VersionOps Documentation
VersionOps is a version-aware infrastructure inventory platform that helps DevOps teams track software versions, detect vulnerabilities, and manage updates across their infrastructure.
Quick Start
Get started with VersionOps in just a few minutes:
Create an Account
Sign up at app.versionops.com to create your organization.
Get a Service Token
Go to Dashboard → Settings → Service Tokens to create a token for your agents.
Install the Agent
See the Agent Installation section below.
View Your Inventory
Access your dashboard to see all hosts, applications, and version information.
Key Concepts
Hosts
Servers, VMs, or containers where your software runs. Each host runs an agent that reports its inventory.
Applications
Software packages installed on your hosts. VersionOps tracks versions and detects updates.
Alerts
Notifications about outdated software, security vulnerabilities (CVEs), and recommended updates.
Organizations
Multi-tenant isolation for your team. Each organization has its own hosts, users, and settings.
VersionOps Agent
The VersionOps Agent is a lightweight daemon that runs on your Linux servers to automatically discover installed applications and report their versions.
Auto-discovery
Detects installed applications using multiple methods
Version Tracking
Reports versions to your VersionOps dashboard
Secure
Token-based authentication, minimal permissions
Lightweight
Single binary (~8MB), minimal resource usage
Agent Installation
# Download the binary
wget https://github.com/versionops-platform/versionops-agent/releases/latest/download/versionops-agent-linux-amd64
# Install
sudo mv versionops-agent-linux-amd64 /usr/local/bin/versionops-agent
sudo chmod +x /usr/local/bin/versionops-agent
# Configure
sudo versionops-agent config --backend=https://api.versionops.com --token=YOUR_SERVICE_TOKEN
# Install systemd service
sudo versionops-agent install
# Start the agent
sudo systemctl enable --now versionops-agent
Agent Configuration
Configuration is stored in /etc/versionops/agent.conf (JSON format):
{
  "backend_url": "https://api.versionops.com",
  "token": "your-service-token",
  "interval": 300,
  "log_level": "INFO"
}
| Option | Description | Default |
|---|---|---|
| backend_url | VersionOps backend URL | https://api.versionops.com |
| token | Service token for authentication | (required) |
| interval | Reporting interval in seconds | 300 (5 min) |
| log_level | Logging level | INFO |
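Because agent.conf holds the service token in plain JSON, it is worth checking the file before starting the service. The following is an added example, not part of the VersionOps agent or its documentation: a Python audit of the options in the table above. The owner-only file mode and the placeholder-token list are assumptions of this example, not documented agent behaviour.

```python
import json
import os
import stat
import tempfile
from urllib.parse import urlparse

# Assumption of this example: placeholder values copied from the docs.
PLACEHOLDER_TOKENS = {"your-service-token", "YOUR_SERVICE_TOKEN", "YOUR_TOKEN"}

def audit_agent_conf(path):
    """Return a list of findings for an agent.conf-style JSON file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Assumption: only the file owner should be able to read the token.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:04o} exposes the token to non-owners")
    try:
        with open(path, encoding="utf-8") as fh:
            conf = json.load(fh)
    except json.JSONDecodeError as exc:
        return findings + [f"not valid JSON: {exc.msg}"]
    if not isinstance(conf, dict):
        return findings + ["top level must be a JSON object"]
    url = urlparse(str(conf.get("backend_url", "")))
    if url.scheme != "https" or not url.hostname:
        findings.append("backend_url must be an https:// URL")
    token = conf.get("token")
    if not isinstance(token, str) or not token.strip():
        findings.append("token is missing (it is a required option)")
    elif token in PLACEHOLDER_TOKENS:
        findings.append("token is still a documentation placeholder")
    interval = conf.get("interval", 300)  # documented default: 300 seconds
    if isinstance(interval, bool) or not isinstance(interval, int) or interval <= 0:
        findings.append("interval must be a positive integer (seconds)")
    return findings

def write_sample(conf, mode):  # writes a constructed sample config to a temp file
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(conf, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    weak = write_sample({"backend_url": "http://api.versionops.com",
                         "token": "your-service-token", "interval": 0}, 0o644)
    for finding in audit_agent_conf(weak):
        print("FINDING:", finding)
    os.unlink(weak)
```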
# Set backend URL
sudo versionops-agent config --backend=https://api.versionops.com
# Set service token
sudo versionops-agent config --token=YOUR_TOKEN
# Set reporting interval (seconds)
sudo versionops-agent config --interval=300
# View current configuration
sudo versionops-agent config --show
Systemd Service
After running versionops-agent install, the service is managed via systemd:
# Start the agent
sudo systemctl start versionops-agent
# Stop the agent
sudo systemctl stop versionops-agent
# Restart the agent
sudo systemctl restart versionops-agent
# View status
sudo systemctl status versionops-agent
# View logs
sudo journalctl -u versionops-agent -f
System Requirements
Supported Operating Systems
Ubuntu
- Ubuntu 20.04 LTS (Focal Fossa)
- Ubuntu 22.04 LTS (Jammy Jellyfish)
- Ubuntu 24.04 LTS (Noble Numbat)
Debian
- Debian 11 (Bullseye)
- Debian 12 (Bookworm)
RHEL / CentOS
- CentOS 8, 9, Stream
- RHEL 8, 9
- Rocky Linux 8, 9
- AlmaLinux 8, 9
Amazon Linux
- Amazon Linux 2
- Amazon Linux 2023
Supported Architectures
- x86_64 (amd64) — Standard 64-bit Intel/AMD processors
- ARM64 (aarch64) — AWS Graviton, Apple Silicon (via Linux VMs), Raspberry Pi 4+
Windows Support
VersionOps agent is designed for Linux systems. For Windows environments:
- WSL2 — Run the agent inside Windows Subsystem for Linux (Ubuntu or Debian recommended)
- Remote Proxy — Use a Linux proxy agent to monitor Windows-only environments via remote protocols
Minimum Requirements
| Resource | Requirement |
|---|---|
| Disk Space | 50 MB |
| RAM | 32 MB (agent only) |
| Network | Outbound HTTPS (port 443) |
| Python | 3.8+ (bundled with agent binary) |
| Permissions | Root or sudo access for installation |
Agent Commands
| Command | Description |
|---|---|
| versionops-agent config | Configure the agent settings |
| versionops-agent install | Install systemd service |
| versionops-agent run --once | Run once (for testing) |
| versionops-agent run --daemon | Run as daemon (foreground) |
| versionops-agent status | Show agent status |
| versionops-agent version | Show version info |
Inventory Management
VersionOps automatically discovers and tracks all software installed on your hosts. The dashboard provides a centralized view of your entire infrastructure.
- Host Overview — See all your servers with OS info, IP addresses, and last seen time
- Application List — Browse all detected applications with current versions
- Search & Filter — Quickly find specific hosts or applications
- Export — Download inventory data in CSV or JSON format
Version Tracking
Track software versions across your infrastructure and get notified about available updates.
- Version History — See when versions changed on each host
- Latest Versions — Compare installed versions with latest releases from GitHub and Repology
- Update Recommendations — Get smart recommendations for patch, minor, and major updates
- Custom Sources — Configure custom version sources for internal applications
Alerts & CVE Detection
Stay informed about security vulnerabilities and outdated software with automated alerts.
- CVE Monitoring — Automatic detection of known vulnerabilities
- Notification Rules — Configure alerts via email, Slack, or webhooks
- Severity Levels — Prioritize based on CVSS scores
- Remediation Guidance — Get upgrade paths for vulnerable packages
npm Dependency Monitoring (Projects)
Monitor npm packages and Node.js dependencies across your projects. VersionOps scans your package.json and package-lock.json files to track dependencies and detect security vulnerabilities.
Dependency Tracking
Track all npm packages including transitive dependencies
CVE Scanning
Scan via OSV and GitHub Advisory databases
CI/CD Integration
GitHub Actions, GitLab CI, and Jenkins support
Semver Updates
Smart recommendations respecting semantic versioning
Key Features
- Project-based Monitoring — Create projects to track npm dependencies separately from host inventory
- package.json Import — Upload or sync package.json files directly from your repositories
- package-lock.json Support — Full transitive dependency analysis from lockfiles
- Multiple Vulnerability Sources — Scans against OSV (Open Source Vulnerabilities) and GitHub Advisory Database
- Semver-aware Recommendations — Get patch, minor, and major update suggestions following semantic versioning
- CI/CD Webhook — Trigger scans from your build pipelines with a single API call
package.json vs package-lock.json
Recommended: Always upload package-lock.json
For the most accurate CVE scanning results, always include your package-lock.json file when creating or updating a project.
| Scenario | Behavior | CVE Accuracy |
|---|---|---|
| With package-lock.json | Exact versions from lockfile, all transitive dependencies included | Exact match |
| Only package.json | Versions resolved via npm registry API within semver constraints | May differ (resolved versions may be newer) |
Why it matters: Without a lockfile, VersionOps resolves the latest versions within your semver ranges (e.g., ^18.2.0 might resolve to 18.3.1). This can result in different CVE results than what is actually installed in your project.
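To make the difference concrete, the following added example (not VersionOps code) compares what a lockfile pins with what manifest-only resolution would pick. The sample files and the `REGISTRY` version list are constructed, and the range matcher handles only caret ranges on plain x.y.z versions.

```python
import json

# Constructed sample inputs (not taken from a real project).
PACKAGE_JSON = {"dependencies": {"react": "^18.2.0"}}
PACKAGE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"react": "^18.2.0"}},
    "node_modules/react": {"version": "18.2.0"},
    "node_modules/loose-envify": {"version": "1.4.0"},
    "node_modules/js-tokens": {"version": "4.0.0"}
  }
}""")
# Constructed stand-in for a registry lookup, so the example runs offline.
REGISTRY = {"react": ["18.2.0", "18.3.1", "19.0.0"]}

def parse(version):
    return tuple(int(part) for part in version.split("."))

def caret_allows(rng, version):
    """True if plain x.y.z `version` satisfies a caret range such as ^18.2.0."""
    base, cand = parse(rng.lstrip("^")), parse(version)
    # Caret ranges pin everything up to the leftmost non-zero component.
    pivot = next((i for i, part in enumerate(base) if part), 2)
    return cand >= base and cand[:pivot + 1] == base[:pivot + 1]

def locked_versions(lock):
    """Map package name -> set of exact versions in a v2/v3 lockfile."""
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if path and "version" in meta:  # "" is the root project itself
            name = path.rsplit("node_modules/", 1)[-1]
            found.setdefault(name, set()).add(meta["version"])
    return found

def compare(manifest, lock, registry):
    """Report where manifest-only resolution departs from the lockfile."""
    locked, direct = locked_versions(lock), manifest.get("dependencies", {})
    drift = {}
    for name, rng in direct.items():
        allowed = [v for v in registry.get(name, []) if caret_allows(rng, v)]
        resolved = max(allowed, key=parse) if allowed else None
        if resolved not in locked.get(name, set()):
            drift[name] = {"locked": sorted(locked.get(name, set())), "resolved": resolved}
    return {"drift": drift, "transitive_only": sorted(set(locked) - set(direct))}

if __name__ == "__main__":
    print(json.dumps(compare(PACKAGE_JSON, PACKAGE_LOCK, REGISTRY), indent=2))
```

Here the scanned version (18.3.1) is not the installed one (18.2.0), and two transitive packages never appear in package.json at all.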
Getting Started with npm Monitoring
Create a Project
Go to Projects in your dashboard and click “New Project”. Give it a name that matches your repository.
[Screenshot: Projects page with New Project button]
Import Dependencies
Upload your package.json file (and package-lock.json for best results). The import runs in the background with progress indication.
[Screenshot: Import dialog with file upload]
Scan for Vulnerabilities
VersionOps automatically scans your dependencies against OSV and GitHub Advisory databases. Use the “Scan Now” button to trigger a manual scan at any time.
[Screenshot: Project dashboard with Scan Now button]
Update Dependencies
Use the “Update Dependencies” button to re-import your package files and refresh the dependency list. This is useful after running npm update locally.
[Screenshot: Update Dependencies button in project view]
Set Up CI/CD Integration
Add the CI/CD webhook to your pipeline to scan on every build. See CI/CD Integration for details.
Background Processing
All dependency imports are processed in the background. This means:
- Large projects with hundreds of dependencies import smoothly
- Progress is shown in the UI while import is running
- You can navigate away and return later to see results
- CVE scanning starts automatically after import completes
Supported Package Managers
- npm — package.json and package-lock.json
- yarn — package.json and yarn.lock (coming soon)
- pnpm — package.json and pnpm-lock.yaml (coming soon)
Security Hub & Container Scanning
The Security Hub provides a unified view of vulnerabilities across your entire stack — container images, Infrastructure as Code, Kubernetes manifests, and application dependencies. Powered by Trivy, the industry-leading open-source vulnerability scanner.
Container Scanning
Scan Docker images for OS, language, and binary vulnerabilities
IaC Scanning
Detect misconfigurations in Terraform, CloudFormation, and Dockerfiles
Kubernetes Analysis
Check manifests against CIS benchmarks and Pod Security Standards
Secret Detection
Find exposed API keys, passwords, and tokens in scanned artifacts
Key Features
- Unified Dashboard — Aggregated vulnerability overview across all scan sources in one place
- Container Image Tracking — Add images to your inventory and enable auto-scanning on a configurable schedule (1–168 hours)
- Severity Breakdown — Every scan result includes Critical, High, Medium, and Low counts with CVSS scores
- IaC Formats — Supports Terraform (.tf), CloudFormation (YAML/JSON), Dockerfiles, Kubernetes manifests, and Helm charts
- Remediation Guidance — Each finding includes the fixed version, file path, line number, and resolution steps
- Scan History & Trends — Track vulnerability counts over time with 7/30/90 day trend analytics
- Security Notifications — Get alerted via Slack, Email, Telegram, Discord, MS Teams, or PagerDuty when scans find vulnerabilities above your severity threshold
Supported IaC Formats
| Format | File Types | What It Detects |
|---|---|---|
| Terraform | .tf files | Misconfigured resources, open security groups, unencrypted storage |
| CloudFormation | YAML/JSON templates | Resource misconfigurations, missing encryption, overly permissive IAM |
| Dockerfile | Dockerfile | Running as root, hardcoded secrets, insecure base images |
| Kubernetes | YAML manifests | Missing resource limits, privileged containers, CIS benchmark violations |
| Helm | Chart templates | Template security issues after rendering |
Private Container Registries
Scan private container images from any Docker V2-compatible registry. VersionOps stores your registry credentials securely (encrypted at rest with AES-256) and automatically applies them when scanning private images.
Supported Registries
| Registry | Auth Method | Notes |
|---|---|---|
| Docker Hub | Username + Password | Standard Docker Hub credentials |
| AWS ECR | Access Key + Secret | Auto-refreshes temporary tokens every 12 hours |
| Google Artifact Registry | Service Account JSON | OAuth tokens refreshed automatically |
| Azure ACR | Service Principal | AAD tokens refreshed automatically |
| GitHub GHCR | Personal Access Token | Requires read:packages scope |
| GitLab Registry | Username + Token | Deploy token or PAT |
| Harbor / JFrog / Nexus / Quay | Username + Password | Standard Docker V2 authentication |
Key Features
- Automatic Credential Resolution — VersionOps matches image URLs to configured registries and applies credentials automatically
- Cloud-Native Token Management — For AWS ECR, GCP, and Azure, short-lived tokens are refreshed automatically
- Connection Testing — Verify credentials before saving with one-click test
- Encrypted Storage — All credentials encrypted at rest, masked in API responses
- Audit Trail — Every credential operation is logged for compliance
- SSRF Protection — Connection tests block requests to internal network addresses
Getting Started
Navigate to Security → Registries in your dashboard. Click Add Registry, select your provider from the preset list, fill in credentials, and click Test Connection to verify. Once saved, any image from that registry will automatically use those credentials during scanning.
Troubleshooting
Agent not reporting data
- Check configuration: sudo versionops-agent config --show
- Test connectivity: sudo versionops-agent run --once
- Check logs: sudo journalctl -u versionops-agent -f
Connection refused
Verify backend_url is correct and the server is accessible.
401 Unauthorized
Check that the service token is valid and active in your dashboard.
Ready to Get Started?
Create your free account and start tracking your infrastructure today.
