Container certification health index grade walkthrough

October 3, 2023
Related products: Red Hat Container storage

The Red Hat Container Certification lets you build, certify, and distribute your containerized application. In order to meet the security and support requirements from enterprise customers, the container testing and validation is broken into two main parts:

  • The preflight tool, which does static analysis of the container to ensure the container conforms to the certification policies.
  • CVE Vulnerability Scanning, which checks for vulnerabilities in Red Hat content within the container and gives the image a grade.

Since this process consists of two parts, and the CVE scanning happens in an async fashion, we will walk through the steps to retrieve the grade of the image.

Prerequisites

  • Register as a technology partner here (required in order to complete certification) if you are not already a partner.
  • Review the container certification workflow documentation
  • A Container application project within the Partner Connect Portal
  • A container tool, e.g. Podman or Docker
  • Latest release of the Preflight Certification tool
      • The binary can be downloaded here
      • The container can be pulled with: podman pull quay.io/opdev/preflight:stable
  • A CI system that can make curl requests (OpenShift Pipelines, GitHub Actions, Jenkins, etc.)

Build and certify your application container

  • To follow along with the below steps, all the prerequisites should have been completed.

Pre-step: Export environment variables

Below are some environment variables that will be used across multiple steps.

NOTE: Documentation on how to obtain a Pyxis API Token or Certification Project ID can be found in the Red Hat Software Certification Workflow Guide.

export PYXIS_API_TOKEN=abcdefghijklmnopqrstuvwxyz123456
export IMAGE_TAG=registry.example.org/your-namespace/your-image:sometag
export CERTIFICATION_PROJECT_ID=1234567890a987654321bcde

Step 1: Building the container

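# Log in once and store the registry credentials in a local auth file
podman login registry.example.org -u=user --authfile=./temp-auth.json
# Build and push the image; ${VAR} expands the variable, $(VAR) would try to run it as a command
podman build -t "${IMAGE_TAG}" . && podman push "${IMAGE_TAG}" --authfile=./temp-auth.json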

Step 2: Running preflight certification tool

# Run the checks and submit the results to the certification project
preflight check container registry.example.org/your-namespace/your-image:sometag \
--submit \
--pyxis-api-token="${PYXIS_API_TOKEN}" \
--certification-project-id="${CERTIFICATION_PROJECT_ID}" \
--docker-config=./temp-auth.json

Querying Red Hat API for health index

After the image is submitted by preflight, an async process kicks off to grade the image. Since the grade won't be returned instantly, we will have to poll for it. In the below script we wait 5 seconds between calls, but your workflow may want to poll at some other interval, or in some other fashion that fits your use case better.

Call Red Hat API until a grade is returned

NOTE: Below we use skopeo inspect instead of podman inspect due to a bug in podman's Digest field.

export CONTAINER_SHA=$(skopeo inspect docker://registry.example.org/your-namespace/your-image:sometag | jq '.["Digest"]')

grade=""
# jq prints nothing until the image has freshness_grades, so grade stays empty until then
until [ -n "$grade" ]
do
  echo "checking for Health Index Grade"
  grade="$(curl -s -X 'GET' 'https://catalog.redhat.com/api/containers/v1/images?filter=docker_image_digest=='"${CONTAINER_SHA}"'&page_size=100&page=0' \
    -H 'accept: application/json' \
    -H 'X-API-KEY: '"${PYXIS_API_TOKEN}"'' | jq -r '{id: .data[0]._id, freshness_grades: .data[0].freshness_grades[] | {grade, creation_date}}')"
  sleep 5
done
echo "Health Index Grade: $grade"
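
A bounded version of the polling loop above, written in Python as an added example (not code from the article or from Red Hat): it gives up after a timeout instead of looping forever, picks the grade currently in effect, and lets a CI job fail below a minimum grade. The start_date and end_date fields, the A to F ordering, and all function names are assumptions; the article itself only shows grade and creation_date.

```python
import json
import time
import urllib.parse
import urllib.request
from datetime import datetime, timezone

API = "https://catalog.redhat.com/api/containers/v1/images"  # endpoint from the article
ORDER = "ABCDEF"  # grade letters, best to worst (assumed scale)

def _ts(value):
    """Parse an ISO-8601 timestamp; treat a missing offset as UTC."""
    t = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return t if t.tzinfo else t.replace(tzinfo=timezone.utc)

def current_grade(body, now):
    """Return the grade in effect at `now`, or None if the image is not graded yet."""
    data = body.get("data") or []
    grades = (data[0].get("freshness_grades") or []) if data else []
    for g in grades:
        # start_date / end_date are assumed fields (not shown in the article)
        end = g.get("end_date")
        if _ts(g["start_date"]) <= now and (end is None or now < _ts(end)):
            return g["grade"]
    return None

def fetch(digest, token):
    """One GET against the images endpoint, same filter and header as the curl call."""
    query = urllib.parse.urlencode(
        {"filter": f"docker_image_digest=={digest}", "page_size": 100, "page": 0})
    req = urllib.request.Request(
        f"{API}?{query}", headers={"accept": "application/json", "X-API-KEY": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def wait_for_grade(digest, token, fetch=fetch, timeout=600, interval=5, sleep=time.sleep):
    """Poll until a grade appears; raise TimeoutError instead of looping forever."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        grade = current_grade(fetch(digest, token), datetime.now(timezone.utc))
        if grade is not None:
            return grade
        sleep(interval)
    raise TimeoutError(f"no health index grade for {digest} after {timeout}s")

def gate(grade, minimum="B"):
    """True when `grade` is at least as good as `minimum`."""
    return grade in ORDER and ORDER.index(grade) <= ORDER.index(minimum)
```

In a pipeline, exit non-zero when gate(wait_for_grade(digest, token)) is false so the job fails on a low grade or a timeout.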

Getting help

Any issues related specifically to the certification steps can be directed to our Partner Acceleration Desk (PAD).

Further reading

If you are interested in exploring what other APIs Red Hat Certification has to offer, please check out our public API Specifications.

If you are interested in learning how you could automate Container Certification using OpenShift Pipelines and Quay, please check out this related article.

 

Adam Cornett
Senior Software Engineer
Adam is a Senior Software Engineer who specializes in software certification tooling for Linux containers, Kubernetes, OpenShift, and Operators. Their passion for open-source software aids them in developing high-quality solutions that meet the needs of partners and stakeholders alike. Adam has a proven track record of success in designing, developing, and delivering innovative software solutions that help partners to succeed.