Changelog

Highlights

• Get alerted the moment a dependency or container scan finds something — no more waiting for a daily check
• Four new notification rule types covering npm/Docker dependencies and container, IaC, and Kubernetes scans
• "Notify only on new findings" so you hear about each vulnerability once, not on every scan
• Existing container scan notification settings are migrated into the same rules — all alerts in one place

New Features

• Dependency vulnerability alerts. Create a rule that fires when a dependency scan finds a CVE at or above a severity threshold (Critical / High / Medium / Low) in your npm or Docker projects. Filter by project, and choose to be alerted only about findings you haven't seen before.
• Outdated dependency alerts. Get notified when packages fall behind their latest release, with the major/minor/patch update level included.
• Container image vulnerability alerts. A rule that fires when a container image scan finds a CVE above your chosen severity. Filter by image.
• IaC / Kubernetes misconfiguration alerts. Be notified when an infrastructure-as-code or Kubernetes scan flags a misconfiguration above a severity threshold.
• Event-driven delivery. These new rules fire the instant a scan completes rather than on a fixed schedule, so security findings reach your channels (Slack, Email, Telegram, Discord, MS Teams, PagerDuty) right away.

Improvements

• Container and IaC scan notifications now run through the unified notification rules engine. Your existing container scan notification settings are automatically migrated into equivalent rules, so every alert — servers, dependencies, and containers — is configured and delivered the same way.
• Each scan rule supports a "notify only on new findings" toggle, with built-in deduplication so the same vulnerability doesn't alert you on every scan.

Highlights

• TOTP-based two-factor authentication with backup codes and admin enforcement
• Cloudflare Turnstile captcha on register and login to block automated abuse
• Welcome emails for new accounts and reminders before the trial expires
• One-click cancellation link that works even when you can't log in
• Invoice payments: receive a PDF invoice and pay it from your inbox

New Features

• Two-factor authentication (TOTP). Enroll from Settings → Security with any authenticator app (Google Authenticator, 1Password, Authy, Bitwarden). Sign in with a 6-digit code. Each enrollment issues 10 single-use backup codes for recovery. Org admins can require MFA for all admin users in their organization.
• Captcha on Register and Login. Cloudflare Turnstile silently blocks automated sign-up and login attempts without forcing real users through a puzzle.
• Welcome email sequence. New accounts — email/password and OAuth alike — now receive a short welcome series with quick-start steps.
• Trial expiring reminders. Trial accounts get a heads-up three days before the trial ends, and a final reminder one day before, with a one-click upgrade link.
• Invoice payments. Issued invoices arrive by email with a PDF attachment; you can download the same PDF from the dashboard at any time.
• Account cancellation by tokenized link. If you've lost access to the email used to sign up, you can cancel and delete the account through a secure one-time link without needing to log in.

Improvements

• Past-due invoices now send a gentle multi-step reminder instead of a single email — and stop the moment the invoice is paid.
• Cleaner sign-up and sign-in pages: the captcha widget resets automatically on any failed submit, so you never get stuck on a stale token.

Highlights

• Scan private container images from any registry — AWS ECR, GCP, Azure, GitLab, GitHub, Harbor, and more
• Universal registry credentials management with encrypted storage
• One-click connection testing for instant credential verification
• Automatic credential resolution during scheduled scans

New Features

• Private container registry support — connect your private registries to scan images for vulnerabilities without exposing credentials or deploying additional agents.
• Universal registry authentication — supports username/password (Docker Hub, GitLab, GitHub, Harbor, JFrog, Nexus, Quay), AWS ECR, Google Artifact Registry, Azure Container Registry, and static bearer tokens.
• Cloud-native credential adapters — for AWS ECR, GCP GAR, and Azure ACR, VersionOps automatically obtains and refreshes short-lived tokens using your cloud credentials.
• Connection testing — verify your registry credentials work before saving, with one-click test directly from the UI.
• New "Registries" tab in the Security section — manage all your container registries in one place with status monitoring and search/filter.
• Registry presets for popular providers — select Docker Hub, AWS ECR, GCP, Azure, GitHub, GitLab, Harbor, JFrog, or custom registries with pre-filled configuration templates.
• Automatic credential injection — when scanning a private image, VersionOps automatically finds and applies the matching registry credentials based on the image URL.

Improvements

• All registry credentials are encrypted at rest using AES-256 encryption and masked in API responses.
• Full audit trail for registry credential operations — create, update, delete, and connection tests are logged.
• SSRF protection on connection testing prevents scanning of internal network addresses.
• Auto-scan fully supports private registries — scheduled scans automatically resolve credentials for private images.

