Image Vulnerability Scanning Cadence
Container images age. The scanning cadence and remediation policy that catch CVEs before they ship, and the ones disclosed after.
Scan cadence
Container image vulnerability scanning has two dimensions: scanning during build (catch issues before deploy) and scanning images that are already running, on a continuous cadence (catch CVEs disclosed after deploy). Both are necessary. A re-scan does not need a rebuild; it re-evaluates the image's package inventory against an updated vulnerability database, so the same image can be clean today and fail tomorrow. The cadence is what makes scanning produce ongoing security value rather than point-in-time snapshots.
What good cadence looks like:
- Every image build: The CI pipeline scans every image as it is built. Findings at or above the policy threshold fail the build, so the image never becomes a deployable artifact. The build is the cheapest place to fix; the cadence ensures no image is skipped.
- Pre-deploy gate: Immediately before a production deploy, the image is re-checked against current vulnerability data. CVEs disclosed since the build are caught. Gate on the image digest rather than a tag, so the artifact that was evaluated is the artifact that ships.
- Daily re-scan of running images: Images already in production are re-scanned every day, after the vulnerability database has been refreshed; a re-scan against stale data finds nothing new. CVEs disclosed today appear in tomorrow's results. The cadence catches the gradual accumulation of vulnerabilities in a running fleet.
- New CVEs apply to existing images: A vulnerability disclosed today can affect an image built months ago whose build-time scan was clean. Without continuous re-scanning, the team would not know. The daily re-scan closes that gap.
- Trigger-based scans: Major events (a new CVE in a widely used library, a vendor security advisory) trigger an ad-hoc scan of the whole fleet. The team does not wait for the next daily run; urgent issues get urgent attention.
The cadence is the foundation. A scanning program with one of these dimensions but not the others has gaps; the gaps become incidents.
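The build-time and pre-deploy gates described above, as an added example that is not the page's or Nova AI Ops' code. It evaluates scanner-neutral finding records (the reports below are constructed, with placeholder CVE IDs) against a severity threshold, refuses to gate a mutable tag so the decision is tied to the exact digest that was scanned, and shows the same image passing the build-time check and then failing the pre-deploy re-check once a newly disclosed finding appears in the data:

```python
"""Build-time and pre-deploy gate over scanner findings.
Added example, not the page's or Nova AI Ops' code. Findings are scanner-neutral dicts;
the reports below are constructed, with placeholder CVE IDs (not real vulnerabilities).
"""
import re
from dataclasses import dataclass, field

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


@dataclass
class GatePolicy:
    fail_at: str = "HIGH"        # lowest severity that blocks
    fixable_only: bool = True    # block only when the scanner reports a fixed version
    allowlist: set = field(default_factory=set)   # CVE IDs covered by an accepted-risk ticket


@dataclass
class GateResult:
    passed: bool
    blocking: list               # the findings that caused a failure
    reason: str


def evaluate_gate(image_ref: str, findings: list, policy: GatePolicy) -> GateResult:
    # A tag can be re-pointed after the scan; only a digest ties the decision to the bytes scanned.
    if not DIGEST_RE.search(image_ref):
        return GateResult(False, [], f"refusing to gate mutable reference {image_ref!r}")
    threshold = SEVERITY_RANK[policy.fail_at]
    blocking = []
    for f in findings:
        if SEVERITY_RANK.get(f.get("severity", "UNKNOWN").upper(), 0) < threshold:
            continue
        if f["cve"] in policy.allowlist:
            continue
        if policy.fixable_only and not f.get("fixed"):
            continue        # nothing to upgrade to yet: still tracked, but not a build failure
        blocking.append(f)
    if blocking:
        ids = ", ".join(sorted(f["cve"] for f in blocking))
        return GateResult(False, blocking, f"{len(blocking)} finding(s) at or above {policy.fail_at}: {ids}")
    return GateResult(True, [], "no blocking findings")


# Constructed scenario: the same digest scanned at build time, then again at deploy time
# against a newer vulnerability database in which a critical CVE has appeared.
IMAGE = "registry.example.internal/payments/api@sha256:" + "a" * 64
BUILD_TIME_REPORT = [
    {"cve": "CVE-0000-0001", "package": "libfoo", "installed": "1.2.3", "fixed": None, "severity": "HIGH"},
    {"cve": "CVE-0000-0002", "package": "libbar", "installed": "2.0.0", "fixed": "2.0.1", "severity": "MEDIUM"},
]
DEPLOY_TIME_REPORT = BUILD_TIME_REPORT + [
    {"cve": "CVE-0000-0003", "package": "libqux", "installed": "3.0.0", "fixed": "3.0.1", "severity": "CRITICAL"},
]


if __name__ == "__main__":
    policy = GatePolicy()
    for label, report in (("build", BUILD_TIME_REPORT), ("deploy", DEPLOY_TIME_REPORT)):
        r = evaluate_gate(IMAGE, report, policy)
        print(f"{label}: {'PASS' if r.passed else 'FAIL'} ({r.reason})")
    print(evaluate_gate("registry.example.internal/payments/api:latest", DEPLOY_TIME_REPORT, policy).reason)
```

The `fixable_only` default mirrors what most pipelines do in practice: an unfixed high does not block the build because there is nothing to upgrade to, but it must still land in the tracking layer, otherwise the gate silently hides it. The allowlist is the escape hatch for accepted risk and should reference a ticket, not live as a bare list in CI.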
Remediation policy
Detection without remediation is wasted work. The remediation policy specifies how fast each severity tier must be addressed. The policy is a contract between security and engineering: bounded, because every finding gets a deadline, and defensible, because the deadlines can be explained to auditors and customers.
- Critical CVEs (7-day remediation window): Critical vulnerabilities are remediated within 7 days. The window covers analysis, patch, test and deploy. Severity alone does not say whether an exploit is in the wild; when a critical CVE is known to be exploited, shorten the window rather than using the full seven days.
- High CVEs (30-day window): High-severity vulnerabilities are remediated within 30 days. The window allows for more deliberate testing and rollout. A 30-day target for high severity is widely used across industry.
- Medium and below (best-effort with quarterly cleanup): Medium and lower severities are addressed in regular cycles, with a quarterly sweep for accumulated medium-tier findings. The pace matches the risk, with one exception: a medium finding with a public exploit, or in an internet-facing service, is escalated to the high tier.
- SLAs are documented: The remediation SLA is published. Auditors, customers and the board all see the same numbers. The SLA is reviewed annually and tightened as the program matures.
- Tracked through completion: Each finding is tracked from discovery through triage to remediation. The SLA clock starts at first detection and is not reset when a daily re-scan observes the same finding again. Mean time to remediation, measured over closed findings, is the metric that shows whether the program is improving.
The remediation policy is what turns scan results into security outcomes. Without it, scan results accumulate without action.
Track
Tracking is the visibility layer. The team knows which images have which CVEs, which are overdue for remediation, which teams own which images. The visibility supports both day-to-day operations and program-level review.
- Per-image: list of open CVEs and their ages: Each image has an associated CVE list. The age of each CVE relative to its severity SLA is visible. Overdue CVEs surface as red on the dashboard; on-track CVEs are green.
- Aging surfaces overdue items: The age dimension is what catches stalled remediation. CVEs that pass their SLA windows are escalated; the team reviews why and addresses them.
- Aggregate by team: The dashboard groups findings by team. Each team sees their own backlog; security operations sees the cross-team picture. The aggregation drives accountability at the team level.
- Which teams have remediation backlogs? Teams with consistent backlogs need attention. The cause might be capacity; might be tooling; might be process. The visibility supports the conversation about what to fix.
- Trend over time: The total CVE count, the count by severity, the mean time to remediation all trend over time. Improving trends mean the program is working; deteriorating trends warrant investigation.
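One way to implement the remediation policy and the tracking layer above as code, covering both sections (added example, not the page's or Nova AI Ops' code). The scan observations, image names, team names and dates are constructed; the SLA windows are the page's, with the quarterly tier taken as 90 days. What it shows beyond the text: the ledger is keyed so that a daily re-scan which re-observes a finding keeps the original first-seen date instead of resetting the SLA clock, while a finding absent from a later scan of the same repository is closed and feeds the mean-time-to-remediation figure:

```python
"""Finding ledger with SLA aging, per-team backlog and mean time to remediation.
Added example, not the page's or Nova AI Ops' code; observations, image names, teams
and dates are constructed. SLA windows are the page's: 7 / 30 / quarterly (90 here).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 90}


@dataclass
class Finding:
    repo: str            # keyed by repository, not digest, so a rebuilt image can close it
    cve: str
    package: str
    severity: str
    team: str
    first_seen: date     # SLA clock starts here and is never reset by a later re-scan
    last_seen: date
    fixed_on: Optional[date] = None

    @property
    def due(self) -> date:
        return self.first_seen + timedelta(days=SLA_DAYS[self.severity])

    def age_days(self, today: date) -> int:
        return ((self.fixed_on or today) - self.first_seen).days

    def is_overdue(self, today: date) -> bool:
        return self.fixed_on is None and today > self.due


class Ledger:
    def __init__(self) -> None:
        self.findings: dict = {}  # (repo, cve, package) -> Finding

    def ingest(self, scan_date: date, repo: str, team: str, observations: list) -> None:
        """Record one scan of one image; observations are the scanner's current findings."""
        seen = set()
        for o in observations:
            key = (repo, o["cve"], o["package"])
            seen.add(key)
            f = self.findings.get(key)
            if f is None:
                self.findings[key] = Finding(repo, o["cve"], o["package"], o["severity"],
                                             team, scan_date, scan_date)
            else:                 # re-observed: bump last_seen only, first_seen stays
                f.last_seen = scan_date
        # An open finding on this repository that the scan no longer reports is closed.
        for key, f in self.findings.items():
            if f.repo == repo and f.fixed_on is None and key not in seen:
                f.fixed_on = scan_date

    def per_image(self, today: date) -> dict:
        # repo -> [(cve, severity, age_days, "OVERDUE" | "on-track")] for open findings
        out = defaultdict(list)
        for f in self.findings.values():
            if f.fixed_on is None:
                out[f.repo].append((f.cve, f.severity, f.age_days(today),
                                    "OVERDUE" if f.is_overdue(today) else "on-track"))
        return dict(out)

    def backlog_by_team(self, today: date) -> dict:
        # team -> {"open": n, "overdue": m}: the cross-team view security operations reviews
        out = defaultdict(lambda: {"open": 0, "overdue": 0})
        for f in self.findings.values():
            entry = out[f.team]
            if f.fixed_on is None:
                entry["open"] += 1
                entry["overdue"] += int(f.is_overdue(today))
        return dict(out)

    def mttr_days(self, severity: Optional[str] = None) -> Optional[float]:
        # mean days from first detection to closure over remediated findings (None if none)
        closed = [f for f in self.findings.values()
                  if f.fixed_on is not None and (severity is None or f.severity == severity)]
        return sum((f.fixed_on - f.first_seen).days for f in closed) / len(closed) if closed else None


# Constructed scenario with placeholder CVE IDs (not real vulnerabilities).
D0 = date(2024, 1, 1)
TODAY = D0 + timedelta(days=10)
API, WORKER = "registry.example.internal/payments/api", "registry.example.internal/billing/worker"
API_FINDINGS = [{"cve": "CVE-0000-0001", "package": "libfoo", "severity": "CRITICAL"},
                {"cve": "CVE-0000-0002", "package": "libbar", "severity": "MEDIUM"}]
WORKER_FINDINGS = [{"cve": "CVE-0000-0003", "package": "libbaz", "severity": "HIGH"}]


def build_sample_ledger() -> Ledger:
    """Day 0 build scans, day 3 and day 10 re-scans; billing shipped a fixed rebuild on day 3."""
    ledger = Ledger()
    ledger.ingest(D0, API, "payments", API_FINDINGS)
    ledger.ingest(D0, WORKER, "billing", WORKER_FINDINGS)
    ledger.ingest(D0 + timedelta(days=3), API, "payments", API_FINDINGS)   # same CVEs again
    ledger.ingest(D0 + timedelta(days=3), WORKER, "billing", [])           # fix landed
    ledger.ingest(TODAY, API, "payments", API_FINDINGS)   # critical now past its 7-day window
    return ledger


if __name__ == "__main__":
    led = build_sample_ledger()
    print(led.per_image(TODAY))
    print(led.backlog_by_team(TODAY))
    print("MTTR for HIGH:", led.mttr_days("HIGH"))
```

Storing the `backlog_by_team` snapshot once per day gives the trend line the last bullet asks for without any extra bookkeeping. The closure rule (absent from the latest scan of the same repository means fixed) is deliberately simple; a scanner outage that returns an empty report would close everything, so in a real deployment an empty or failed scan should be rejected before it reaches `ingest`.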
Image vulnerability scanning cadence is one of the highest-leverage security disciplines for container-based environments. Nova AI Ops integrates with image registries and scanners, surfaces overdue findings, attributes them to teams, and produces the per-team remediation queue that drives action.