CVE remediation shouldn’t feel like a never-ending game of whack-a-mole, but for a lot of teams, it still does.

New vulnerabilities are published every week, and according to data by The Cyentia Institute, this trend is accelerating. In fact, they expect 500 new CVEs to be published in a typical week in 2025, growing 10 percent year over year. Some are critical. Some are already being exploited. Most need to be addressed across dozens of applications and environments. 

It’s a lot for any DevSecOps team to handle, and for many it’s becoming a full-time job on top of everything else. 

That’s why so many teams are making the shift to secure container images that minimize risk upfront. With low-to-no CVE containers rebuilt often and backed by signed SBOMs, DevSecOps teams are beginning to reduce the number of issues they need to chase and eliminating the noise that slows everything down. Instead, they’re building on a clean, documented, and secure foundation from day one.

Here’s what you need to know about CVE remediation, and why modern DevSecOps teams are turning to automation when it comes to responding to open source vulnerabilities.

Before we dive in: What is CVE remediation? 

CVE (otherwise known as Common Vulnerabilities and Exposures) remediation is what happens after a vulnerability is announced and discovered in your software

It’s the process of identifying a CVE in your code or dependencies and figuring out how risky it is before applying the right fix, testing it, and deploying it safely into production.

Sounds straightforward, right? It rarely is.

Remediation can involve dozens of steps across multiple teams. Your cybersecurity team might find the issue; your engineering teams might need to research, verify it, and apply the patch; your DevSecOps team has to test the patch; and your release management team ensures it doesn’t break anything. 

All of that takes time, and if you’re still relying on manual tools and spreadsheets, it takes even longer.

There’s also a big difference between detecting a vulnerability and actually fixing it. Scanners and SBOMs are great at surfacing issues. But that’s just the start. True remediation means acting fast, fixing precisely, and deploying safely, all before an attacker beats you to it.

Why traditional CVE remediation falls short

If your current CVE process feels like duct tape and late nights, you’re not alone. The traditional approach is messy, slow, and disconnected from how modern teams actually work. 

Why? Keep reading. 

  1. It’s reactive, not proactive

Most teams wait for scanners or threat alerts to tell them there’s a problem. By that time, the CVE may already be exploitable in production. 

This attitude of responding to issues instead of preventing them is cause for concern. Let’s say a known vulnerability in a popular library was published two weeks before your scanner flagged it. In that time, your application might have shipped three new builds, all with the vulnerable code still inside.

  1. Too many tools, not enough integration

Security teams use scanners. Devs use package managers. DevSecOps runs CI/CD…

Chances are, these tools don’t talk to each other. That means the full picture of what’s actually vulnerable gets lost in translation. One team might flag a risky Python package, only for developers to spend hours trying to track it down until they realize it’s buried in a legacy container image built by another team. Worse, this might happen with no documentation in sight.

  1. Patching is repetitive and low-value

Manually patching the same CVE across multiple services is a real time sink. You fix the same issue in one container, then move to the next, then the next. 

Case in point: an OpenSSL patch shows up, and suddenly your team is spending half a sprint updating and rebuilding 15 different microservices that all rely on slightly different base images. It’s necessary work, but it’s also deeply inefficient.

  1. Dependencies make everything harder

Vulnerabilities can live deep in the dependency tree, making it hard to know whether something is actually being used or if it’s just along for the ride. 

Take a medium-severity CVE in a Node.js module. It might sound urgent, until you dig in and find out it’s buried inside a sub-dependency that your app never even calls. That’s hours lost on something that never posed real risk. 

  1. Breakage is a real risk

The fear with every patch is simple: will this fix break something else? 

Without build provenance or automated testing, there’s no easy way to tell. Your team patches a CVE in a database driver, only to watch integration tests fail because the fix changed a minor method signature. Five downstream services crash, and now you’ve traded one incident for another.

Automation: The answer to inefficient CVE remediation

The fact of the matter is this: manual CVE remediation is unsustainable. 

The volume of vulnerabilities, the complexity of dependencies, and the need for speed have outgrown “patch-by-hand” workflows. If you’re still trying to stay ahead of thousands of CVEs on a wing and a prayer, it’s time for a smarter system.

