During development, the Build.One Framework is checked for security issues through static code analysis and against the CVE catalog; we have set up SonarQube as part of the CI. Delivery of new releases is held back when critical third-party security issues are found and upgrades are needed.
Customer environments are monitored with regard to the version of Build.One in use. Managed environments are updated according to customer needs and the quality and security updates available in newer framework versions.
Our container registry is checked against known security issues as a managed service by CloudSmith.