Hi, before deploying/upgrading a stemcell in production our security group runs vulnerability scans on our staging deployments. The problem is that by the time we get the stemcell into staging (about a 4-6 weeks), they have updated the vulnerability database and then there scan find new issues.
How often are people upgrading stemcells in production? How do you handle vulnerability scanning of BOSH deployed apps? How about run.pivotal.io? How do they address this?
