Quor Changelog: Audit trail of CVEs, fixes, and digests

The request arrives with a simple audit question, usually linked to SOC 2 or PCI DSS: what changed, when did it change, and in which artifact.

Camila Bedretchuk, Head of Product

Responding consistently is not always simple in modern infrastructures. The difficulty lies not only in patching vulnerabilities (CVEs), but in correlating evidence across the history of changes.

When this correlation relies on manual steps, spreadsheets, and handovers between teams, the trail becomes slower to build and increases the risk of inconsistencies and operational errors.

It is exactly this friction that the Quor Changelog was created to reduce.

Quor Changelog

The Quor Changelog was designed to centralize the technical history of catalog images into a searchable view, focusing on events relevant to operation (digest), security (CVEs), and compliance routines (SLA).

Instead of manually rebuilding an image's timeline, the team consults in a single place the evolution of vulnerabilities, fixes, and digest publications, linked to the artifact and the corresponding version.

In day-to-day operations, this helps answer more clearly:

  • when a CVE was detected.

  • when a fix was applied.

  • which digest replaced the previous one.

  • whether the fix SLA was met.

Why this matters

-> Operational clarity (digest and version)
With frequent image rebuilds, accumulation of variants, and tag changes, a reference to a given image by tag alone can become ambiguous. The Changelog lets the team consult the history linked to the digest and the corresponding version, which identify the artifact unambiguously.

-> Evidence of remediation timeframe (SLA)
The Changelog records and displays when a CVE was detected and when the fix was applied, allowing the team to consult evidence of deadlines in audits and compliance routines, such as in PCI DSS scenarios.

-> Agility and provenance of information
The log is organized in the interface, reducing dependency on spreadsheets, ITSM, and manual correlation between teams. This reduces rework and improves trust in the source of information used in operation, security, and auditing.

How it works in Quor

The Changelog organizes this trail in three areas: analysis scope, event timeline, and link to the artifact and version.

1) Scope (Events + Period)

The first step in the Changelog is to define the scope of the analysis.

In Events, you choose the event type: All, Digest, or Vulnerability.
In Period, you select the query interval, from the current month up to the last 6 months.

2) Timeline (Vulnerabilities and fixes)

Here lies the evidence that usually ends up scattered across spreadsheets.

The tab organizes vulnerability detection and remediation events with temporal reference and technical details for auditing: severity, CVE identifier, affected package, and versions involved.

3) Artifact and version (Digest)

This is the record that eliminates ambiguity.

The tab records each published digest with date and time, allowing you to track exactly which version of the artifact was in production at any given moment. Each digest is immutable.
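The correlation the three areas above describe (which digest was current when a CVE was detected, which digest carried the fix, and whether the remediation deadline was met) can be expressed in a few lines. The following is an added example, not Quor's own code: it runs over constructed digest and vulnerability events for one image, and every digest, CVE identifier, package name and SLA value in it is a placeholder or an assumed policy.

```python
from datetime import datetime

# Constructed sample events for one catalog image (not Quor data). Digests,
# CVE ids and package names are placeholders; the fields mirror what the page
# lists: digest publications, and detection/fix events with severity, CVE, package and version.
EVENTS = [
    {"type": "digest", "time": "2024-03-01T09:00:00", "digest": "sha256:PLACEHOLDER_A", "version": "1.4.0"},
    {"type": "vulnerability", "time": "2024-03-03T10:15:00", "state": "detected",
     "cve": "CVE-0000-00001", "severity": "HIGH", "package": "libexample", "version": "1.0.0"},
    {"type": "digest", "time": "2024-03-05T14:30:00", "digest": "sha256:PLACEHOLDER_B", "version": "1.4.1"},
    {"type": "vulnerability", "time": "2024-03-05T14:30:00", "state": "fixed",
     "cve": "CVE-0000-00001", "package": "libexample", "version": "1.0.1"},
    {"type": "vulnerability", "time": "2024-03-20T08:00:00", "state": "detected",
     "cve": "CVE-0000-00002", "severity": "CRITICAL", "package": "libother", "version": "2.3.0"},
]

# Assumed remediation deadline in days per severity (illustrative policy, not a Quor setting).
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90}

def _sort_key(ev):
    # At the same instant a digest publication sorts before vulnerability events,
    # so a fix event sees the digest that shipped it as the current one.
    return (ev["time"], 0 if ev["type"] == "digest" else 1)

def build_trail(events, as_of, sla_days=SLA_DAYS):
    """Correlate CVE detection/fix events with the digest current at each moment.
    Returns {cve: record}; sla_met is True/False once fixed, and for open CVEs
    False if already overdue at `as_of`, else None (pending)."""
    current = None  # digest in production at the event being processed
    trail = {}
    for ev in sorted(events, key=_sort_key):
        if ev["type"] == "digest":
            current = ev["digest"]
            continue
        rec = trail.setdefault(ev["cve"], {"fixed_at": None, "digest_fixed_in": None})
        if ev["state"] == "detected":
            rec.update(detected_at=ev["time"], severity=ev["severity"],
                       package=ev["package"], digest_detected_in=current)
        elif ev["state"] == "fixed":
            rec.update(fixed_at=ev["time"], fixed_version=ev["version"], digest_fixed_in=current)
    for rec in trail.values():
        if "detected_at" not in rec:  # fix without a detection event: inconsistent input
            rec["sla_met"] = None
            continue
        end = rec["fixed_at"] or as_of
        elapsed = (datetime.fromisoformat(end) - datetime.fromisoformat(rec["detected_at"])).days
        limit = sla_days[rec["severity"]]
        rec.update(elapsed_days=elapsed, sla_days=limit)
        rec["sla_met"] = elapsed <= limit if rec["fixed_at"] else (False if elapsed > limit else None)
    return trail
```

Run `build_trail(EVENTS, as_of="2024-04-01T00:00:00")` to get one record per CVE; the first CVE is fixed in 2 days inside its assumed 30-day window, while the second is still open and already past its 7-day deadline.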

How to get started with the Changelog on Quor

To access the Changelog, the first step is to start using Quor in the trial. After creating an account, generating a token, and subscribing to an image, the Changelog tab becomes available on the image's page in the catalog.

For configuration and usage details, please refer to the Quor documentation.

Operating Kubernetes in production for more than 13 years. With Quor, this experience extends to software supply chain security as well.