VersionOps User Guide

This comprehensive guide will help you get the most out of VersionOps. Learn how to set up your organization, manage hosts, track software versions, and stay on top of security vulnerabilities.

Getting Started

Welcome to VersionOps! This section will guide you through setting up your account and organization to start tracking your infrastructure.

Creating Your Account

Sign Up

Visit app.versionops.com/register and enter your email address and create a password. You can also sign up using your Google or GitHub account.

Verify Your Email

Check your inbox for a verification email and click the confirmation link. This ensures secure access to your account.

Complete Your Profile

Add your name and other optional details. This information helps your team identify you within the organization.

Account registration form

Organization Setup

An organization is the container for all your infrastructure data. When you first sign up, you'll be prompted to create an organization or join an existing one.

Name Your Organization

Choose a name that represents your company or team. This will be visible to all members of your organization.

Select Your Plan

Choose a subscription plan that fits your needs. You can start with the Free plan and upgrade later as your infrastructure grows.

Generate a Service Token

Create your first service token to authenticate agents on your servers. Go to Settings → Service Tokens and click "Create Token".

Pro Tip

Keep your service token secure. It provides access to report data to your organization. You can create multiple tokens for different environments (production, staging, development).

Inviting Team Members

Collaboration is key to effective infrastructure management. Invite your team members to join your organization:

Navigate to Settings → Team Members
Click the "Invite Member" button
Enter their email address and select a role:
- Admin - Full access including settings and billing
- Member - Can view and manage hosts and applications
- Viewer - Read-only access to dashboards and reports
Click "Send Invitation"

Team member invitation dialog

Dashboard Overview

The dashboard is your command center for monitoring your infrastructure. Here's what you'll find when you log in.

Main dashboard view

Key Metrics

At the top of the dashboard, you'll see important metrics at a glance:

Total Servers

The number of servers and machines being monitored

Applications

Unique software packages detected across your infrastructure

Vulnerabilities

Known CVEs affecting your installed software

Outdated

Applications with available updates

Quick Actions

The dashboard provides quick access to common tasks:

View All Servers - Jump directly to your server inventory
Check Vulnerabilities - See the latest CVE scan results
Add Service Token - Create a new token for agent authentication
Export Report - Download inventory data in various formats

Navigation

The main navigation menu on the left provides access to all features:

Menu Item	Description
Dashboard	Overview of your infrastructure with key metrics
Servers	List and manage all monitored servers
Applications	Software inventory across all servers
Dependencies	npm and Docker dependency tracking
Security	Security Hub — container scanning, IaC scanning, CVE detection, and private registry management
Notifications	Alert configuration and notification history
Version History	Audit trail of version changes over time
Settings	Organization settings, team management, billing

Managing Servers

Servers are the VMs or machines that run your applications. VersionOps automatically discovers servers when agents report data.

Viewing Server List

Navigate to Servers in the main menu to see all your monitored servers. The server list displays:

Hostname - The server's name as reported by the agent
IP Address - Primary network address
Operating System - OS distribution and version
Applications - Count of detected software packages
Last Seen - When the agent last reported data
Status - Online, offline, or warning indicators

Server list view

Server Details Page

Click on any server to view detailed information:

System Information

Detailed OS info, kernel version, architecture, and hardware specs

Installed Applications

Complete list of software with versions, organized by category

Version History

Timeline of application updates and changes on this server

Vulnerabilities

CVEs affecting applications on this specific server

Filtering and Searching

Use the search and filter options to quickly find servers:

Search - Type to search by hostname, IP, or application name
OS Filter - Filter by operating system (Ubuntu, CentOS, etc.)
Status Filter - Show only online, offline, or warning servers
Tag Filter - Filter by custom tags you've assigned

Search Tip

Use the search bar to find servers running specific applications. For example, searching "nginx" will show all servers with nginx installed.

Server Status Indicators

Status	Indicator	Meaning
Online	Green	Agent reported within the last 10 minutes
Warning	Yellow	Agent hasn't reported in 10-60 minutes
Offline	Red	Agent hasn't reported in over 1 hour
New	Blue	Server registered within the last 24 hours

Applications & Software

The Applications section provides a complete inventory of all software detected across your infrastructure.

Application Inventory

Navigate to Applications to see all detected software. Each application shows:

Name - Application name (e.g., nginx, postgresql, redis)
Installed Versions - All versions found across your servers
Latest Version - The most recent release available
Server Count - Number of servers running this application
CVE Count - Known vulnerabilities affecting installed versions

Application inventory list

Version Information

Click on any application to see detailed version information:

Version Distribution

Visual breakdown of which versions are installed and on how many servers

Version Comparison

Compare your installed versions with the latest stable release

Update Recommendations

Smart suggestions for patch, minor, and major version upgrades

Filtering by Type

Use the category filters to focus on specific types of software:

Databases

Web Servers

Runtimes

Message Queues

Caching

Other

Outdated Software

Applications highlighted in yellow have updates available. Applications in red have known security vulnerabilities (CVEs).

