Release security review

Make the release decision from the product that will ship.

Combine source review, binary analysis, and authorized staging tests in one project so release owners can see what changed, what survived validation, and what still requires action.

Source baselineShipped artifactStaging behavior

One release can have three different security truths.

The repository shows intended behavior. The artifact shows packaging and embedded content. Staging shows how identity, routing, configuration, and network controls behave together.

01

Source review

Assess the release branch or commit with notes about the changed trust boundaries and customer impact.

02

Artifact review

Inspect the APK, JAR, installer, firmware, archive, or packaged output that will be delivered.

03

Authorized staging test

Probe runtime behavior when exploitability depends on roles, tenants, gateway behavior, or deployment configuration.

04

Adversarial validation

Pressure-test consequential findings before making a release, remediation, or disclosure decision.

05

Release handoff

File accepted work, generate a candidate fix, or create an explicit accepted-risk decision with reason.

06

Evidence preservation

Tag the release, retain the assessment versions, and export a reviewed record for the decision.

A concrete path through the work.

ZeroQuarry automates investigation and coordination. Your team keeps control of authorization, risk ownership, and production changes.

STEP 01

Baseline

Review source at the release candidate and identify important changes and inherited risk.

STEP 02

Verify artifact

Assess the build output for packaging, manifest, secret, update, or decompilation-visible failures.

STEP 03

Exercise staging

Test only the live behaviors that require deployment context and explicit authorization.

STEP 04

Decide

Resolve critical and high findings, record exceptions, and preserve the evidence supporting promotion.

What the team gets back.

Useful coverage should lead to faster decisions, cleaner remediation, and evidence that holds up when someone asks for it later.

A clearer go/no-go decision

Separate validated release risk from low-confidence claims and unrelated historical noise.

Coverage across the delivery chain

Catch failures introduced by code, build, packaging, and runtime configuration.

A durable release record

Keep the report, findings, exceptions, remediation, and retest aligned to the version that shipped.

Questions that come up in evaluation.

These are the product boundaries, controls, and operating details teams usually want to understand first.

Do we need all three scan surfaces for every release?

No. Use the surfaces that can change the decision. Source is the normal baseline; add binary or live testing when packaging or runtime behavior materially affects risk.

Can a release review use changed-code scanning?

Yes, but a major release or significant architecture change may justify a broader source review. The right depth depends on change size, exposure, and prior baseline quality.

Can ZeroQuarry make the release decision automatically?

ZeroQuarry provides assessment evidence, review signals, and traceable decisions. Your organization remains responsible for business context and final release authority.

Start with one real security boundary.

Use the free trial on your own product, then decide whether the resulting security work is useful enough to keep.