Security Alerts in digest form

[begunfx]

I ran a security scan this morning. I ended up with like 40+ emails for each container security alert. My idea is to add an option to deliver the alerts as a digest when the scan completes so I only get one email with all the alerts vs each container. Not sure if it makes sense to have the option to select individual email alerts vs. digest OR just send a digest email with the results of the scan only. I'm thinking the latter. Thoughts?

[s-b-e-n-s-o-n]

Good request — this isn't currently possible. The existing digest mode (DD_TRIGGER_*_MODE=digest) batches container update notifications, but security scan alerts go through a separate path and don't respect that setting. 40+ emails from one scan run is exactly the kind of thing digest mode exists to solve.

Adding this to the roadmap as a standalone item — a "scan-complete digest" that emits one email summarizing all vulnerabilities found in a scan cycle, instead of one per container. The per-container alerts would stay opt-in for anyone who wants them.

Tracked for v1.6.0 under the Notifications & Release Intel phase.

[s-b-e-n-s-o-n]

Update: this actually shipped earlier than planned — pulled forward into v1.5.0-rc.10 (releasing shortly). Configure DD_TRIGGER_SMTP_{name}_SECURITYMODE=digest on your email trigger to get one summary per scan cycle instead of one per container. batch+digest is also supported if you want both per-container alerts and a cycle summary. Heads up: for scheduled scans (on-demand scans always emit), you will also need DD_SECURITY_SCAN_NOTIFICATIONS=true — that flag defaults off in rc.10 to preserve existing users’ behavior. Full details: Security Hardening Guide → Quiet scan notifications with digest mode.

[begunfx]

Just a quick clarification. Shouldn't DD_TRIGGER_SMTP_{name}_SECURITYMODE=digest be DD_NOTIFICATION_SMTP_{name}_SECURITYMODE=digest due to deprecation? Thanks!

[s-b-e-n-s-o-n]

Great catch — you're absolutely right, my bad for giving you the legacy form.

DD_TRIGGER_* was deprecated in v1.5.0 (scheduled for removal in v1.7.0) in favor of DD_ACTION_* / DD_NOTIFICATION_*. Since SMTP is a notification trigger, the canonical form is:

DD_NOTIFICATION_SMTP_{name}_SECURITYMODE=digest

DD_TRIGGER_SMTP_* still works as a compatibility alias until v1.7.0 so your existing config won't break, but new configs should use DD_NOTIFICATION_*. I've pushed a fix to the Security Hardening Guide and the rest of the current docs so the examples match the canonical prefix. Thanks for flagging it!