are direct or transitive.
- All reports now support the Concluded License set in the Review tab.
- CycloneDX 1.7 JSON is now supported for import.
Looking Ahead: What’s Coming in 26.2
These are the highlights of Workbench 26.1. For a complete breakdown of everything included in this release, see the Release Notes.
Workbench 26.2 continues to build on the foundation established in this release. The focus will be on refining the Audit and Review stages to help teams reach the Report stage faster, with a particular emphasis on improving CVE triage workflows and VEX authoring in preparation for the upcoming requirements of the Cyber Resilience Act (CRA).
To learn more about Workbench 26.1 or discuss how these capabilities support your compliance program, open a support ticket, contact your account manager, or visit www.fossid.com/contact. We’re here to help.