Re: BOSH Stemcells and vulnerability scanning

James Bayer

pivotal deploys updated stemcells regularly to PWS. high and critical CVEs
have a 48hr goal. we catch up on lows and mediums generally approximately
once per month.

On Wed, Mar 1, 2017 at 5:48 PM, Jonathan Stockley <jstockle(a)>

Hi, before deploying/upgrading a stemcell in production our security group
runs vulnerability scans on our staging deployments.
The problem is that by the time we get the stemcell into staging (about a
4-6 weeks), they have updated the vulnerability database and then there
scan find new issues.

How often are people upgrading stemcells in production?
How do you handle vulnerability scanning of BOSH deployed apps?
How about How do they address this?


Thank you,

James Bayer

Join { to automatically receive all group messages.