Vulnerability update cadence
How often Sekrd's detection layer refreshes, and the mechanism behind each channel. This page exists because every enterprise RFP asks how fresh your scanner's intelligence is — and we wanted one authoritative answer instead of five slightly different ones across docs, sales decks, and audits.
Bottom line
Our worst-case staleness on any detection channel is 7 days. Most channels update continuously or within hours. The CVE-dependency channel is real-time — every single scan queries OSV directly, not a cached snapshot.
Known-CVE dependency checks (OSV)
Cadence
Real-time per scan
Every scan queries api.osv.dev/v1/querybatch for the versions of the JavaScript / Python / Go / Ruby packages discovered in the target's bundle. OSV ingests from NVD, GitHub Advisory Database, PyPI Safety DB, Go vuln DB, and language-specific feeds and updates continuously.
Evidence
internal/provider/deps/scanner.go — osvQueryBatchURL
Max staleness
Zero. No cache. If OSV published a CVE 30 seconds ago, the next scan catches it.
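To make the real-time channel concrete, here is an added example (not Sekrd's scanner code, which only the evidence line above names) of the request and response handling a per-scan OSV lookup needs. It assumes OSV's public v1 querybatch wire format: a `queries` array of package/ecosystem/version triples, and a positional `results` array whose entries carry `vulns` and, when a result is truncated, a `next_page_token`. The ecosystem names, the sample packages and the advisory ID `CVE-0000-0001` in the embedded reply are constructed placeholders.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// Endpoint named on the page; the constant name mirrors the page's evidence
// line, but this file is an added example, not the project's scanner.
const osvQueryBatchURL = "https://api.osv.dev/v1/querybatch"

// Package is one discovered dependency. Ecosystem uses OSV's names
// ("npm", "PyPI", "Go", "RubyGems").
type Package struct {
	Name, Ecosystem, Version string
}

// Key renders a package as "ecosystem/name@version" for result maps.
func (p Package) Key() string { return fmt.Sprintf("%s/%s@%s", p.Ecosystem, p.Name, p.Version) }

// Wire types for the OSV v1 querybatch request and response.
type osvPackage struct {
	Name      string `json:"name"`
	Ecosystem string `json:"ecosystem"`
}
type osvQuery struct {
	Package osvPackage `json:"package"`
	Version string     `json:"version"`
}
type osvBatchRequest struct {
	Queries []osvQuery `json:"queries"`
}
type osvVuln struct {
	ID       string `json:"id"`
	Modified string `json:"modified"`
}
type osvBatchResult struct {
	Vulns         []osvVuln `json:"vulns"`
	NextPageToken string    `json:"next_page_token,omitempty"`
}
type osvBatchResponse struct {
	Results []osvBatchResult `json:"results"`
}

// BuildBatchRequest encodes every discovered package into one querybatch body.
func BuildBatchRequest(pkgs []Package) ([]byte, error) {
	req := osvBatchRequest{Queries: make([]osvQuery, 0, len(pkgs))}
	for _, p := range pkgs {
		req.Queries = append(req.Queries, osvQuery{Package: osvPackage{p.Name, p.Ecosystem}, Version: p.Version})
	}
	return json.Marshal(req)
}

// ParseBatchResponse maps each queried package to the advisory IDs OSV returned.
// Results are positional, so a length mismatch is an error rather than a silent
// mis-attribution; a non-empty next_page_token means the list is truncated and
// the package must not be reported clean until the remaining pages are fetched.
func ParseBatchResponse(body []byte, pkgs []Package) (map[string][]string, error) {
	var resp osvBatchResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decode osv response: %w", err)
	}
	if len(resp.Results) != len(pkgs) {
		return nil, fmt.Errorf("osv returned %d results for %d queries", len(resp.Results), len(pkgs))
	}
	out := make(map[string][]string, len(pkgs))
	for i, r := range resp.Results {
		if r.NextPageToken != "" {
			return nil, fmt.Errorf("result for %s is paginated; fetch remaining pages first", pkgs[i].Key())
		}
		ids := make([]string, 0, len(r.Vulns))
		for _, v := range r.Vulns {
			ids = append(ids, v.ID)
		}
		out[pkgs[i].Key()] = ids
	}
	return out, nil
}

// QueryOSV performs the live lookup (no cache, one POST per scan).
func QueryOSV(ctx context.Context, client *http.Client, pkgs []Package) (map[string][]string, error) {
	body, err := BuildBatchRequest(pkgs)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, osvQueryBatchURL, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("osv querybatch: HTTP %d", resp.StatusCode)
	}
	raw, err := io.ReadAll(io.LimitReader(resp.Body, 8<<20)) // cap the body we are willing to decode
	if err != nil {
		return nil, err
	}
	return ParseBatchResponse(raw, pkgs)
}

// sampleResponse is a constructed OSV reply: one placeholder advisory for the
// first package and an empty object (no vulns) for the second.
const sampleResponse = `{"results":[{"vulns":[{"id":"CVE-0000-0001","modified":"2024-01-01T00:00:00Z"}]},{}]}`

func main() {
	pkgs := []Package{{"lodash", "npm", "4.17.15"}, {"requests", "PyPI", "2.31.0"}}
	found, err := ParseBatchResponse([]byte(sampleResponse), pkgs)
	if err != nil {
		panic(err)
	}
	for k, ids := range found {
		fmt.Printf("%s -> %v\n", k, ids)
	}
}
```

The two error paths are the ones that matter for a freshness claim: a result count that does not match the query count, or a paginated result, must fail the scan loudly rather than let a package slip through as "no known CVEs".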
Secret-pattern rules (GitLeaks upstream)
Cadence
Weekly — Sunday 03:00 UTC
Automated workflow pulls the upstream GitLeaks ruleset, regenerates the secrets-patterns file in our repo, runs the full test suite, and opens a pull request for maintainer review. Changes merge only after tests pass and a maintainer approves — no silent drift.
Evidence
.github/workflows/rule-sync.yml + cmd/sync-rules
Max staleness
≤7 days between upstream publication and our scanner picking it up.
Nuclei DAST templates
Cadence
Weekly — Monday 05:00 UTC
Automated workflow runs nuclei -update-templates inside the production container over an SSM session. Templates live on a persistent volume so they survive container restarts. After the refresh, the scanner worker restarts to pick up the new templates.
Evidence
.github/workflows/nuclei-templates-refresh.yml
Max staleness
≤7 days.
Sekrd rule catalog (in-house)
Cadence
Continuous on feature branches; every merge ships
New rules land on feature branches and go through code review plus CI gates (TestCatalog_EveryEntryHasRequiredFields asserts every rule carries CWE + OWASP + Version). Merge to main auto-deploys within 5 minutes.
Evidence
internal/findings/catalog.go — 113 rules, 44 distinct CWEs
Max staleness
Minutes from merge to production.
Our own dependencies (Go + npm + Docker + Actions)
Cadence
Weekly — Monday 08:00 UTC
Dependabot opens pull requests for outdated or CVE-affected packages across go.mod, web/package.json, deploy/Dockerfile, and .github/workflows. Security advisories override the weekly cadence and open PRs immediately. Patch-level updates are grouped into one PR per ecosystem per week to keep reviewer load sane.
Evidence
.github/dependabot.yml
Max staleness
≤7 days for routine updates; same-day for advisory-driven updates.
What this means for scan freshness
When you run a scan right now, every finding it surfaces is either (a) based on a real-time OSV lookup of the CVE database, or (b) detected by rules whose upstream sources we synced within the last 7 days.
There is no "the scanner is behind by 3 months" scenario. A CVE published in OSV this morning gets matched against your site's dependencies if you scan this afternoon. A new GitLeaks secret pattern published on Friday lands on the scanner by next Sunday. A fresh Nuclei template for a novel CVE lands by the following Monday.
Honest caveats
- Not every vulnerability class has an upstream feed. Business-logic bugs, IDOR patterns, custom-policy RLS bypasses, and many MCP tool-poisoning attacks are detected by rules written by us, not synced from anyone. Those get added when we find a new pattern worth detecting.
- OSV covers most but not all ecosystems. Exotic language ecosystems (Haskell, Crystal, Elixir core) have thinner CVE coverage. We still run secret-pattern + header + active-DAST checks on those apps; the dependency channel just has less to say.
- A rule-sync PR can be rejected. If upstream GitLeaks ships a noisy new pattern that breaks our anti-suppression tests, the weekly PR fails CI and doesn't merge. We investigate before landing. This prevents silent regressions but does mean a week of delay in edge cases.
- Weekend deploys can stall. The Monday Nuclei refresh runs after the Sunday rule-sync. If Sunday's PR needs maintainer review and hasn't merged by Monday morning, the Monday refresh happens against last week's ruleset. Rare, but possible.
For enterprise diligence
If your vendor-assessment questionnaire includes questions like:
- “How often is your CVE database updated?” → Real-time, via OSV.
- “What is the maximum age of your detection rules?” → 7 days worst-case for upstream-synced rules. Continuous for in-house rules.
- “Do you track your own software dependencies for CVEs?” → Yes, Dependabot with weekly PRs + same-day advisory overrides.
- “Can you provide a list of current detection rules?” → /docs/cwe-mapping — 113 rules, auto-generated from the catalog.
- “How do you prevent detection-rule regressions?” → 9 anti-suppression test gates in CI. A rule update that silences a real known leak blocks the PR from merging.
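The anti-suppression gate referred to here and in the caveats above is, in essence, a fixture test: a set of known-leak samples that the synced rule set must still detect. The following is an added illustration of that idea, not Sekrd's actual CI test, and it makes up everything it uses: two generic rule shapes (an AWS access key ID and a GitHub personal-access-token prefix), a "before" rule set, a hypothetical "after" sync in which upstream rewrote one pattern with a different length, and two fixture lines. The AWS value is Amazon's documented example key ID and the GitHub token body is a made-up 36-character string; neither is a real credential.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Rule is one secret-detection pattern as it would be loaded from the
// generated patterns file (constructed for this example).
type Rule struct {
	ID    string
	Regex *regexp.Regexp
}

// KnownLeak is a fixture the rule set must keep detecting: a constructed
// sample line plus a label used in the failure report.
type KnownLeak struct {
	Label  string
	Sample string
}

// Constructed fixtures. AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder
// access key ID; the ghp_ token body is an arbitrary 36-character string.
var knownLeaks = []KnownLeak{
	{"aws-access-key", `aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"`},
	{"github-pat", `GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz`},
}

// rulesBefore stands in for the currently merged rule set.
var rulesBefore = []Rule{
	{"aws-access-key", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"github-pat", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
}

// rulesAfter is a hypothetical upstream sync: the GitHub pattern now demands a
// different token length, so the existing fixture is no longer matched.
var rulesAfter = []Rule{
	{"aws-access-key", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"github-pat", regexp.MustCompile(`\bghp_[A-Za-z0-9]{40}\b`)},
}

// Suppressions returns the labels of fixtures that no rule in the candidate
// set detects. An empty result means the candidate passes the gate.
func Suppressions(rules []Rule, leaks []KnownLeak) []string {
	var lost []string
	for _, leak := range leaks {
		detected := false
		for _, r := range rules {
			if r.Regex.MatchString(leak.Sample) {
				detected = true
				break
			}
		}
		if !detected {
			lost = append(lost, leak.Label)
		}
	}
	sort.Strings(lost)
	return lost
}

// GateRuleSync is the CI decision: nil when the candidate may merge, otherwise
// an error naming every fixture the update would silence.
func GateRuleSync(candidate []Rule, leaks []KnownLeak) error {
	if lost := Suppressions(candidate, leaks); len(lost) > 0 {
		return fmt.Errorf("rule sync would silence %d known leak(s): %v", len(lost), lost)
	}
	return nil
}

func main() {
	fmt.Println("current rules:", GateRuleSync(rulesBefore, knownLeaks))
	fmt.Println("synced rules: ", GateRuleSync(rulesAfter, knownLeaks))
}
```

The gate deliberately asks "does any rule still catch this sample?" rather than "does the rule with this ID still exist?", so an upstream rename or merge of two patterns does not fail the build as long as the leak is still detected; only a genuine loss of detection blocks the PR.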
Email security@sekrd.com for a formal vendor-assessment response packet.