The Red Hat Ecosystem Catalog currently publishes a container health index for container images published by Red Hat. By the end of October 2020, we plan for the Red Hat Ecosystem Catalog to publish the container health index for certified container and Operator images published by Red Hat Partner Connect members.
The container health index and accompanying security and errata information associated with a container image are meant as helpful customer resources. Each user needs to determine risk based on the Container Health Index, their use-case and any other information available to them. Read more about how Red Hat Product Security rates the impact of security issues found in Red Hat products.
Certified partner images and container health index
As part of the Red Hat Container Certification and Red Hat OpenShift Operator certification submission process, partner container images are scanned to extract metadata and information regarding Red Hat RPMs included. The scanned RPM information is compared with both Red Hat and public security advisory and vulnerability sources (Red Hat OVAL v2 streams).
These container images are then graded based on Red Hat published security updates that have or have not been applied and the length of time the software in the container images is exposed to those flaws. The grading system used is called Container Health Index for Red Hat Content. In order to certify a new container image, the image must have a health index grade “A”.
Grade A: This image does not contain known unapplied errata that fix Critical or Important flaws.
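The grading rule above is easy to model: list the Red Hat RPMs an image ships, compare each against the fixed package versions named in the advisories, and the image is grade "A" only if no unapplied advisory is rated Critical or Important. The following is an added illustration, not Red Hat's scanner or grading code; the installed packages and advisory ids (RHSA-XXXX:…) are constructed, and the version comparison is a simplified rpmvercmp that does not handle tilde or caret ordering.

```python
import re
from itertools import zip_longest

# Constructed sample data (not real advisories): RPMs shipped in a partner image,
# as name -> (epoch, version, release), and advisories with severity and fixed EVRs.
INSTALLED = {
    "openssl-libs": ("1", "1.1.1c", "15.el8"),
    "glibc": ("0", "2.28", "101.el8"),
    "bash": ("0", "4.4.19", "12.el8"),
}
ADVISORIES = [
    {"id": "RHSA-XXXX:0001", "severity": "Important", "fixes": {"openssl-libs": ("1", "1.1.1g", "11.el8")}},
    {"id": "RHSA-XXXX:0002", "severity": "Moderate", "fixes": {"bash": ("0", "4.4.19", "14.el8")}},
    {"id": "RHSA-XXXX:0003", "severity": "Critical", "fixes": {"glibc": ("0", "2.28", "101.el8")}},  # applied
]

def _segments(s):
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpm_vercmp(a, b):
    """Simplified rpmvercmp (assumption: tilde/caret ordering is not handled).
    Walks alternating numeric/alphabetic segments; numeric segments compare as
    integers and outrank alphabetic ones; leftover segments make a string newer."""
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x == y:
            continue
        if x is None or y is None:
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        return (x > y) - (x < y)
    return 0

def evr_cmp(a, b):
    """Order (epoch, version, release) tuples: the first differing field decides."""
    return next((c for c in map(rpm_vercmp, a, b) if c), 0)

def unapplied_advisories(installed, advisories):
    """Advisories fixing a shipped package at an EVR newer than the one in the image."""
    return [adv for adv in advisories
            if any(name in installed and evr_cmp(installed[name], evr) < 0
                   for name, evr in adv["fixes"].items())]

def is_grade_a(installed, advisories):
    """Grade A as defined above: no unapplied errata fixing Critical or Important flaws."""
    return not any(adv["severity"] in ("Critical", "Important")
                   for adv in unapplied_advisories(installed, advisories))
```

With the sample data the image misses an Important openssl-libs fix and so is not grade "A"; rebuilding with that one package updated restores grade "A" even though a Moderate bash advisory remains unapplied, which is why a rescan against new RHSAs can change the grade without any change to the image itself.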
The Health Index grade for certified partner container images is temporal. As new software package vulnerabilities are discovered, it is important to rebuild these container images so they stay up to date and keep the health index grade “A”.
Certified containers imply a commitment from Red Hat partners to keep their images up to date and maintain the health index grade “A”. A health index grade other than “A” reflects negatively on the product: organizations frequently run vulnerable software, but few want to download images with known vulnerabilities.
Know and Maintain your health index grade
To assist you with maintaining an up-to-date container image, the certification workflow interface provides the following features for the individuals responsible for container submissions. All certified container images are rescanned for Red Hat RPM content and assigned a health index grade upon release of new Red Hat Security Advisories (RHSA).
- Grades can be viewed in the certification project web user interface in the Red Hat Partner Connect web UI, the same interface used for viewing and publishing partner container images.
- A change in the health index grade triggers a Container Image Maintenance Notice email from email@example.com to the certification project owners. Along with the change in grade the email also includes the list of security vulnerabilities affecting the partner image.
- The health index grade and the list of security vulnerabilities affecting the partner image are also made available through the Red Hat Partner Connect API. The Partner Connect API provides Red Hat partners with a REST interface for automating functions such as keeping certified container images up to date.
- Partners have the option to use the Automated Build Service (ABS). The Automated Build Service automatically builds and publishes a new container image in response to new Red Hat Security Advisories (RHSA). The Automated Build Service leverages the “auto-rebuild” feature of the Build Service. The only requirement to take advantage of the Automated Build Service is that the partner container image source code be accessible via an internet-accessible git repository. If the git repository is protected, an SSH key to access the source code is required.
Stay tuned for the end of October release of container health index for certified container images from Red Hat partners in the Red Hat Ecosystem catalog.