That’s where automated vulnerability management and secure, custom container images come in. With automated remediation, you’re no longer simply finding issues faster. Instead, you’re fixing them as part of your normal development flow, before any vulnerabilities ever enter your production environment. .

Here’s what that looks like in practice:

Step 1: Detect and prioritize with context

Smart automation starts with smart prioritization, because at the end of the day, not every CVE needs to be fixed immediately. 

With a curated, low-to-no CVE base and full provenance for every component, platforms like ActiveState reduce the noise before it even hits your scanner. From there, smart automation filters for severity, exploitability, and real-world usage so your team can focus on what matters most.

For example, instead of chasing every medium-risk CVE in your SBOM, your system flags the critical issue that’s actually running in a public-facing service, with known exploits in the wild. It’s these CVEs that get fixed first.

  • Use SBOMs and vulnerability scanners to surface CVEs
  • Prioritize by severity, exploitability, and usage
  • Filter out the noise (ex: “Is this component even in use?”)
  • ActiveState helps by giving you clean, fully documented containers upfront

Step 2: Automate secure rebuilds

Once a CVE is identified, the ActiveState platform rebuilds the affected components from source using trusted and “secured-from-source” packages. ActiveState takes on the entire remediation process for your team. Our automated and secure SLSA-3 build system springs into action, rebuilding the affected open-source components from source using our industry-leading catalog of over 40M+ secure components. This comprehensive approach means there’s no manual patching for your team, no complex dependency guesswork, and the process fully offloads the overhead of managing custom images.

What’s more, these secure container images are rebuilt nightly and delivered to you pre-loaded with signed SBOMs, providing full provenance and auditability. This entire process ensures you receive continuously updated, low-to-no CVE container images without your team needing to lift a finger.

What’s more, these rebuilds happen on the daily, and they come pre-loaded with SBOMs, signed attestations, and a clear audit trail. This gives you updated, low-to-no CVE container images without lifting a finger.

  • Skip the hunt for patches and version updates
  • ActiveState rebuilds container images from source with vetted components
  • Over 40 million secure packages to pull from
  • Rebuilds include signed attestations and clean dependency trees

Step 3: Test and deploy without fear

Automated remediation fits directly into your CI/CD pipeline. This way, any patches get tested just like any other build and your application can stay secure, all without breaking what works.

Pro tip:

Teams using ActiveState containers benefit from a 7-day SLA on critical CVE remediation. That means you’re not waiting weeks for upstream fixes or patch rollouts.

  • Plug secure containers into your CI/CD
  • No broken builds, no last-minute fire drills
  • Daily image rebuilds ensure everything stays fresh and compliant

How ActiveState helps with CVE remediation

Think of your software like a high-rise building. Most teams spend their time fixing cracks after the structure is already built. They’re patching, sealing, and re-engineering floors on the fly. 

ActiveState flips this blueprint. Instead of retrofitting security after the fact, it helps you pour concrete with reinforced steel. Every container, every dependency, every build layer is structurally sound before it even goes up. 

Here’s what sets ActiveState apart:

  • We offer built-from-source containers, which are crafted from a catalog of 40+ million secure components.
  • We deliver targeted, component-level fixes, not sledgehammer upgrades.
  • We run nightly rebuilds and speculative fixes so you’re ready before CVEs become headlines.
  • We integrate directly into your CI/CD pipeline, turning remediation into a natural extension of your existing development workflow.
  • We live and breathe signed SBOMs and full provenance so you know the origin of every piece of code.

From daily firefighting to finding flow

The days of chasing CVEs across spreadsheets and staging environments are numbered. As software complexity grows and vulnerabilities multiply, manual remediation just can’t keep up. And in today’s vulnerability landscape, that’s a real problem. This is especially true for mid-to-large enterprises. In fact, these organizations are leaving nearly 45.4 percent of discovered vulnerabilities unaddressed for 12 months or more. 

Teams that automate CVE remediation not only respond faster, but also shift their entire security posture from reactive to resilient. And ActiveState gives you the tools to make that shift happen so you can secure containers, automated rebuilds, prioritize vulnerabilities, and focus on finding flow rather than constantly fighting fires.
If you’re ready to accelerate your vulnerability response, explore the ActiveState platform and learn how we’re helping DevSecOps teams automate CVE remediation across their production environments.