Dependencies

In addition to server-based inventory, VersionOps can track npm package dependencies for your Node.js projects. Create dependency projects to monitor package.json files, scan for vulnerabilities, and get update recommendations.

Creating a Dependency Project

Navigate to Dependencies in the main menu to manage npm projects:

Click "New Project" button
Enter a name (typically matching your repository name)
Add an optional description
Click "Create"

Create new dependency project dialog

Importing Dependencies

After creating a project, import your dependencies. You can upload either:

package-lock.json (Recommended)

Provides exact versions and all transitive dependencies for accurate CVE scanning

package.json Only

Versions are resolved via npm registry API within your semver constraints

Important: Use Lock Files for Accurate Results

When you upload only package.json, VersionOps resolves versions through the npm registry API. This means the resolved versions may be newer than what is actually installed in your project.

For example, if your package.json specifies "react": "^18.2.0", VersionOps might resolve it to 18.3.1 (the latest within that range), even if you actually have 18.2.0 installed locally.

Result: CVE scan results may differ from your actual installed packages. Always upload package-lock.json for exact matches.

Import Methods

Manual Upload

Upload your package.json and/or package-lock.json files directly through the dashboard interface

API Import

Use the Projects API to sync dependencies programmatically

CI/CD Integration

Automatically scan on every commit using GitHub Actions, GitLab CI, or Jenkins

Background Processing

All dependency imports run in the background. You will see a progress indicator while the import is processing. For large projects with hundreds of dependencies, this may take a few moments. You can navigate away and return later to see results.

Dependency Dashboard

Each dependency project has its own dashboard showing:

Package Count — Total number of dependencies (direct + transitive)
Vulnerability Summary — Count by severity level (Critical, High, Medium, Low)
Outdated Packages — Dependencies with available updates
Last Scan Time — When the project was last scanned for CVEs

Dependency dashboard with vulnerability summary

Dependency Actions

The dependency view provides two main actions:

Button	What it does	When to use
Scan Now	Re-scans existing dependencies for new CVEs	Check for newly published vulnerabilities without changing dependencies
Update Dependencies	Re-imports package files and refreshes the dependency list	After running `npm update` or `npm install` locally

Scan Now and Update Dependencies buttons

Vulnerability Sources

VersionOps scans npm dependencies against multiple vulnerability databases:

Source	Description
OSV	Open Source Vulnerabilities database by Google
GitHub Advisory	Security advisories from GitHub Security Lab

Update Recommendations

Get intelligent update recommendations that respect semantic versioning:

Patch Updates

Bug fixes only (1.2.3 to 1.2.4) — Safe to apply

Minor Updates

New features, backward compatible (1.2.3 to 1.3.0)

Major Updates

Breaking changes possible (1.2.3 to 2.0.0) — Review changelog

CI/CD Integration

Integrate npm scanning into your build pipelines to catch vulnerabilities before they reach production:

GitHub Actions — Scan on push and pull requests
GitLab CI — Add security stage to your pipeline
Jenkins — Include in your Jenkinsfile

See CI/CD Integration Guide for detailed configuration examples.

CI/CD Security Gate

Configure your pipeline to fail when vulnerabilities above a certain severity are detected. Use the fail_on_severity parameter to set your threshold (LOW, MEDIUM, HIGH, CRITICAL).

Notifications & Alerts

Stay informed about important events in your infrastructure with configurable notifications delivered via email or webhooks.

Setting Up Notifications

Navigate to Settings → Notifications to configure your alert preferences:

Click "Add Notification Rule"
Choose the trigger event:
- New CVE detected
- Server goes offline
- New application version available
- Agent hasn't reported (configurable threshold)
Select the delivery channel (email, Slack, webhook)
Configure recipients and save the rule

Notification rule configuration

Alert Rules

Create sophisticated alert rules to filter notifications:

Rule Type	Description	Example
CVE Severity	Alert only for specific severity levels	Only Critical and High severity CVEs
Application Filter	Alert for specific applications only	Only nginx and postgresql updates
Server Filter	Alert for specific servers or server groups	Only production environment servers
Time Window	Suppress alerts during specific hours	No alerts between 2-4 AM (maintenance)

Email and Webhook Delivery

Email

Receive formatted emails with all relevant details including affected hosts, CVE information, and recommended actions.

