P Planekeeper Docs
Planekeeper is currently in alpha development. Features and APIs may change. Feedback is welcome! Request early access to get started.

What is Planekeeper?

What Planekeeper does, who it's for, and how it catches forgotten software and outdated software across your infrastructure.

Planekeeper is an automated version staleness detection system. It compares the software you have deployed against the latest upstream releases and tells you when you fall behind.

Every team eventually faces the same problem: you deploy a Helm chart, a container image, or a library, and months later you discover you are running a version with known vulnerabilities or missing critical features. Planekeeper catches that lag before it becomes a problem.

The problem

Forgotten software is invisible until it hurts. Consider a typical infrastructure team managing dozens of applications across multiple clusters:

  • Helm charts pinned to a version six months ago
  • Container images locked to a tag that stopped receiving patches
  • Configuration files referencing dependencies no one has checked since initial setup

Without active visibility, these versions silently fall behind. Security patches go unnoticed. Breaking changes stack up. When you finally upgrade, the gap is so large that the migration becomes a project in itself.

How Planekeeper solves it

Planekeeper automates the entire detection pipeline:

  1. Gather the latest upstream releases from sources like GitHub, Helm repositories, and OCI container registries
  2. Scrape your deployed versions from Git repositories by parsing configuration files
  3. Evaluate rules that measure how far behind you are (days, major versions, minor versions)
  4. Generate alerts with severity levels (moderate, high, critical) based on your thresholds
  5. Notify your team through webhooks to Slack, Discord, Microsoft Teams, PagerDuty, or any HTTP endpoint

Each stage runs on a schedule you control, and the entire system is event-driven: when a scrape discovers a new version, rules re-evaluate automatically and alerts update in place.

Key features

Automated version tracking. Define gather jobs that poll GitHub releases or Helm chart repositories on a cron schedule. Planekeeper stores every release it discovers, building a complete version history for each artifact.

Flexible version extraction. Scrape jobs clone your Git repositories and parse version strings from YAML, JSON, or any text file using YQ, JQ, or regex expressions. Support for private repositories via SSH keys and HTTPS tokens.

Configurable rules. Create rules that measure staleness in three ways: days behind the latest release, major versions behind, or minor versions behind. Each rule defines three severity thresholds (moderate, high, critical) so alerts escalate as lag increases.

Alert configs that tie it together. An alert config links a scrape job (your deployed version), a gather job (the latest upstream version), and a rule (how to measure). When a violation is detected, Planekeeper creates or updates a single alert for that config.

Multi-channel notifications. Route alert events to webhook endpoints with full customization. Use event-specific templates for Discord, Slack, Teams, or PagerDuty formatting. Notifications include one-click acknowledgment URLs.

Multi-tenant by design. Every resource belongs to an organization. A shared Global organization provides common release data that all tenants can reference. Scope filters let you view your organization’s resources, global resources, or both.

Distributed execution. Agents execute gather and scrape tasks. Deploy the server agent alongside your API server, or deploy client agents at remote sites. Agents poll for work, so no inbound firewall rules are needed at remote locations.

The pipeline at a glance

+-----------+     +-----------+     +-----------+     +-----------+     +-----------+
|  Gather   |     |  Scrape   |     |   Rules   |     |  Alerts   |     |  Notify   |
|           |     |           |     |           |     |           |     |           |
| "What's   |---->| "What do  |---->| "How far  |---->| "Create   |---->| "Tell the |
|  the      |     |  we have  |     |  behind   |     |  or       |     |  team"    |
|  latest?" |     |  deployed?"|    |  are we?" |     |  update"  |     |           |
+-----------+     +-----------+     +-----------+     +-----------+     +-----------+
  • Gather polls upstream sources on a schedule and stores every release it finds.
  • Scrape clones your repos and parses version strings from config files.
  • Rules compare the two and calculate a behind-by value with severity thresholds.
  • Alerts track the current state of each violation, updating in place as things change.
  • Notify delivers webhook notifications to your channels with retry logic and acknowledgment URLs.

Each stage triggers the next automatically. When a gather or scrape job completes, rules re-evaluate within seconds. When an alert is created or escalates, notifications fire immediately.

Who it’s for

  • DevOps teams tracking Helm chart versions across clusters
  • Platform engineers monitoring infrastructure dependencies
  • SREs enforcing version currency policies across services
  • Security teams ensuring timely adoption of patched releases

How Planekeeper compares

Unlike general-purpose dependency scanners, Planekeeper focuses specifically on version currency – how far behind you are from the latest release. It does not scan for CVEs directly. Instead, it gives you continuous visibility into how far behind you are so you can adopt patches and updates before they become a liability.

Planekeeper is also infrastructure-aware. It reads version information from your actual deployment repositories (Helm charts, Kubernetes manifests, Dockerfiles), not from a lockfile or package manager. This means it monitors what is actually deployed, not what a CI pipeline last built.

What’s next