Overview
Release 1.11.0 extends VersionOps notification rules beyond servers to your dependencies and container scans. You can now be alerted the moment a dependency scan or a container scan finds a new vulnerability, an outdated package, or an infrastructure misconfiguration — delivered straight to Slack, Email, Telegram, Discord, MS Teams, or PagerDuty.
The Problem
Until now, notification rules in VersionOps were built around servers and installed software: outdated versions, version drift between hosts, servers going quiet. Meanwhile, two of the most security-relevant signals had no way to reach you automatically.
Your npm and Docker dependency scans surfaced CVEs in the dashboard, but nothing told you when a new one appeared — you had to go look. And container image scanning had its own separate notification settings, configured in a different place from every other alert. There was no single, consistent way to say "tell me when a Critical vulnerability shows up in this project."
How It Works
VersionOps now has a single notification engine that covers servers, dependencies, and container/IaC scans alike. The new rule types fire the instant a scan finishes rather than on a fixed schedule, so security findings don't wait for the next polling cycle.
Four New Rule Types
Create any of these from Settings → Notifications, just like a server rule:
| Rule type | Fires when | Filter by |
|---|---|---|
| Dependency Vulnerability | A dependency scan finds a CVE at or above your severity threshold | Project |
| Outdated Dependency | A package falls behind its latest release (major/minor/patch) | Project |
| Container Image Vulnerability | A container image scan finds a CVE above your severity threshold | Image |
| IaC / K8s Misconfiguration | An IaC or Kubernetes scan flags a misconfiguration | Target |
Each rule has a Severity Threshold (Critical / High / Medium / Low) and an optional filter, so you can scope a rule to a specific project or image and only hear about what matters.
Notify Only on New Findings
Because these rules run on every scan, alerting on everything each time would be noise. Every scan rule has a "Notify only on new findings" toggle, on by default. VersionOps remembers which findings it has already told you about (per rule) and only alerts on ones it hasn't seen before — so a long-standing CVE alerts you once, not on every scan. Turn the toggle off if you'd rather get the full list each time.
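The following sketch is an added illustration, not VersionOps code: it models how a severity threshold, an optional project filter, and a per-rule memory of already-alerted findings combine to decide what one finished scan sends. The `ScanRule` class, the finding fields, the identity key, and all sample values are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Severity order as listed on the page: Critical / High / Medium / Low.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class ScanRule:
    """Hypothetical model of one scan notification rule (not VersionOps code)."""
    name: str
    threshold: str                # minimum severity that alerts
    project_filter: str = ""      # empty string means every project
    only_new: bool = True         # the "Notify only on new findings" toggle
    seen: set = field(default_factory=set)  # per-rule memory of alerted findings

    def evaluate(self, project, findings):
        """Return the findings from one finished scan that should be sent."""
        if self.project_filter and project != self.project_filter:
            return []
        floor = SEVERITY_RANK[self.threshold]
        to_send = []
        for f in findings:
            if SEVERITY_RANK[f["severity"]] < floor:
                continue
            # Assumed identity of a finding: project + package + advisory id.
            key = (project, f["package"], f["id"])
            if self.only_new and key in self.seen:
                continue
            self.seen.add(key)
            to_send.append(f)
        return to_send


# Constructed sample scans; package names and advisory ids are placeholders.
SCAN_1 = [
    {"package": "pkg-a", "id": "CVE-EXAMPLE-0001", "severity": "critical"},
    {"package": "pkg-b", "id": "CVE-EXAMPLE-0002", "severity": "medium"},
]
SCAN_2 = SCAN_1 + [
    {"package": "pkg-c", "id": "CVE-EXAMPLE-0003", "severity": "high"},
]


def demo():
    rule = ScanRule("prod-deps", threshold="high", project_filter="shop-api")
    first = [f["id"] for f in rule.evaluate("shop-api", SCAN_1)]
    second = [f["id"] for f in rule.evaluate("shop-api", SCAN_2)]
    other = rule.evaluate("blog", SCAN_2)  # dropped by the project filter
    return first, second, other
```

In this model the second scan reports only the newly appeared High finding, and a second rule with its own `seen` set would still alert on the long-standing Critical one, because the memory is kept per rule.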
Getting Started
- Go to Settings → Notifications and click Add Notification Rule.
- Pick one of the new types — for example, Dependency Vulnerability.
- Set the Severity Threshold (e.g. High and above) and, optionally, a Project Filter.
- Leave Notify only on new findings on, attach your channels, and save.
The next time that project is scanned, any new finding at or above your threshold is delivered to your channels automatically.
Container Settings, Migrated
If you previously configured container scan notifications, those settings are automatically migrated into equivalent notification rules. Nothing to redo — your container and IaC alerts keep working, now managed in the same place as everything else.
What's Next
We're continuing to unify and deepen alerting — richer per-finding context in messages and more delivery options. Have a notification scenario you'd like to see? Let us know.
