Security is our middle name. Even though Zenable was not affected by any of the recent supply chain attacks (axios, litellm, trivy, kics), we decided it would still be smart to run yet another dedicated security sprint.
We've been automatically updating and hash-pinning all of our dependencies for the past two years, covering not just software packages but also base images, parent images, and infrastructure components. This keeps us current and reproducible, and it eliminates maintenance drift. But "current" isn't enough if a compromised release lands in the first few hours.
Now we've added a variable cooldown period to all dependency updates. New releases aren't consumed immediately. They sit in a holding window that gives the security community time to detect compromises before we pull them in. If a critical vulnerability is discovered, we skip the cooldown and patch immediately. Otherwise, updates flow through on an intentionally delayed but stable cadence, always applied within 14 days and usually much sooner.
We also added release verification that confirms tag-to-commit integrity against the expected upstream repository. This matters because it's exactly how the trivy attack worked: even if you hash-pin something like aquasecurity/trivy@abcdef, GitHub may resolve a commit SHA from elsewhere in the same fork network, so there's no guarantee that abcdef is actually reachable from the upstream trivy repo. This is particularly an issue with GitHub repositories that have forks, which is how GitHub is designed, and it means most open source software is affected. Now, our system verifies this for every automatic update.
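The reachability check described above, as an added illustration that is not Zenable's own tooling: it resolves a tag through the upstream remote, then tests whether a pinned SHA is an ancestor of a branch or tag that upstream itself publishes, using a constructed upstream/fork pair. It assumes git is installed; the function and fixture names are hypothetical.

```shell
#!/bin/sh
# Added example (not Zenable's code): verify that a pinned commit SHA is reachable
# from the expected upstream repository's own refs, not merely present somewhere
# in its fork network. Assumes git is installed.
set -eu

# resolve_tag <upstream> <tag>: the commit SHA the upstream remote reports for <tag>.
resolve_tag() {
  git ls-remote "$1" "refs/tags/$2" | cut -f1 | head -n 1
}

# verify_pinned_sha <upstream> <sha>: exit 0 only if <sha> is an ancestor of a
# branch or tag upstream publishes. A commit that exists only in a fork is not
# fetched by a bare clone of upstream, so the ancestor test fails for it.
verify_pinned_sha() {
  _tmp="$(mktemp -d)"
  git clone --quiet --bare "$1" "$_tmp/upstream.git"
  _ok=1
  for _ref in $(git -C "$_tmp/upstream.git" for-each-ref --format='%(refname)' refs/heads refs/tags); do
    if git -C "$_tmp/upstream.git" merge-base --is-ancestor "$2" "$_ref" 2>/dev/null; then
      _ok=0
      break
    fi
  done
  rm -rf "$_tmp"
  return $_ok
}

# Constructed fixture (hypothetical): an "upstream" repo with a tagged release and a
# "fork" carrying one extra commit that upstream never published. Prints the fork-only SHA.
make_fixture() {
  _up="$1/upstream"
  _fk="$1/fork"
  git init --quiet "$_up"
  echo "release 1.0.0" > "$_up/README"
  git -C "$_up" add README
  git -C "$_up" -c user.name=t -c user.email=t@example.invalid commit --quiet -m "release 1.0.0"
  git -C "$_up" tag v1.0.0
  git clone --quiet "$_up" "$_fk"
  echo "change that only exists in the fork" > "$_fk/README"
  git -C "$_fk" -c user.name=t -c user.email=t@example.invalid commit --quiet -am "fork-only commit"
  git -C "$_fk" rev-parse HEAD
}
```

A SHA that fails `verify_pinned_sha` should block the automatic update even if it is a valid commit in the fork network.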