Overview

Your database of known vulnerabilities must be updated regularly to ensure adequate vulnerability detection. By default, Puppet checks on every Puppet run whether the database is up to date and, if it is not, fetches a new version from the specified URL. (See here for more details.)

Although this is the best approach security-wise, it can introduce dynamic changes to your Puppet runs that you don’t want. If you want more controlled updates, set this value to false and make sure that the vulnerability::update class is scheduled in some other way.