
87% of Production Services Run Exploitable Dependencies

The Problem: Widespread Vulnerabilities

According to Datadog's State of DevSecOps 2026 report, 87% of organizations are running at least one exploitable vulnerability in their production services. The issue stems from poor dependency management. The median dependency in production is 278 days behind its latest major version, leaving a nine-month window for known vulnerabilities to be exploited. Additionally, 71% of organizations do not pin the hash for any of their GitHub Actions, exposing their build pipelines to supply chain attacks.

This isn't an isolated incident but a widespread issue affecting most cloud-native environments.

Understanding the Exposure Timeline

This exposure is ongoing, not a one-off event. The 278-day lag is the median, so half of all dependencies are even further behind. Here's how the exposure develops:

Day 0: A new major version releases with security patches
Day 90: Your team identifies the outdated dependency
Day 180: The update is deprioritized in favor of feature work
Day 278: Your dependency reaches the median lag
Day 279+: Exploits for the vulnerabilities are publicly available

Meanwhile, your pipeline controls remain unchanged: every run keeps pulling whatever an unpinned GitHub Action's tag currently points to, on the assumption that no malicious changes have been introduced.

Missing Controls and Failures

Dependency Version Management: Many organizations lack a systematic process for updating dependencies. The 278-day lag shows that updates are reactive and that security patches are not prioritized.

Pipeline Integrity Controls: With 71% of organizations not pinning GitHub Actions hashes, there's no assurance that the action running today is the same one tested previously. This opens the door for attackers to inject malicious code.

Vulnerability Scanning: Simply running a scanner isn't enough. The 87% figure suggests teams aren't effectively filtering for exploitability or acting on scan results.

Change Approval Processes: Dependencies are executable code and should be treated as such. Many organizations incorrectly view dependency updates as low-risk maintenance.

Compliance Requirements

PCI DSS v4.0.1 requires managing all applicable vulnerabilities with severity rankings. A dependency 278 days out of date fails this requirement.

NIST 800-53 Rev 5 Control SI-2 mandates systematic vulnerability remediation, including software updates. The 278-day lag would not meet "timely" remediation standards.

ISO/IEC 27001:2022 Control 8.8 requires a process to identify and address vulnerabilities. A nine-month delay indicates a broken process.

OWASP Top 10 2021 A06:2021 warns against using components with known vulnerabilities and recommends continuous monitoring.

For pipeline integrity, NIST 800-53 Control SA-10 requires securing the development environment. Unpinned actions violate verified software integrity principles.

SLSA Level 2 requires version-controlled build scripts and configuration to ensure build process integrity. Unpinned GitHub Actions fail this requirement.

Action Items for Your Team

Separate Security from Feature Updates: Establish a dedicated process for security patches. If a dependency is over 30 days behind, require an exception approval.

Implement Hash Pinning: Pin every GitHub Action to a specific commit hash. Updating a pipeline component then becomes a deliberate change rather than something that happens silently when a tag moves.

# Wrong
uses: actions/checkout@v4

# Correct
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
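As an added example (not code from the article, the report, or any project), the following stdlib Python checker finds `uses:` references in a workflow file that still point at a moving tag or branch rather than a full commit SHA; the embedded sample workflow is constructed for the demonstration.

```python
# Added example for this article, not code from the report or any project: flag
# GitHub Actions `uses:` references that are not pinned to a full commit SHA.
# Stdlib only; scans workflow YAML line by line (one `uses:` per line, as above).
import re
from dataclasses import dataclass

# A full Git commit SHA-1 is exactly 40 hex characters. A tag (v4), a branch
# (main) or an abbreviated SHA can be moved to point at different code later.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)['\"]?\s*(#.*)?$")

@dataclass
class ActionRef:
    line_no: int
    action: str   # e.g. actions/checkout
    ref: str      # text after '@', '' if absent
    comment: str  # trailing comment such as '# v4.1.1', kept for reporting

    @property
    def pinned(self) -> bool:
        return bool(FULL_SHA.match(self.ref))

def parse_uses(workflow_text: str) -> list:
    """Return every remote `uses:` reference in the workflow, in file order."""
    refs = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        target, comment = m.group(1), (m.group(2) or "").strip()
        # Local actions (./path) and docker:// images are versioned differently
        # and are left out of this check.
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        refs.append(ActionRef(n, action, ref, comment))
    return refs

def unpinned_actions(workflow_text: str) -> list:
    """Findings for references that resolve to a moving tag or branch."""
    return [r for r in parse_uses(workflow_text) if not r.pinned]

# Constructed sample: one step pinned to the commit quoted in the article (with
# the version kept in a comment for readability) and one on a moving tag.
SAMPLE_WORKFLOW = """\
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-step
"""
```

Running `unpinned_actions` over each file under `.github/workflows/` in CI gives a simple gate that fails the build while any moving reference remains.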

Focus on Exploitability: Configure your scanner to prioritize vulnerabilities that are actually exploitable in your code.

Set SLA Targets by Severity: Define maximum ages for dependencies based on vulnerability severity:

  • Critical: remediate within 7 days
  • High: remediate within 30 days
  • Medium: remediate within 90 days
  • No known vulnerabilities: review quarterly

Automate Dependency Updates: Use tools like Dependabot or Renovate to create pull requests for updates. Review these updates consciously.

Require Security Sign-off for Pipeline Changes: Treat CI/CD configurations as security-critical. Require security review for changes.

Measure Your Lag: Track the median age of your dependencies monthly. Aim to reduce the lag to 90 days within six months.

The gap between the 87% of organizations running exploitable vulnerabilities and the security requirements in every major standard is not technical—it's organizational. Your team already has the tools and knowledge. The failure is in prioritization and process. Address these, and the 278-day lag will resolve itself.
