Alert rules and events
A "rule" is the pairing of a channel with an event. A channel that subscribes to critical_cve will receive every critical_cve event the platform emits. Severity, digest mode, and any provider-specific filtering happen on top of that subscription.
Event catalog
| Event | Typical severity | Description |
|---|---|---|
| critical_cve | CRITICAL | A new CVE with severity Critical was detected on a scanned image. Fires once per (image, CVE) pair. |
| high_cve | HIGH | A new High-severity CVE was detected. Same dedupe semantics as above. |
| sla_breach | HIGH | An open vulnerability passed its SLA deadline. Fires once when the deadline elapses. |
| scan_complete | INFO | A scan finished. Useful for low-traffic CI dashboards; noisy at scale. |
| scan_failed | HIGH | A scan errored (registry auth failure, sensor crash, image too large, etc.). |
| agent_disconnected | HIGH | A sensor stopped heartbeating. Fires after the configured grace window. |
| coverage_gap | MEDIUM | An image has no scan within the freshness window. |
| exception_expiring | MEDIUM | A risk-accepted exception is approaching its expiration date. |
| regression | HIGH | A previously fixed CVE re-appeared on the same image. |
| new_image | INFO | A new tag was discovered in a watched registry. |
| cve_watch_new | varies | A CVE on your CVE Watch list was added to NVD or another upstream feed. Severity is the CVE's own severity. |
| cve_watch_kev | CRITICAL | A CVE you are tracking was added to the CISA Known Exploited Vulnerabilities catalog. |
Severity in this table is the typical level — the exact severity is set per-event by the producer and may vary (e.g. cve_watch_new reflects the upstream CVE's severity).
Digest modes
Each channel-event subscription sets a digest mode:
- Realtime — deliver as the event happens.
- Daily — batch into a single message at the channel's daily summary time.
- Weekly — batch into a Monday-morning summary.
Digest batches are rendered as a table or attachment list, never a wall of pings.
Routing recipes
Three patterns cover the majority of teams. Pick whichever shape matches your on-call posture.
Recipe 1 — Page on critical, slack the rest
For teams with a real on-call rotation. Pages must be load-bearing.
| Channel | Type | Subscribed events | Mode |
|---|---|---|---|
| pd-security-oncall | PagerDuty | critical_cve, cve_watch_kev, regression | realtime |
| slack-security | Slack | high_cve, sla_breach, scan_failed, agent_disconnected | realtime |
| slack-platform | Slack | coverage_gap, exception_expiring, new_image | daily |
Recipe 2 — Slack-only, severity-graded
For teams without 24/7 on-call. Everyone watches #security-alerts; broader hygiene goes to a quieter channel.
| Channel | Type | Subscribed events | Mode |
|---|---|---|---|
| slack-security-alerts | Slack | critical_cve, high_cve, sla_breach, cve_watch_kev, regression, scan_failed | realtime |
| slack-security-hygiene | Slack | coverage_gap, exception_expiring, agent_disconnected, new_image, scan_complete, cve_watch_new | daily |
Recipe 3 — Webhook to a SIEM, email digest to compliance
For regulated workloads where every event must land in a SIEM and compliance wants a weekly rollup.
| Channel | Type | Subscribed events | Mode |
|---|---|---|---|
| webhook-siem | Webhook | all 12 events | realtime |
| email-compliance | Email | sla_breach, exception_expiring, cve_watch_kev, regression | weekly |
| pd-prod-criticals | PagerDuty | critical_cve, cve_watch_kev (filtered to production registries) | realtime |
Event filtering
In addition to event type, channels can be scoped to specific registries or images so a CI registry's noise does not page your production on-call. Configure scope in Settings -> Notifications -> [channel] -> Scope.
PagerDuty channels automatically drop events below HIGH severity even when subscribed to noisier events like scan_complete. This is intentional — pages must be actionable.
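The following script is an added example, not part of this documentation or the platform's code. It models the rule semantics described on this page end to end: a rule as the pairing of a channel with an event kind, the per-event severity set by the producer, the digest mode recorded per subscription, registry scope applied on top, and the PagerDuty floor that drops anything below HIGH. The channel names and subscriptions are Recipe 1; the registry prefixes, image names and CVE ids are constructed placeholders, and the production-only scope on pd-security-oncall is an assumption added to show scoping (the same pattern Recipe 3 uses for pd-prod-criticals).

```python
"""Toy alert router modelling the page's rule, scope, digest and pager-floor semantics."""
from collections import defaultdict
from dataclasses import dataclass

# Rank used to compare severities; the producer sets the level per event.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
PAGER_FLOOR = SEVERITY_RANK["HIGH"]  # PagerDuty channels never receive anything lower


@dataclass(frozen=True)
class Event:
    kind: str      # catalog event name, e.g. "critical_cve"
    severity: str  # set per event by the producer, may differ from the typical level
    image: str     # "registry/repo:tag"
    detail: str = ""


@dataclass
class Channel:
    name: str
    ctype: str           # "PagerDuty", "Slack", "Webhook" or "Email"
    rules: dict          # event kind -> digest mode ("realtime", "daily", "weekly")
    scope: tuple = ()    # registry prefixes this channel is limited to; empty means all


def subscribed(channel: Channel, event: Event) -> bool:
    """A rule is the pairing of a channel with an event kind."""
    return event.kind in channel.rules


def in_scope(channel: Channel, event: Event) -> bool:
    """Scope filtering sits on top of the subscription (Settings -> Notifications -> Scope)."""
    return not channel.scope or any(event.image.startswith(p) for p in channel.scope)


def passes_pager_floor(channel: Channel, event: Event) -> bool:
    """PagerDuty channels drop events below HIGH even when subscribed to them."""
    if channel.ctype != "PagerDuty":
        return True
    return SEVERITY_RANK[event.severity] >= PAGER_FLOOR


def route(channels, events):
    """Return {(channel name, digest mode): [events]}.

    Realtime lists are delivered as they arrive; daily/weekly lists are held
    for the channel's summary and rendered with render_digest()."""
    out = defaultdict(list)
    for ev in events:
        for ch in channels:
            if subscribed(ch, ev) and in_scope(ch, ev) and passes_pager_floor(ch, ev):
                out[(ch.name, ch.rules[ev.kind])].append(ev)
    return dict(out)


def render_digest(events) -> str:
    """Digest batches are rendered as one table, never a wall of pings."""
    rows = ["| Event | Severity | Image |", "|---|---|---|"]
    rows += [f"| {e.kind} | {e.severity} | {e.image} |" for e in events]
    return "\n".join(rows)


# Recipe 1 from the page. The scope on the pager is an assumption for illustration.
RECIPE_1 = [
    Channel("pd-security-oncall", "PagerDuty",
            {k: "realtime" for k in ("critical_cve", "cve_watch_kev", "regression")},
            scope=("prod.registry.example/",)),
    Channel("slack-security", "Slack",
            {k: "realtime" for k in ("high_cve", "sla_breach", "scan_failed", "agent_disconnected")}),
    Channel("slack-platform", "Slack",
            {k: "daily" for k in ("coverage_gap", "exception_expiring", "new_image")}),
]

# Constructed sample events; registries, images and CVE ids are placeholders.
SAMPLE_EVENTS = [
    Event("critical_cve", "CRITICAL", "prod.registry.example/api:1.4.2", "CVE-PLACEHOLDER-1"),
    Event("critical_cve", "CRITICAL", "ci.registry.example/api:pr-812", "CVE-PLACEHOLDER-1"),
    Event("high_cve", "HIGH", "prod.registry.example/web:2.0.0", "CVE-PLACEHOLDER-2"),
    Event("new_image", "INFO", "prod.registry.example/web:2.0.1"),
    Event("coverage_gap", "MEDIUM", "prod.registry.example/legacy:0.9"),
    Event("scan_complete", "INFO", "ci.registry.example/api:pr-812"),
]


def demo():
    """Route the sample events through Recipe 1."""
    return route(RECIPE_1, SAMPLE_EVENTS)


def pager_floor_demo():
    """A hypothetical pager subscribed to scan_complete still never receives the INFO event."""
    noisy = Channel("pd-everything", "PagerDuty",
                    {"scan_complete": "realtime", "critical_cve": "realtime"})
    return [e.kind for e in route([noisy], SAMPLE_EVENTS).get(("pd-everything", "realtime"), [])]


if __name__ == "__main__":
    routed = demo()
    for (name, mode), evs in routed.items():
        print(f"{name} [{mode}]: {[e.kind for e in evs]}")
    print(render_digest(routed[("slack-platform", "daily")]))
    print("pager floor:", pager_floor_demo())
```

Running it shows the CI-registry critical_cve is never paged because it falls outside the pager's scope, the two hygiene events land in one daily table for slack-platform, and scan_complete reaches nobody under Recipe 1; the hypothetical pager in pager_floor_demo receives only the two criticals even though it subscribed to scan_complete.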