
Changes in SCA Features from ProGet 2023 to 2024


The Inedo Team


ProGet 2024 introduces several noteworthy enhancements, especially for Basic or Enterprise users. One of the main areas of change is Software Composition Analysis (SCA). Basic users now get a more automated SCA experience, while Enterprise users unlock unlimited scanning and deeper customization. For organizations getting more serious about managing vulnerabilities and license risks, this release makes an even stronger case for Enterprise. 

Beyond SCA, ProGet 2024 brings meaningful updates across the board: improved vulnerability assessments, more reliable container scanning, refined compliance policies, and a stronger webhook system for notifications. There are also some changes to usage limits in the Basic edition which will be important to know, especially for teams with more complex workflows. 

In this article, we’ll walk through each of these changes in detail. You’ll get a breakdown of what’s new with vulnerability scanning, build and policy restrictions, compliance automation, container security, and licensing implications.  

Vulnerability Assessments

ProGet 2023 offered support for vulnerability assessments using a “Block Packages” option. This let users define a global assessment per vulnerability, but without the ability to scope it by project or policy. Teams that needed more control had to manually create vulnerability records and block specific packages. Scanning relied on PGVC (ProGet Vulnerability Catalog) and OSS Index to identify known CVEs.

With ProGet 2024, the Basic edition continues to support global vulnerability assessments — meaning each vulnerability can have only one assessment applied system-wide, without policy or project-level scoping. ProGet 2024 also introduces Policies and Compliance Rules as a more automated way to manage vulnerabilities. This simplifies configuration and brings greater consistency, especially for teams that want a straightforward way to enforce vulnerability policies. Severity settings remain globally applied in the Basic edition, so a vulnerability like PGV-ABC123 will be treated the same across all feeds. While this simplifies decision-making and ensures uniform enforcement, it doesn’t offer the per-feed granularity available in Enterprise.

Vulnerability scanning has also been upgraded. ProGet 2024 now uses Inedo Security Labs instead of OSS Index, delivering broader and more reliable detection out of the box. This improved scanning experience will particularly benefit Enterprise users, offering more flexibility for teams that need deeper control and customization. 

Software Composition Analysis (SCA) and Build Restrictions

In ProGet 2023, Software Composition Analysis (SCA) offered tools for tracking dependencies and licenses, with integration into CI/CD pipelines. The “Projects & Builds” preview feature let users connect feeds to specific policies, giving users a flexible way to organize software components within projects. 

ProGet 2024 builds on this with enhanced SCA capabilities, introducing Policies and Compliance Rules that help users better identify and track vulnerabilities and licenses. To keep things manageable for smaller teams or those just starting out, the Basic Edition now sets a limit of 1,000 active builds. Once this limit is reached, new builds will not be analyzed. During upgrade, some older builds may be archived to help reduce usage. For most users, this provides enough room to work efficiently. Teams with very high build volumes should consider the Enterprise Edition; otherwise they may need to adjust their workflows to stay within this limit.

Users now work with a global policy for projects, which offers a more centralized way to manage compliance. Enterprise Edition in ProGet 2024 offers unlimited active builds, letting users handle high-volume workflows without any restrictions. Enterprise retains the ability to link projects to specific feeds and policies, making it great for organizations that need advanced SCA tools and scalable, customizable project management for complex software portfolios. 

Package Compliance Policies

In ProGet 2023, the Basic edition supported both global and feed-specific compliance rules with no hard limits. This allowed teams to create highly customized policies, such as blocking packages based on CVSS scores for specific languages or ecosystems, and to automate workflows freely using any compliance-related API action, with no usage caps.

With ProGet 2024, the Basic edition introduces more structured limits to help streamline usage. Users can now define one global and one feed-specific policy, with up to three exceptions per policy. Any additional exceptions beyond that are ignored, which can limit complex compliance scenarios. That said, existing license and vulnerability rules will continue to work as long as they fit within these new limits.

Compliance API usage in Basic is now capped at ten actions per hour, affecting tasks like automated build promotion. For teams with lightweight automation needs, this should still offer enough flexibility. For those with high-volume or deeply integrated CI/CD pipelines, Enterprise offers unlimited compliance rules, exceptions, and API actions, making it a better fit for advanced or growing environments. 

Container Vulnerability Scanning 

ProGet 2023 integrated with Clair v2 for container vulnerability scanning. This setup allowed users to scan container image layers and view results directly in the Packages tab, providing a straightforward way to identify vulnerabilities. However, the integration came with challenges, including a complex setup process and occasional reliability issues due to bugs in Clair, which could limit its effectiveness for some users. 

ProGet 2024 brings a significant upgrade by replacing Clair with native container vulnerability scanning. This shift simplifies the setup process, making it easier for users to get started without wrestling with complicated configurations. The new scanning system, powered by Inedo Security Labs, is triggered automatically upon image upload or queued for larger images, delivering improved reliability and performance. For Enterprise Edition users, this native scanning capability scales seamlessly, supporting larger and more complex container workflows with the same enhanced performance and ease of use.

Notifications, Webhooks, and Email Notifications 

ProGet 2023 included email notifications for vulnerabilities as a preview feature, allowing users to stay informed about potential issues directly through their inbox. Additionally, webhooks were introduced as a preview in version 2023.29, offering a way to integrate with external systems, though they sometimes faced performance challenges that could affect reliability. 

ProGet 2024 shifts its focus to webhooks, with email notifications no longer available. While this change may affect users who depended on email alerts for vulnerability updates, the move to webhooks brings better reliability and new event triggers, such as “New Vulnerability Detected.” These enable more dynamic integrations with external tools and workflows, so users can stay informed and automate processes effectively.

For Enterprise Edition users, the enhanced webhook functionality is complemented by additional flexibility and scalability, making it ideal for organizations needing robust, customized notification systems to support complex operations. 

Licensing Implications for Basic Edition

ProGet 2023 offered users a flexible experience with minimal restrictions, providing full access to features like Software Composition Analysis (SCA), container vulnerability scanning, and notifications. Preview features, like Projects & Builds, were available without clearly defined limits, allowing users to explore a wide range of functionality to suit their needs. 

ProGet 2024 introduces new licensing restrictions for the Basic Edition to better align with its intended use for smaller teams or simpler workflows. These include a cap of 1,000 active builds, a limit of three rule exceptions, a maximum of ten API actions per hour, and the use of webhooks as the sole notification method, with email notifications removed. These changes may impact users with complex, build-heavy, or notification-dependent workflows, requiring them to streamline processes to stay within these boundaries.  

Existing configurations from 2023 are preserved, so current setups will continue to function, but new customizations are restricted under these limits. Users who find these constraints too restrictive can consolidate workflows or upgrade to the Enterprise Edition, which offers unlimited builds, unrestricted rule exceptions, higher API action limits, and more flexible notification options, making it better suited for organizations with more demanding or intricate software management needs.

Enhanced Security and Compliance with ProGet 2024

ProGet 2024 delivers a mix of enhancements and refinements that make it easier to manage open source risk, enforce security policies, and scale software governance. These provide a stronger foundation for securing your software supply chain. 

The new usage limits in ProGet 2024 help define its role for teams with simpler workflows. These changes support project management for smaller setups. Teams needing more capacity or customization can transition to Enterprise for unlimited builds, flexible policies, and enhanced scalability.

If you’re considering moving to Enterprise to take advantage of the benefits we covered in this article, take a look at our Enterprise Edition page to learn more about what it has on offer. For a deeper dive into what’s changed in this release, check out the full ProGet 2024 update notes.