Highlights

• Unified Security Hub with aggregated vulnerability overview across all sources
• Container image scanning powered by Trivy — detect CVEs in Docker images
• Infrastructure as Code scanning for Terraform, CloudFormation, Dockerfiles, and Helm charts
• Kubernetes manifest security analysis with CIS benchmark checks

New Features

• Security Hub — a unified security dashboard that aggregates vulnerabilities from container images, IaC files, Kubernetes manifests, and npm dependencies into a single view.
• Container image scanning powered by Trivy — scan any public Docker image for known vulnerabilities with severity breakdown (Critical, High, Medium, Low).
• Container image tracking — add images to your inventory with auto-scan on a configurable schedule (1 to 168 hours).
• Infrastructure as Code scanning — upload or scan Terraform, CloudFormation, Dockerfiles, Kubernetes manifests, and Helm charts for misconfigurations.
• Kubernetes security analysis — scan K8s manifests against CIS benchmarks and security best practices with remediation guidance.
• Secret detection — automatically find exposed API keys, passwords, and tokens in your scanned artifacts.
• Scan history and trends — track vulnerability counts over time with analytics dashboard showing 7/30/90 day trends.
• Security notifications — get alerted via Slack, Email, Telegram, Discord, MS Teams, or PagerDuty when scans find vulnerabilities above your severity threshold.

Improvements

• Navigation updated with a dedicated Security section in the main menu.
• Vulnerability details include CVSS scores, fixed versions, and direct links to advisories.
• Scan results are paginated for large images with hundreds of findings.
• Background scanning with progress tracking — navigate away and return to see results.

Highlights

• Create projects to track npm dependencies separately from host inventory
• Import package.json or package-lock.json for dependency tracking
• CVE scanning for npm packages via OSV and GitHub Advisory databases
• Background processing for large dependency imports with progress tracking

New Features

• Projects feature for npm dependency monitoring — create projects, import package files, and track vulnerabilities.
• Support for both package.json and package-lock.json imports. Lock files provide exact versions; package.json versions are resolved via npm registry.
• "Scan Now" button to re-scan existing dependencies for newly published CVEs.
• "Update Dependencies" button to re-import package files after local npm update/install.
• Background job processing for dependency imports with real-time progress indication.
• Transitive dependency resolution from package-lock.json for complete vulnerability coverage.

Improvements

• Documentation updated with Projects section in Docs, User Guide, and API Reference.
• Clear guidance on package.json vs package-lock.json — lockfiles recommended for accurate CVE results.
• API responses now indicate background job status for import operations.
• CI/CD integration examples updated with package-lock.json support.

Bug Fixes

• Resolved version resolution edge cases when semver ranges are complex.
• Fixed transitive dependency deduplication in lockfile parsing.

Highlights

• New reset password flow with branded HTML emails
• Public plans endpoint for landing/marketing
• Stricter multi-tenant isolation for configs and tokens
• Smart recommendations gating with upgrade prompt
• Changelog page powered by release notes data

New Features

• Added reset password page/route with HTML email template and CTA link
• New /api/public/plans endpoint with active plans fallback to defaults
• Landing Changelog page backed by structured releaseNotes data
• Upgrade prompt for Smart Recommendations when feature is locked

Improvements

• Multi-tenant scoping for application_configs CRUD, agent application configs, and default configs per organization
• Multi-tenant scoping for service token delete/toggle operations
• Emails sent as multipart (plain + HTML) for better deliverability
• Version source UI labels clarified (Add/Remove Version Source)

Bug Fixes

• Prevent cross-organization leakage of application configs to agents
• Ensure default application configs are stored with organization_id
• Skip Smart Recommendations requests when feature not enabled (avoid pollution)

Highlights

• Template catalog with categories and tags in user dashboard
• User-facing template catalog with categories and tags
• Selective apply of applications and notifications with overwrite options
• Recommendations toggle when applying templates

New Features

• Template catalog in Settings → Templates with category/tag filters and details before applying.
• Apply templates fully or select specific applications/notifications with overwrite flags.
• Shared categories metadata across templates to keep taxonomy consistent.

Improvements

• User catalog UI with grid cards, empty states, and recommendations toggle on apply.
• Branded password reset email uses product logo instead of emoji.
• Layout polish: wider dashboard overview grid and adjusted landing features grid.

