Re: BOSH Stemcells and vulnerability scanning

Daniel Jones

Just to chip in, we've helped folks consume updates for their CF
deployments that averaged out at a new *thing* (stemcell, release) every 4
days. Having your entire platform pipelined with something like Concourse
makes a massive difference - if you're not used to this pace of change and
are trying to do things manually, you'll never keep up. It shouldn't take
more than hours to get a new stemcell tested and into production.

Daniel Jones - CTO
+44 (0)79 8000 9153
@DanielJonesEB <>
*EngineerBetter* Ltd <> - UK Cloud Foundry

On 2 March 2017 at 06:02, James Bayer <jbayer(a)> wrote:

pivotal deploys updated stemcells regularly to PWS. high and critical CVEs
have a 48hr goal. we catch up on lows and mediums generally approximately
once per month.

On Wed, Mar 1, 2017 at 5:48 PM, Jonathan Stockley <jstockle(a)>

Hi, before deploying/upgrading a stemcell in production our security
group runs vulnerability scans on our staging deployments.
The problem is that by the time we get the stemcell into staging (about a
4-6 weeks), they have updated the vulnerability database and then there
scan find new issues.

How often are people upgrading stemcells in production?
How do you handle vulnerability scanning of BOSH deployed apps?
How about How do they address this?


Thank you,

James Bayer

Join to automatically receive all group messages.