How do Convox users keep their Docker images up-to-date with OS security patches?

I saw this post on the /r/devops subreddit, and was wondering if Convox provides any solution for this?

It would be nice if there was a way to monitor security updates with a scheduled task, then automatically rebuild the base images, then run a test suite to make sure that nothing is broken. (But I think this also might be outside the scope of Convox.)

How are other Convox users solving the problem of regular security updates for your base images?