Replicated: Delivering Trusted, Vulnerability-Free Software for Enterprises
Replicated is on a mission to help software companies deliver their applications into the world’s most demanding enterprise environments. For over a decade, Replicated’s platform has enabled open-source and SaaS firms like Travis CI, Writer, KNIME, H2O.ai, and DataStax to ship enterprise-ready, self-hosted versions of their software to customers who need on-premises or VPC deployments. This “enterprise distribution” model allowed developers to reach regulated or security-conscious organizations – but it also introduced new challenges. Lately, the biggest challenge is security: enterprises now scrutinize every container for known vulnerabilities before they’ll deploy it. In fact, the number of reported CVEs (Common Vulnerabilities and Exposures) has exploded – over 40,000 CVEs were published in 2024, a 38% jump from the prior year. This surge means even widely used base images often contain dozens of known security issues. For enterprise buyers, these CVEs aren’t just annoyances – they’re liabilities.
Replicated heard from its customers (independent software vendors, or ISVs) that they were under growing pressure to prove their software supply chain is secure. Scanning tools flag any vulnerabilities in an app’s container image, and corporate security teams now demand “clean” images with zero known CVEs. However, continuously monitoring and patching all the open-source components inside each release is not the core competency of most ISVs – they’re focused on building features, not chasing the latest OpenSSL patch. Replicated recognized a gap: its customers needed a way to ship software with zero known vulnerabilities, without diverting their own engineers to become full-time security admins. This set the stage for SecureBuild, Replicated’s new solution to deliver Zero-CVE container images for any software.
The Challenge: Securing a Complex Software Supply Chain
Building SecureBuild was no trivial task. The goal was to take a given software project – along with all its dependencies and OS libraries – and produce a container image with “0 CVEs” (no known vulnerabilities). In practice, this meant solving several hard problems:
- Explosion of Dependencies: Modern applications pull in dozens of dependencies (OS packages, libraries, runtimes). Each dependency can itself depend on others, forming a deep tree up to 15–16 layers thick in some cases. A project like TimescaleDB, for example, is not a single static binary; it relies on many underlying libraries and packages that must be tracked and kept in sync. To eliminate vulnerabilities, every component down to the lowest level must be kept updated or replaced with a secure variant.
- Constant Vulnerability Disclosures: With ~100+ new CVEs disclosed per day industry-wide, there’s a steady stream of patches emerging for various packages. A “secure” image can quickly become insecure as new CVEs are disclosed. Replicated needed to continuously monitor upstream CVE feeds and updates so that the moment a fix is available for, say, OpenSSL or glibc, they can rebuild all images that include it.
- Ephemeral, Trusted Build Environment: Security can be compromised if the build process itself is not locked down. Replicated wanted each build to run in an isolated, ephemeral clean room environment to prevent any persistent malware or tampering. This approach would ensure each image is built from source with a verified toolchain on trusted hardware, leaving no chance for hidden threats to creep in from previous builds or shared systems.
- Enterprise-Grade SLAs: To meet enterprise expectations, SecureBuild set clear timelines for vulnerability remediation. The service committed to a 6-day SLA for patching critical CVEs and 13 days for high/medium/low issues. Hitting these SLAs requires significant automation – a fully manual patch-and-release process would be too slow when dozens of issues appear each week.
- Maintainer Collaboration and Sustainability: Replicated also chose a unique business model: partnering directly with open-source maintainers as the official provider of their secure images. This meant any solution had to integrate with many open-source projects’ release processes and ensure maintainers could validate and trust the output. In return, Replicated would share 70% of the subscription revenue for an image with its open-source maintainers. This creator-first model is designed to financially sustain the projects that enterprises depend on – but it also added a coordination challenge on top of the technical ones.
In short, SecureBuild needed to deliver an automated, scalable “factory” for rebuilding software from source, eliminating vulnerabilities continuously, and doing so in a way that earned the trust of both enterprises and open-source communities.
Solution: Ephemeral Builds and Zero‑CVE Images with SecureBuild
Replicated’s answer was to build a secure supply chain pipeline grounded in modern DevOps tooling and open-source innovation. Key components of the SecureBuild solution include:
- Ephemeral “Clean Room” Builds At Scale: SecureBuild leverages Replicated’s Compatibility Matrix platform (originally built for testing across 60,000+ Kubernetes/OS combos) to spin up trusted ephemeral build environments for each package. In the last 30 days alone, SecureBuild created more than 40,000 of these ephemeral VMs while maintaining 60+ concurrent build environments. Each build occurs in a fresh VM/container with a minimal OS, so there’s no state or malware persistence between runs. Once the build completes, the environment is torn down. This guarantees a high level of build provenance: if an image is labeled Zero-CVE, customers can trust it wasn’t built on a compromised machine.
- Full Dependency Mapping and Rebuilds: SecureBuild maps the entire dependency graph of each supported image and continuously watches for upstream vulnerability fixes. When a component anywhere in the stack gets a security update, SecureBuild’s pipeline automatically rebuilds all downstream packages and ultimately the final container image to incorporate the fix. As an example, the largest dependency graph SecureBuild has today takes 17 hours to rebuild end-to-end. The team is always working to bring this number down, but it showcases the scale of the problem. This transitive rebuild approach is complex (often involving thousands of packages), but it’s the only way to truly achieve a “Zero-CVE” result across tens of thousands of package versions.
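The transitive rebuild described above, as an added example that is not SecureBuild’s own code: a PostgreSQL recursive query over an assumed `package_deps` edge table that, given one patched package, lists every downstream package and image that must be rebuilt and the order in which to rebuild them. The table layout, the package names and the sample graph are all constructed for illustration.

```sql
-- Added example (not Replicated's or SecureBuild's code). Assumed edge table:
-- one row per direct build dependency. Image names are treated as packages too.
CREATE TABLE package_deps (
    package    TEXT NOT NULL,   -- the dependent package (or final image)
    depends_on TEXT NOT NULL,   -- a direct dependency it is built against
    PRIMARY KEY (package, depends_on)
);

-- Constructed sample graph: two images share a glibc -> openssl chain, and
-- postgresql reaches openssl both directly and through libpq.
INSERT INTO package_deps VALUES
    ('openssl',           'glibc'),
    ('libpq',             'openssl'),
    ('postgresql',        'libpq'),
    ('postgresql',        'openssl'),
    ('timescaledb',       'postgresql'),
    ('timescaledb-image', 'timescaledb'),
    ('rclone',            'glibc'),
    ('rclone-image',      'rclone');

-- Walk the reverse dependency graph starting from the patched package.
-- Each row carries the packages on its path so a cycle can never recurse forever.
WITH RECURSIVE downstream AS (
    SELECT d.package,
           1 AS depth,
           ARRAY[d.depends_on, d.package] AS path
    FROM package_deps d
    WHERE d.depends_on = 'glibc'            -- the package that just received a CVE fix
  UNION ALL
    SELECT d.package,
           ds.depth + 1,
           ds.path || d.package
    FROM package_deps d
    JOIN downstream ds ON d.depends_on = ds.package
    WHERE NOT d.package = ANY(ds.path)
)
-- A package reached by several paths (postgresql at depth 2 via openssl and
-- depth 3 via libpq) is rebuilt at its longest depth, which guarantees every
-- one of its dependencies has already been rebuilt before it.
SELECT package, MAX(depth) AS rebuild_order
FROM downstream
GROUP BY package
ORDER BY rebuild_order, package;
```

On the constructed graph the query returns openssl and rclone at order 1, libpq and rclone-image at order 2, postgresql at 3, timescaledb at 4 and timescaledb-image at 5; a scheduler can run everything at the same order in parallel, which is the same shape as the rebuild fan-out the text describes.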
- Continuous Scanning & Validation: Both the SecureBuild images and the corresponding “canonical” official images are continuously scanned for vulnerabilities. Today the pipeline executes roughly 10,000 automated scans every 24 hours, ensuring that any newly disclosed CVE is detected and queued for remediation immediately. Each SecureBuild image is tested as a drop-in replacement to ensure it runs the software correctly, just with a clean bill of health. Before release, an image must show 0 known CVEs in the scan; if a critical CVE is still unfixed (perhaps waiting on an upstream patch), that image is still reported as vulnerable and is not offered as “secure” until the issue is resolved.
- Hardened Registry & Delivery: Once built and verified, images are pushed to a private, hardened registry managed by Replicated. Enterprises consume the images from this registry (with pull credentials tied to their subscription), or vendors can integrate the SecureBuild images into the software bundles they distribute via Replicated’s platform. Either way, delivery is secured and integrated with Replicated’s Enterprise Portal and tooling, so adopting a SecureBuild image is seamless for end customers.
- Open-Source Partnerships & Revenue Share: Unlike other providers of hardened images, Replicated doesn’t go it alone – they partner directly with open-source projects to be the official source of secure images. At launch, projects like Weaviate (vector search engine), TimescaleDB (time-series database), Coder, and Rclone (file sync) are among those with SecureBuild images available. Each project gets a custom landing page and can inform their community that a Zero-CVE edition of their software is available for enterprise use. In return, maintainers receive 70% of the revenue from any subscriptions to their images. This model turns security from a cost into a funding mechanism for open source. It’s a win-win: enterprises get safer software, and maintainers get paid to keep it that way.
Through this combination of ephemeral trusted builds, minimal OS, automated rebuilds, and collaborative delivery, SecureBuild can take a container that might normally have dozens of known vulnerabilities and reduce it to zero.
Data at Scale: How TigerData (Creators of TimescaleDB) Powers SecureBuild
Behind the scenes, all of SecureBuild’s automation generates an immense stream of data. Every time a package or image is built and scanned, results are recorded. Each time a customer’s on-prem app instance pings Replicated, that event is logged. Handling this as time-series data – efficiently and reliably – is crucial for both internal operations and customer-facing reporting. This is where TigerData, creators of TimescaleDB, comes into play.
Replicated uses Tiger Cloud to store and analyze the two key categories of time-series data in its architecture:
- Vulnerability Scan Metadata: SecureBuild continuously rescans its images (and upstream images) for new CVEs. These scan results, which include timestamps, image identifiers (hashes), and counts or lists of CVEs, are stored as time-series records. By retaining a history, Replicated can answer questions like: Did image X ever have any CVEs in the past? How quickly were they patched? It also allows trend analysis (e.g., number of new vulnerabilities detected each week) to demonstrate the value of SecureBuild over time. This dataset grows rapidly – a thousand images scanned daily with results over years means millions of data points. TimescaleDB is purpose-built for this kind of volume: it automatically partitions data by time into hypertables, so queries can skip over irrelevant chunks and scan only the time range of interest. Moreover, as data “cools” with age, TimescaleDB can compress old chunks by over 90%, using a columnar format that both saves storage and speeds up analytical scans.
- Deployment Telemetry and Events: Replicated’s original platform, which manages license keys and updates for on-prem installs, also generates time-stamped telemetry. Each deployed instance can periodically report its version, status, and environment back to Replicated (for example, to a “Report” service). Storing these heartbeats and events in a time-series database lets Replicated and its clients monitor the health and upgrade progress of many installations at once. For instance, an ISV can query how many of its customers have upgraded to the latest patch over the last week, or when a particular instance last checked in. By using TigerData (TimescaleDB) for this operational data, Replicated ensures that aggregating and querying event streams is efficient – even if some of their vendors have hundreds or thousands of endpoints reporting in.
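The two data categories above, scan metadata and deployment telemetry, as one added TimescaleDB example; this is not Replicated’s or TigerData’s schema. The table and column names, the 30-day compression window, the vendor and version values and the sample rows are assumptions; `create_hypertable`, `add_compression_policy`, `time_bucket` and `last()` are standard TimescaleDB functions.

```sql
-- Added example (not Replicated's or TigerData's schema). Scan results are
-- stored as time-series rows so an image's CVE history can be queried later.
CREATE TABLE scan_results (
    scanned_at   TIMESTAMPTZ NOT NULL,
    image_digest TEXT        NOT NULL,   -- content hash of the scanned image
    image_name   TEXT        NOT NULL,
    critical     INT         NOT NULL DEFAULT 0,
    high         INT         NOT NULL DEFAULT 0,
    medium_low   INT         NOT NULL DEFAULT 0,
    cve_ids      TEXT[]      NOT NULL DEFAULT '{}'
);
-- Partition by time: a query bounded by scanned_at touches only matching chunks.
SELECT create_hypertable('scan_results', 'scanned_at');

-- Columnar compression for chunks older than 30 days (assumed window). Segmenting
-- by digest keeps one image's history together, so per-image lookups stay cheap.
ALTER TABLE scan_results SET (
    timescaledb.compress,
    timescaledb.compress_segmentby = 'image_digest',
    timescaledb.compress_orderby   = 'scanned_at DESC'
);
SELECT add_compression_policy('scan_results', INTERVAL '30 days');

-- Heartbeats reported by deployed instances.
CREATE TABLE instance_heartbeats (
    reported_at TIMESTAMPTZ NOT NULL,
    vendor_id   TEXT        NOT NULL,
    instance_id TEXT        NOT NULL,
    version     TEXT        NOT NULL,
    status      TEXT        NOT NULL
);
SELECT create_hypertable('instance_heartbeats', 'reported_at');

-- Constructed sample rows (CVE ids are placeholders, not real identifiers).
INSERT INTO scan_results (scanned_at, image_digest, image_name, critical, high, cve_ids) VALUES
    (now() - INTERVAL '9 days', 'sha256:aaa', 'timescaledb', 1, 2, '{CVE-PLACEHOLDER-1,CVE-PLACEHOLDER-2,CVE-PLACEHOLDER-3}'),
    (now() - INTERVAL '6 days', 'sha256:bbb', 'timescaledb', 0, 0, '{}'),
    (now() - INTERVAL '2 days', 'sha256:bbb', 'timescaledb', 0, 0, '{}');
INSERT INTO instance_heartbeats VALUES
    (now() - INTERVAL '5 days', 'vendor-42', 'inst-1', '2.17.1', 'ready'),
    (now() - INTERVAL '1 day',  'vendor-42', 'inst-1', '2.17.2', 'ready'),
    (now() - INTERVAL '3 days', 'vendor-42', 'inst-2', '2.17.1', 'ready');

-- "Did image X ever have CVEs, and how quickly were they patched?"
-- Earliest vulnerable scan versus the first clean scan that follows it.
SELECT v.image_name,
       MIN(v.scanned_at)                     AS first_vulnerable,
       MIN(c.scanned_at)                     AS first_clean_after,
       MIN(c.scanned_at) - MIN(v.scanned_at) AS time_to_fix
FROM scan_results v
JOIN scan_results c
  ON c.image_name = v.image_name
 AND c.scanned_at > v.scanned_at
 AND c.critical + c.high + c.medium_low = 0
WHERE v.critical + v.high + v.medium_low > 0
GROUP BY v.image_name;

-- Trend: findings detected per week over the last 90 days.
SELECT time_bucket('1 week', scanned_at)     AS week,
       SUM(critical + high + medium_low)     AS findings
FROM scan_results
WHERE scanned_at > now() - INTERVAL '90 days'
GROUP BY week
ORDER BY week;

-- Per instance: current version and last check-in, then how many of one
-- vendor's instances upgraded to the latest patch within the last week.
WITH latest AS (
    SELECT instance_id,
           last(version, reported_at) AS current_version,   -- value at newest time
           max(reported_at)           AS last_checkin
    FROM instance_heartbeats
    WHERE vendor_id = 'vendor-42'
      AND reported_at > now() - INTERVAL '7 days'
    GROUP BY instance_id
)
SELECT count(*) FILTER (WHERE current_version = '2.17.2') AS upgraded,
       count(*)                                            AS reporting,
       min(last_checkin)                                   AS oldest_checkin
FROM latest;
```

With the constructed rows the patch query reports a three-day gap between the vulnerable and first clean scan of `timescaledb`, and the telemetry query reports one of two instances upgraded. The time bound in each query is what lets the hypertable skip chunks outside the range, so include one even when the business question sounds unbounded.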
By choosing TigerData’s managed cloud service, Replicated offloads the operational burden of maintaining this critical database. TigerData ensures high availability and handles replication, backups, and updates, which is invaluable for a lean team delivering a security-critical service. As Grant Miller (Replicated’s CEO) noted, the company has used TigerData’s cloud in production for years without incident – giving them the confidence to focus on SecureBuild’s features rather than babysitting database servers.
Results: Secure, Scalable, and Sustainable Software Distribution
With SecureBuild, Replicated has transformed a daunting problem into a turnkey solution for their customers and the open-source community. The impact is already significant:
- Zero-CVE Software Delivery: Enterprise buyers can now obtain critical infrastructure components – from databases to CI tools – in a hardened form with zero known vulnerabilities. In essence, SecureBuild answers the tough questions enterprises are now asking about supply chain security. This capability not only accelerates sales cycles for software vendors, but it also markedly reduces the risk of running third-party software behind the firewall.
- 100% Uptime: Since entering general availability, SecureBuild has delivered uninterrupted service.
- Faster Patching, Less Disruption: Thanks to the automated rebuild pipeline, vulnerabilities in dependencies are often patched and available in a new image within days (or even hours for urgent issues). This means vendors and their customers spend less time scrambling to apply out-of-band hotfixes or workarounds. SecureBuild meets its 6-day critical SLA consistently, turning security response into a proactive, managed process instead of a fire drill. The result is a more stable experience for end-users – they can plan regular updates with confidence that each update improves security.
- Speed without sacrifice: Even with all the extra security layers, the developer experience and application performance remain excellent. SecureBuild’s images are slimmed down (no bloat from unused packages), and TigerData’s high-performance database ensures that all the supporting data and analytics run smoothly behind the scenes. The combination of TigerData + SecureBuild’s architecture proves that you can introduce robust security and data transparency without slowing down development or deployment.
- Open-Source Sustainability and Trust: Perhaps one of the most noteworthy outcomes is the establishment of a new sustainable model for open-source software. SecureBuild demonstrates that enterprises will pay for open-source software packaged with security guarantees – and by funneling 70% of that revenue to maintainers, it provides a real revenue stream to projects that often struggle for funding.
- A New Chapter for Replicated: Internally, SecureBuild represents a major evolution of Replicated’s business. “It’s built on core Replicated technologies, and it represents our next chapter as a company: not just enabling enterprise distribution, but actively securing the supply chain that powers it,” Grant Miller says. By leveraging modern cloud infrastructure and data platforms like TigerData, Replicated was able to launch this new venture quickly and reliably.
SecureBuild serves as an excellent case study in balancing innovation with practical execution. Replicated thoughtfully adopted cutting-edge technologies—ephemeral Kubernetes builds, minimal OS layers, and robust time-series data infrastructure—to address critical security challenges facing modern enterprises. The outcome is a performant, reliable solution delivering tangible value through enhanced software supply chain security. With TigerData's proven scalability and performance at its core, Replicated ensures that even as SecureBuild continues to grow, enterprises and developers alike will benefit from fast, dependable insights and hardened software delivery. SecureBuild exemplifies how the right architecture enables rapid innovation without compromising reliability, making software supply chains safer and more sustainable for everyone involved.