Only 1 in 3 Enterprises Fully Automates Software Security, CleanStart Data Reveals

Dec 2: CleanStart, a platform that helps build secure and safe software, has recently conducted a study that highlights significant gaps in enterprise software supply chain security. The study reveals that most organizations have yet to adopt the level of automation required to secure modern CI/CD pipelines. Based on aggregated telemetry across thousands of pipeline executions, the findings show that while development velocity has increased dramatically in recent years, security practices have not kept pace.

According to the study, only about one-third of the CI/CD environments observed have implemented fully automated, policy-based validation for container images. Despite clear performance advantages such as nearly 60 percent fewer manual review cycles and patch-to-deploy timelines that are more than twice as fast in automated pipelines, the majority of organizations continue to rely on partial automation or manual approvals. This limited adoption creates a widening gap between the speed at which software is built and the rigor with which it is validated.

The report also finds that the average time from vulnerability detection to achieving policy compliance is approximately 26 days, suggesting that many organizations remain exposed to known risks for nearly a month before remediations are fully enforced. At the same time, foundational practices such as visibility and provenance remain inconsistent. Fewer than half of all analysed pipelines generate or attach a Software Bill of Materials (SBOM) during the build process, and roughly one in four validated container images lacked signature verification or complete provenance metadata at the point of analysis.

Perhaps the most striking finding is the density of known vulnerabilities within container images. Across the registries studied, the average container image contained around 450 known CVEs, with roughly 40 percent classified as high or critical severity. This indicates that even widely deployed and production-bound images often carry significant, unresolved security risks, further emphasizing the need for more standardized and automated validation practices across industries.

CleanStart’s study concludes that while enterprises have made considerable progress in accelerating software delivery, the underlying security processes embedded in their pipelines remain fragmented and inconsistent. The report underscores the urgent need for greater adoption of automated validation mechanisms and stronger enforcement of policy-driven controls to reduce systemic exposure across the software supply chain.