Highlights

• Safer smart recommendations behavior
• Stricter org scoping for configs and tokens

New Features

• Upgrade prompt UX for Smart Recommendations when feature is locked

Improvements

• Skip Smart Recommendations requests when feature is not enabled to avoid noise
• UI labels clarified for version sources (Add/Remove Version Source)
• Additional multi-tenant checks for application configs and service tokens

Bug Fixes

• Prevent potential cross-organization leakage of application configs
• Ensure defaults carry organization_id in configs

Highlights

• Smart version recommendations with risk assessment
• Enhanced CVE scanning with multiple data sources
• Improved agent performance

New Features

• Added smart version recommendations with semantic versioning analysis
• New risk assessment for upgrade recommendations (Low/Medium/High)
• Support for multiple version sources per application (GitHub, Repology, Docker Hub)
• Cascade version detection - fallback through multiple sources
• Version preview in application configuration
• Include/exclude prerelease versions option

Improvements

• CVE scanning now checks multiple databases for better coverage
• Agent performance optimizations - 30% faster scanning
• Improved error handling and retry logic in notifications
• Better logging for debugging agent issues
• Dashboard loading time reduced by 40%

Bug Fixes

• Fixed version regex matching for complex version strings
• Resolved duplicate notifications issue
• Fixed timezone handling in version history
• Corrected host count display on organization dashboard

Highlights

• Team member invitations
• Role-based access control
• Organization settings page

New Features

• Invite team members via email with role assignment
• Role-based access control: Owner, Admin, Member, Viewer
• Organization settings page with member management
• Transfer organization ownership
• Leave organization functionality
• Pending invitation management

Improvements

• Unified navigation across all pages
• Better mobile responsiveness
• Improved loading states with skeleton screens
• Enhanced error messages with actionable guidance

Bug Fixes

• Fixed session timeout issues
• Resolved email verification race condition
• Fixed notification delivery to multiple recipients

Highlights

• Stripe integration for payments
• Plan upgrades and downgrades
• Usage-based billing

New Features

• Stripe Checkout integration for seamless payments
• Support for monthly and annual billing cycles
• Plan comparison with feature matrix
• Automatic plan limit enforcement
• Invoice history and download
• Customer portal for payment method management

Improvements

• Clearer pricing display on landing page
• Better trial period handling
• Improved billing page design

Bug Fixes

• Fixed proration calculation for mid-cycle upgrades
• Resolved webhook duplicate processing

Highlights

• More reliable Slack/webhook delivery
• Better notification caching and retries

Improvements

• Improved notification caching and retry logic for Slack and webhooks
• Better error handling for notification delivery failures

Bug Fixes

• Fixed TLS negotiation issues for SMTP
• Resolved notification deduplication edge cases

Highlights

• Slack integration
• Webhook notifications
• Custom notification rules

New Features

• Slack channel integration with rich message formatting
• Custom webhook delivery with configurable payloads
• Multiple notification rule types: CVE, Outdated Version, Version Drift
• Notification scheduling and batching
• Delivery status tracking and retry logic
• Test notification functionality

Improvements

• Email templates redesigned for better readability
• Notification history with filtering
• Better error reporting for failed deliveries

Bug Fixes

• Fixed SMTP TLS negotiation issues
• Resolved notification deduplication bug

Highlights

• Stabler NVD syncing
• Fewer false positives

Improvements

• Improved CVE data caching and synchronization timing
• Better handling of version format variations for matching

Bug Fixes

• Fixed false positive CVE matches
• Resolved scanning interval issues

Highlights

• Automated CVE detection
• Severity-based filtering
• Vulnerability dashboard

New Features

• Automated CVE scanning for detected applications
• Integration with NVD (National Vulnerability Database)
• Severity filtering: Critical, High, Medium, Low
• Vulnerability status tracking: Open, Acknowledged, Resolved
• CVE details with remediation guidance
• Security dashboard with vulnerability trends

Improvements

• Faster application version matching
• Better handling of version format variations
• Improved CVE data caching

Bug Fixes

• Fixed false positive CVE matches
• Resolved scanning interval issues

Highlights

• Version tracking across infrastructure
• Linux agent with auto-discovery
• Web dashboard

New Features

• Linux agent for version collection
• Auto-discovery of installed packages (apt, yum, dnf)
• Application configuration with custom detection methods
• Version history tracking with change timeline
• Host inventory management
• Service token authentication for agents
• User authentication with email/password
• Basic email notifications
• REST API for integrations