Roadmap
This page lists features we're planning to build or are actively working on. It's meant to give you visibility into what's coming next.
For detailed release notes, see the Changelog.
Priorities may shift
This roadmap reflects our current plans, but timelines and priorities may change based on user feedback and other factors. If a feature here is important to you, let us know!
Recently Shipped
Features that have been completed and are available now.
| Feature | Category | Description |
|---|---|---|
| Maintenance mode & outage detection | Operations | Planned maintenance page, automatic outage detection, advance warning banners with scheduling, runtime toggle without restarts |
| Global pool contributions | Scrape & Gather | Suggest your gather and helm sync jobs for inclusion in the shared global pool via admin moderation |
| Incremental GitHub sync | Performance | GitHub gather jobs only fetch new releases after the first full sync, reducing API calls |
| Alerts page redesign | UI | Status filter (Active/Resolved), inline Resolve buttons, unified activity timeline on alert detail page |
| Multi-role member management | Access Control | Assign multiple roles per member with checkbox selection. Effective permissions are the union of all assigned roles |
| EOL product management | Scrape & Gather | Curated approval system for end-of-life product tracking with approve/deny workflow |
| Loading states on buttons | UI | Spinner and disabled state on all action buttons during form submission to prevent double-clicks |
| Bulk actions | UI | Select multiple items for bulk operations (delete, resolve) on jobs, channels, rules, and alerts pages |
| Dark mode | UI | Cookie-based dark/light/system theme toggle in the sidebar with full semantic color token support |
| Alpine.js component architecture | UI | 10+ Alpine.data components for toasts, counters, sidebar, org-switcher, keyboard shortcuts, and more |
| HTMX 2.0 upgrade | UI | Upgraded to HTMX 2.0.8 with eval-free configuration using delegated event listeners |
| Toast notification system | UI | Alpine-based toast for action feedback with auto-conversion of query param messages |
| Keyboard shortcuts | UI | ? help modal, / search focus, g+d/j/s/a/r for page navigation |
| Expandable detail rows | UI | Click-to-expand table rows with session persistence across page loads |
| Auto-refresh on live pages | UI | Configurable auto-refresh intervals for dashboard and job pages |
| CSP hardening | Security | Content Security Policy middleware with strict directives, HTMX eval disabled |
| Scope filter component | UI | Reusable All/Org/Global dropdown on list pages for filtering by data scope |
| Correct summary card counts | Bug Fix | Dashboard and job page totals now show accurate counts instead of being capped at page size |
| Permission enforcement on forms | Security | Create forms are hidden server-side when the user lacks permission, preventing URL-based bypass |
| Alert action audit trail | Alerts | Full audit trail of alert lifecycle events with actor, source, and unified activity timeline |
| IAM policy documents | Access Control | AWS IAM-style JSON policy documents for role management with wildcards, deny statements, and org-scoped ARNs |
| IAM-style permissions | Access Control | Fine-grained RBAC with 5 system roles (Owner, Administrator, Editor, Viewer, Operator), custom roles, and per-endpoint authorization |
| Job queued status & queue monitoring | Jobs, Dashboard | New queued status, 6-card dashboard, status filter dropdowns on all job pages |
| Manual scrape jobs | Scrape & Gather | Enter deployed versions directly without agents |
| Pre-seeded global gather jobs | Scrape & Gather | ~173 global jobs covering common infrastructure software for immediate upstream release data |
| Dead letter queue UI | Notifications | View and retry failed notification deliveries |
| Distroless runtime images | Infrastructure | All containers switched to distroless for zero OS-package CVEs |
| GitHub Actions CI | Infrastructure | Five parallel quality checks + Trivy container scanning on PRs |
| UTC timestamp standardization | Infrastructure | All timestamps stored as TIMESTAMPTZ with local timezone display in the browser |
Access Control & Teams
| Feature | Status | Description |
|---|---|---|
| Role-based access control | Shipped | Five system roles (Owner, Administrator, Editor, Viewer, Operator) with deny-wins policy evaluation |
| Fine-grained permissions | Shipped | Per-endpoint authorization with custom roles, policy documents, and member role assignment |
| Organization audit log | In Progress | Central audit log of entity state changes. Alert audit trail is shipped. Expansion to other entity types (rules, channels, jobs) is planned |
| User invitations | Planned | Invite team members to join your organization with role selection |
| Organization invitations & SSO | Backlogged | Org invitations plus optional SSO integration (OIDC/SAML) to streamline onboarding and access management |
| Per-org configuration export/import | Backlogged | Export an organization's configuration (jobs, rules, alert configs, channels) as YAML/JSON and import into another environment |
Notifications
| Feature | Status | Description |
|---|---|---|
| PagerDuty channel | Planned | Native PagerDuty integration for alert routing |
| Telegram channel | Planned | Send alerts to Telegram chats |
| SMTP / email channel | Planned | Email notifications for alerts |
| Notification channel health checks | Planned | Periodic synthetic notifications to each active channel, with automatic health status (healthy, degraded, failing) surfaced on a notifications dashboard |
| Channel-level rate limiting | Planned | Per-channel rate limiting and burst control to prevent overloading downstream services and to comply with provider limits (e.g., Slack, Teams, custom webhooks) |