Add multiple recipients per rule
Digest mode available (hourly/daily summary)
Customizable subject line templates

Webhook

Send JSON payloads to your own endpoints for custom integrations.

POST requests with JSON body
Custom headers supported
Retry on failure (3 attempts)

Slack

Get alerts directly in your Slack channels.

Rich message formatting
Direct links to VersionOps dashboard
Configure per-channel notifications

Severity Levels

Notifications are categorized by severity to help you prioritize:

Critical

Requires immediate attention (e.g., critical CVE, server down)

High

Important issues requiring prompt action

Medium

Issues to address during normal operations

Low

Informational alerts for awareness

CVE Scanning

VersionOps automatically scans your software inventory for known security vulnerabilities (CVEs) and provides actionable remediation guidance.

How CVE Scanning Works

Inventory Collection - The agent reports installed software and versions
CVE Database Matching - VersionOps compares versions against known CVE data
Severity Assessment - Each vulnerability is rated by CVSS score
Notification - Alerts are sent based on your notification rules

CVE scanning results

Viewing Vulnerabilities

Navigate to CVE Scanning to see all detected vulnerabilities:

CVE ID - Unique identifier (e.g., CVE-2024-12345)
Affected Application - Software with the vulnerability
Affected Servers - Servers running vulnerable versions
Severity - Critical, High, Medium, or Low
CVSS Score - Numeric severity rating (0-10)
Fixed In - Version that addresses the vulnerability

Severity Levels

Severity	CVSS Score	Description	Recommended Action
Critical	9.0 - 10.0	Easily exploitable, severe impact	Patch immediately
High	7.0 - 8.9	Significant risk of exploitation	Patch within 24-48 hours
Medium	4.0 - 6.9	Moderate risk, may require specific conditions	Patch within 1 week
Low	0.1 - 3.9	Limited impact or difficult to exploit	Patch during regular maintenance

Remediation Guidance

Click on any CVE to see detailed remediation guidance:

Vulnerability Details

Full description, attack vectors, and impact assessment

Affected Versions

List of vulnerable version ranges

Fixed Version

The minimum version that patches the vulnerability

References

Links to official advisories and documentation

Automatic Scanning

CVE scans run automatically every hour. You can also trigger a manual scan from the CVE Scanning page by clicking "Scan Now".

Security Hub

The Security Hub is your unified security dashboard. It aggregates vulnerabilities from container images, Infrastructure as Code files, Kubernetes manifests, and npm dependencies into a single view — powered by Trivy.

Navigating the Security Hub

Go to Security in the main menu. The Security Hub has several tabs:

Tab	Description
Overview	Aggregated vulnerability counts, severity breakdown, and trend charts
Container Images	Add, scan, and track Docker container images
Scan History	Past scan results with filtering by type, severity, and date
Registries	Manage private container registry credentials

Scanning Container Images

Add a Container Image

Go to Security → Container Images and click "Add Image". Enter an image reference (e.g., nginx:1.25, node:20-alpine).

Run a Scan

Click "Scan" on any tracked image. Trivy analyzes every layer — OS packages, language dependencies, and standalone binaries.

Review Results

View the severity breakdown (Critical, High, Medium, Low), individual CVE details with CVSS scores, affected packages, and fixed versions.

Enable Auto-Scan

Turn on auto-scanning with a configurable interval (1–168 hours). VersionOps will re-scan automatically and alert you when new vulnerabilities are found.

Container image scan results with severity breakdown

Infrastructure as Code Scanning

Scan your IaC files for misconfigurations before they reach production:

Upload IaC Files

Go to Security and select "IaC Scan". Upload your Terraform, CloudFormation, Dockerfile, or Kubernetes manifests.

Review Findings

Each finding shows the file path, line number, severity, and a specific resolution with remediation guidance.

What IaC Scanning Detects

Common findings include S3 buckets without encryption, security groups with overly permissive rules, containers running as root, missing resource limits in Kubernetes pods, and hardcoded secrets in configuration files.

Kubernetes Security Analysis

Upload your Kubernetes manifests to check against CIS Kubernetes Benchmarks, Pod Security Standards, network policy gaps, and RBAC configuration issues.

Security Notifications

Configure alerts for scan results through your existing notification channels:

Slack — Get instant alerts in your security channel
Email — Receive scan summaries with actionable details
Telegram / Discord / MS Teams — Use your team's preferred platform
PagerDuty — Trigger incidents for critical vulnerabilities

Severity Thresholds

Configure your notification rules to alert only above a specific severity threshold. This prevents alert fatigue while ensuring critical issues are never missed.

Private Container Registries

Connect your private container registries to scan images for vulnerabilities without exposing credentials or deploying additional agents. VersionOps stores credentials securely (AES-256 encryption) and applies them automatically during scans.

