CleanStart: Only One-Third of Enterprises Automate Software Supply Chain Security

A new CleanStart study reveals a widening gap between the speed of modern software delivery and the maturity of enterprise software supply chain security. Despite rapid CI/CD adoption and pressure to ship code faster, only a small fraction of organisations have automated the controls needed to keep pace with escalating software risks.

The analysis, based on telemetry gathered from thousands of pipeline executions, shows that while development velocity has increased dramatically over the past three years, many security processes remain slow, manual, or inconsistently implemented — leaving production environments exposed to well-known vulnerabilities.

Automation Adoption Far Below Industry Requirements

CleanStart’s most striking finding: only 1 in 3 enterprises have fully automated, policy-driven validation for container images.

This means that a majority of organisations still rely on manual approvals or partial scripts to validate container integrity before deployment. The study notes that enterprises with fully automated pipelines enjoy:

  • 60% fewer manual review cycles

  • Patch-to-deploy timelines more than twice as fast

  • Significantly reduced mean-time-to-remediate (MTTR)

Despite these clear benefits, adoption remains slow, contributing to systemic supply chain risk.

Exposure Window: Nearly 26 Days on Average

Across all analysed CI/CD environments, CleanStart found that the average time from vulnerability discovery to policy-compliant remediation is 26 days. In other words, once a CVE affecting an image is public, the typical enterprise keeps running that image for almost a month before a fix reaches production.

The report also highlights weak adoption of essential supply chain controls:

  • Fewer than 50% of pipelines generate or attach an SBOM (Software Bill of Materials).

  • 25% of validated container images lacked signature verification or complete provenance metadata.

  • Many images failed to include dependency-level visibility that regulators and customers increasingly expect.

This inconsistent governance makes it difficult for security teams to trace component origins or verify that published software matches approved builds.

The Average Container Image Has 450 Known CVEs

Perhaps the most concerning statistic is the high vulnerability density uncovered in enterprise container registries. The study found:

  • ~450 known CVEs per container image, on average

  • ~40% of those vulnerabilities rated high or critical

  • Many production-bound images still include outdated base layers and unpatched libraries

This illustrates how the gap between secure build processes and fast deployment continues to widen, with development teams pushing updates faster than security teams can validate them. One caveat when reading the raw count: CVE totals depend heavily on the scanner used and on whether distribution-backported fixes are recognised, so the figure is best treated as a relative indicator of image hygiene rather than a precise exposure measure.

Supply Chain Security Is Becoming a Business Risk

CleanStart notes that while enterprises have excelled at speeding up code releases, security has not kept pace due to fragmented tooling, inconsistent policies, and over-reliance on manual approval workflows.

The study concludes that the industry must accelerate adoption of:

  • Automated policy enforcement across CI/CD stages

  • Standardised SBOM generation and validation

  • Provenance tracking and signature verification

  • Continuous vulnerability monitoring and runtime protection

  • Unified governance frameworks tailored for high-velocity development

Without these foundational controls, organisations risk accumulating hidden technical debt that can be exploited at scale — especially as attackers increasingly target software build pipelines.
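To make the first three recommendations concrete, the following is an added example of what an automated, policy-driven promotion gate can look like. It is not CleanStart's tooling, and the image records, CVE identifiers and dates in it are constructed for the illustration; in a real pipeline the fields would be populated by a signature verifier (for example cosign), an SBOM generator and a vulnerability scanner. The gate refuses an image that lacks a verified signature, an SBOM or build provenance, blocks fixable findings at or above a severity threshold, and flags lower-severity findings whose fix has been available longer than the policy allows, which is the "exposure window" the report measures.

```python
"""Policy gate for container-image promotion.

Added example, not CleanStart's code. Every input below is constructed;
in practice signature_verified, sbom_attached, provenance_attached and
findings come from cosign/SBOM/scanner output, hard-coded here so the
gate runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Ordering used to compare a finding against the policy's blocking threshold.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Finding:
    cve_id: str                   # constructed placeholder IDs in the samples below
    severity: str                 # one of SEVERITY_RANK
    fix_available: Optional[date]  # date a patched version appeared; None if no fix yet


@dataclass
class ImageRecord:
    ref: str                   # image reference, e.g. registry/app@sha256:...
    signature_verified: bool   # signature checked against a trusted key or identity
    sbom_attached: bool        # SBOM attestation present on the image
    provenance_attached: bool  # build provenance attestation present on the image
    findings: list[Finding] = field(default_factory=list)


@dataclass
class Policy:
    require_signature: bool = True
    require_sbom: bool = True
    require_provenance: bool = True
    block_severity: str = "high"   # block fixable findings at or above this rank
    max_fix_age_days: int = 14     # lower-severity fixable findings may not age past this


def evaluate(image: ImageRecord, policy: Policy, today: date) -> list[str]:
    """Return the policy violations for an image; an empty list means it may be promoted."""
    violations: list[str] = []
    if policy.require_signature and not image.signature_verified:
        violations.append("signature: missing or not verified")
    if policy.require_sbom and not image.sbom_attached:
        violations.append("sbom: no SBOM attestation attached")
    if policy.require_provenance and not image.provenance_attached:
        violations.append("provenance: no build provenance attached")

    threshold = SEVERITY_RANK[policy.block_severity]
    for f in image.findings:
        if f.fix_available is None:
            continue  # nothing to upgrade to yet; report separately rather than block
        age = (today - f.fix_available).days  # days the fix has gone unapplied
        if SEVERITY_RANK[f.severity] >= threshold:
            violations.append(f"{f.cve_id}: {f.severity} with fix available for {age} days")
        elif age > policy.max_fix_age_days:
            violations.append(
                f"{f.cve_id}: {f.severity} fix unapplied for {age} days "
                f"(limit {policy.max_fix_age_days})"
            )
    return violations


def severity_profile(image: ImageRecord) -> dict[str, int]:
    """Count findings per severity; the high+critical share is the figure the study reports."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in image.findings:
        counts[f.severity] += 1
    return counts


# Constructed sample inputs (not real images, CVEs or scan results).
TODAY = date(2025, 3, 1)

COMPLIANT = ImageRecord(
    ref="registry.example/app@sha256:aaaa",
    signature_verified=True, sbom_attached=True, provenance_attached=True,
    findings=[
        Finding("CVE-0000-0001", "medium", date(2025, 2, 25)),  # fix is 4 days old
        Finding("CVE-0000-0002", "critical", None),             # no fix released yet
    ],
)

NONCOMPLIANT = ImageRecord(
    ref="registry.example/app@sha256:bbbb",
    signature_verified=True, sbom_attached=False, provenance_attached=False,
    findings=[
        Finding("CVE-0000-0003", "high", date(2025, 2, 1)),  # fixable high, 28 days old
        Finding("CVE-0000-0004", "low", date(2025, 1, 1)),   # fix 59 days old
    ],
)

if __name__ == "__main__":
    for img in (COMPLIANT, NONCOMPLIANT):
        result = evaluate(img, Policy(), TODAY)
        print(img.ref, "ALLOW" if not result else "DENY", severity_profile(img))
        for line in result:
            print("  -", line)
```

Unfixable findings are deliberately skipped rather than blocked, since there is nothing the build can upgrade to; a real gate would still surface them for tracking. Tightening `max_fix_age_days` is how a team turns the report's 26-day average into an enforced ceiling.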

A Critical Moment for Enterprise Security Maturity

The report frames this as a pivotal moment: development velocity is no longer the limiting factor in digital transformation. Security velocity is.

Enterprises that do not standardise automated supply chain controls in the next 12–24 months will face growing exposure windows, mounting compliance pressure, and higher breach likelihood — especially with new AI-powered tooling enabling attackers to exploit software flaws faster than ever.