| Notification routing policies | Backlogged | Rules-based routing that can direct alerts to different channels based on severity, organization, artifact tags, or time-of-day windows |
| Notification quiet hours | Planned | Time window configuration to suppress non-critical notifications during off-hours while still delivering critical alerts |
| Escalation chains | Planned | Multi-step escalation policies (e.g., notify channel A, then B, then PagerDuty) when alerts remain unacknowledged for a configurable duration |
| Combination alerts | Backlogged | Combine multiple related alerts into a single notification to reduce noise (e.g., "5 services are 2 major versions behind") |
| Multiple alert configs | Planned | Allow time and version alerts to be configured as a single alert with multiple conditions, reducing duplication and enabling more complex policies (e.g., alert if >180 days OR >2 major versions behind, or alert if >180 days behind AND >1 major version behind) |
Alerting & Rules
| Feature | Status | Description |
|---|---|---|
| CVE monitoring & vuln alerts | Backlogged | Track known vulnerabilities in monitored versions and surface CVEs alongside version staleness alerts |
| Reporting and analytics | Planned | Dashboard with metrics on alert counts, notification deliveries, etc. |
| Composite rules | Backlogged | Rules that combine multiple underlying rules (e.g., daysbehind AND majorsbehind) into a single policy with Boolean logic, reducing config duplication |
| Rule simulation / dry run | Backlogged | Simulate rule changes against historical data to preview how many alerts would have fired before enabling in production |
| Rule templates library | Backlogged | Curated library of common rules (e.g., "Quarterly patch policy", "Critical infra must be < 1 major behind") that can be cloned and customized |
| Per-artifact rule overrides | Backlogged | Allow specific artifacts to override global rule thresholds for exceptional cases, while keeping most artifacts on shared org-wide standards |
Scrape & Gather Jobs
| Feature | Status | Description |
|---|---|---|
| Template-based scrape configs | Planned | Reusable scrape job templates (for common repo layouts like Helm charts, Kustomize, Dockerfiles) that can be instantiated with minimal parameters |
| Discovery of new artifacts | Backlogged | Optional discovery mode that scans repos for version-like patterns and suggests new scrape jobs to create |
| Global job opt-in/opt-out | Backlogged | Per-organization controls to hide or show specific global gather jobs, reducing noise from pre-seeded upstream tracking that isn't relevant to your stack |
| Scrape job test harness | Planned | "Test scrape" mode that runs extractors against a chosen commit/path and shows parsed versions without saving results, to simplify parser debugging |
| OCI registry full tag sync | Planned | Remove the default 100-tag limit for OCI registries, fetch all available tags, and skip expensive per-tag manifest lookups for tags already stored |
| Global gather job coverage | Backlogged | Expand coverage for more popular projects and upstream sources |
| EOL version support | Backlogged | Better tracking of end-of-life releases through additional data sources and user-contributed data |
| Application ownership & tagging | Backlogged | Allow users to tag scrape jobs and releases with ownership/team information to enable team-level reporting and alert routing |
Version Currency & Analytics
| Feature | Status | Description |
|---|---|---|
| Version currency dashboards | Backlogged | High-level dashboards summarizing percentage of artifacts within policy, average days behind, and majors/minors behind by team or tag |
| SLO-style compliance tracking | Backlogged | Define SLOs for version freshness (e.g., 95% of services < 180 days behind) and track compliance over time |
| Exportable reports | Backlogged | Scheduled CSV/JSON exports or emailed reports summarizing alert volume, notification outcomes, and rule violations over a period |
Agent Logging & Observability
| Feature | Status | Description |
|---|---|---|
| Agent error tracing in UI | Planned | Store agent execution logs in database and display in Admin UI, searchable by organization |
| 24h configurable log retention | Planned | Default 24h retention per agent, configurable per organization (1h to 7d) |
| Structured database logging | Planned | Update logging interface to write structured logs (JSON) to PostgreSQL with agent ID, org ID, timestamp, level |
| Log aggregation dashboard | Planned | Organization-level dashboard showing recent agent logs across all agents, with filtering by agent/job/error type |
| Log forwarding to external systems | Backlogged | Optional forwarding of agent logs to external systems (Loki, Splunk, ELK, Datadog) for advanced observability |
Automation & Extensibility
| Feature | Status | Description |
|---|---|---|
| Automatic PR generation for scrape job updates | Backlogged | Opens a PR or branch with updated version information, allowing CI/CD to evaluate any problems while your team reviews release notes |
UI Enhancements
| Feature | Status | Description |
|---|---|---|
| Table column sorting | Backlogged | Click column headers to sort tables by any column |
| Accessibility audit (WCAG) | Backlogged | Comprehensive WCAG 2.1 AA audit including keyboard navigation, screen reader support, and ARIA attributes |
| Breadcrumb navigation | Backlogged | Hierarchical breadcrumbs for detail pages to improve wayfinding |
| On-demand data export | Backlogged | Export current table view as CSV or JSON for ad-hoc reporting |
Miscellaneous
| Feature | Status | Description |
|---|---|---|
| Self-hosted agent auto-updates | Backlogged | Automatic update mechanism for self-hosted agents to pull latest version without manual intervention |
| Improved onboarding experience | Planned | Guided setup wizards and tutorials for new users |