Adding Registry Credentials

Navigate to Registries

Go to Security → Registries tab and click "Add Registry".

Select Your Provider

Choose from the preset list: Docker Hub, AWS ECR, Google Artifact Registry, Azure ACR, GitHub GHCR, GitLab, Harbor, JFrog, or Custom. The preset auto-fills the registry URL and shows only the fields you need.

Enter Credentials

Fill in the required fields for your provider. For most registries, this is just a username and password or token. For cloud providers (AWS, GCP, Azure), enter your cloud credentials.

Test Connection

Click "Test Connection" to verify your credentials work. VersionOps authenticates against the registry's Docker V2 API.

Save and Scan

Save the registry, then add your private image references in Security → Container Images. VersionOps automatically matches image URLs to configured registries and applies credentials.

Add registry dialog with provider presets

Supported Registries

Registry	Auth Type	Setup Details
Docker Hub	Username + Password	Enter your Docker Hub credentials
AWS ECR	Access Key + Secret	VersionOps auto-refreshes temporary tokens (12h)
Google Artifact Registry	Service Account JSON	Upload your GCP service account key
Azure ACR	Service Principal	Enter tenant ID, client ID, and client secret
GitHub GHCR	Personal Access Token	Use a PAT with `read:packages` scope
GitLab Registry	Username + Token	Use a deploy token or personal access token
Harbor / JFrog / Nexus / Quay	Username + Password	Standard Docker V2 authentication
Any Docker V2 Registry	Username + Password or Token	Works with any Docker V2 compatible registry

Automatic Credential Resolution

When you scan a private image, VersionOps automatically finds the matching registry credentials based on the image URL. This works for both manual scans and scheduled auto-scans — no extra configuration needed.

Security

Encrypted at rest — All credentials use Fernet (AES-256) encryption
Masked in API responses — Raw credentials are never exposed in the UI or API
Full audit trail — Every create, update, delete, and connection test is logged
SSRF protection — Connection tests block requests to internal network addresses

Cloud Token Refresh

For AWS ECR, GCP, and Azure ACR, the access tokens are short-lived and expire regularly. VersionOps handles token refresh automatically — you provide your cloud credentials once, and VersionOps manages the lifecycle.

Version History

Track all software changes across your infrastructure with a complete audit trail.

Tracking Changes Over Time

The Version History page shows all version changes detected by VersionOps:

Timestamp - When the change was detected
Server - Which server had the change
Application - Software that was updated
Previous Version - Version before the change
New Version - Current installed version
Change Type - Upgrade, downgrade, or new installation

Version history timeline

Audit Trail

Use the version history for compliance and troubleshooting:

Compliance Reporting

Demonstrate when patches were applied for security audits

Incident Investigation

Correlate software changes with production issues

Change Tracking

Monitor which applications are being updated regularly

Export Options

Export version history data for external analysis or reporting:

CSV - Spreadsheet-compatible format
JSON - For programmatic processing
PDF Report - Formatted report for stakeholders

Date Range Filter

Use the date range filter to focus on specific time periods. This is especially useful for compliance audits that require documentation of changes within a specific timeframe.

Settings & Organization

Manage your profile, organization settings, team members, and billing information.

Profile Settings

Update your personal account settings in Settings → Profile:

Name - Your display name visible to team members
Email - Your login email address
Password - Change your account password
Timezone - For accurate timestamp display
Notification Preferences - Email digest settings

Organization Settings

Organization administrators can manage settings in Settings → Organization:

Organization Name - Update your organization's display name
Default Timezone - Timezone for reports and dashboards
Data Retention - How long to keep historical data
API Access - Enable or disable API access

Team Management

Manage team members and their access levels:

Role	Permissions
Owner	Full access including billing, can delete organization
Admin	Full access to settings, team management, and features
Member	View and manage hosts, applications, and notifications
Viewer	Read-only access to dashboards and reports

Billing

Manage your subscription and billing information in Settings → Billing:

Current Plan - View your active subscription tier
Usage - Monitor host count and feature usage
Payment Method - Update credit card or payment info
Invoices - Download past invoices for accounting
Upgrade/Downgrade - Change your subscription plan

Plan Limits

If you exceed your plan's server limit, new agents will not be able to register. Upgrade your plan to add more servers.

Billing and subscription page

Account & Privacy

Export your personal data, delete your account with a 30-day grace period, and cancel a scheduled deletion. Sole-member organizations and their subscriptions are handled automatically.

Read the full Account Management guide →

Ready to Get Started?

Create your free account and start monitoring your infrastructure today.

Get Started Free View Documentation