
Red Hat to publish Container Health Index for certified partner images

October 13, 2020

The Red Hat Ecosystem Catalog currently publishes a container health index for container images published by Red Hat. By the end of October 2020, we plan for the Red Hat Ecosystem Catalog to publish the container health index for certified container and Operator images published by Red Hat Partner Connect members.

The container health index and accompanying security and errata information associated with a container image are meant as helpful customer resources. Each user needs to determine risk based on the Container Health Index, their use-case and any other information available to them. Read more about how Red Hat Product Security rates the impact of security issues found in Red Hat products.

Certified partner images and container health index

Background

As part of the Red Hat Container Certification and Red Hat OpenShift Operator certification submission process, partner container images are scanned to extract metadata and information regarding Red Hat RPMs included. The scanned RPM information is compared with both Red Hat and public security advisory and vulnerability sources (Red Hat OVAL v2 streams).

These container images are then graded based on Red Hat published security updates that have or have not been applied and the length of time the software in the container images is exposed to those flaws. The grading system used is called Container Health Index for Red Hat Content. In order to certify a new container image, the image must have a health index grade “A”.

[Image: container health index]

Grade A: This image does not contain known unapplied errata that fix Critical or Important flaws.

[Image: CHI1]

The Health Index grade for certified partner container images is temporal. As new software package vulnerabilities are discovered, it is important to rebuild these container images to keep them up-to-date and maintain the health index grade “A”.
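As an added illustration of the grade “A” rule and its temporal nature (this is not Red Hat's grading code; the advisory records, the image's package list and the simplified RPM version comparison are all constructed assumptions):

```python
import re

# Constructed sample advisories (not real RHSA ids); real checks use Red Hat OVAL v2 streams.
ADVISORIES = [
    {"id": "RHSA-EXAMPLE-0001", "severity": "Important", "package": "openssl-libs", "fixed": "1:1.1.1g-12.el8"},
    {"id": "RHSA-EXAMPLE-0002", "severity": "Moderate", "package": "curl", "fixed": "7.61.1-14.el8"},
    {"id": "RHSA-EXAMPLE-0003", "severity": "Critical", "package": "bash", "fixed": "4.4.19-12.el8"},
]

# Constructed package list as a scanner would extract it from an image: name -> installed EVR.
IMAGE_RPMS = {"openssl-libs": "1:1.1.1g-11.el8", "curl": "7.61.1-12.el8", "bash": "4.4.19-12.el8"}


def _segcmp(a, b):
    """Simplified rpmvercmp: compare alphanumeric segments, numeric ones as integers."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment sorts newer than alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def _split_evr(evr):
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def evr_cmp(a, b):
    """Return -1, 0 or 1 comparing two [epoch:]version-release strings."""
    ea, va, ra = _split_evr(a)
    eb, vb, rb = _split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return _segcmp(va, vb) or _segcmp(ra, rb)


def unapplied_errata(rpms, advisories):
    """Advisories that fix a package in the image at a version newer than the installed one."""
    return [a for a in advisories
            if a["package"] in rpms and evr_cmp(rpms[a["package"]], a["fixed"]) < 0]


def health_grade(rpms, advisories):
    """'A' when no unapplied erratum fixes a Critical or Important flaw (the page's rule);
    lower grades are not defined on the page, so anything else is reported as 'below A'."""
    blocking = [a for a in unapplied_errata(rpms, advisories) if a["severity"] in ("Critical", "Important")]
    return "A" if not blocking else "below A"
```

Re-running `health_grade` with the same package list against a newer advisory set is what makes the grade temporal: an image graded “A” today drops below “A” as soon as a Critical or Important advisory is published for one of its packages.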

Certified containers imply a commitment from Red Hat partners to keep their images up-to-date to maintain the health index grade “A”. A health index grade other than “A” reflects negatively on the product. Organizations frequently run vulnerable software, but few want to download images with known vulnerabilities.

Know and Maintain your health index grade

To assist you with maintaining an up-to-date container image, the certification workflow interface embeds these features for those individuals responsible for container submissions. All certified container images are rescanned for Red Hat RPM content and assigned a health index grade upon release of new Red Hat Security Advisories (RHSA).

[Image: CHI2]
  • Grades can be viewed within the certification project web user interface in the Red Hat Partner Connect web UI, the same interface used for viewing and publishing partner container images.
  • A change in the health index grade triggers a Container Image Maintenance Notice email from connect@redhat.com to the certification project owners. Along with the change in grade the email also includes the list of security vulnerabilities affecting the partner image.
  • The health index grade and the list of security vulnerabilities affecting the partner image are also made available through the Red Hat Partner Connect API. The Partner Connect API provides Red Hat partners with a REST interface for automating functions such as keeping certified container images up-to-date.
[Image: CHI3]
  • Partners have the option to use the Automated Build Service (ABS). The Automated Build Service automatically builds and publishes a new container image in response to new Red Hat Security Advisories (RHSA). The Automated Build Service leverages the “auto-rebuild” feature of the Build Service. The only requirement to take advantage of the Automated Build Service is that the partner container image source code is accessible via an internet-accessible git repository. If the git repository is protected, an SSH key to access the source code is required.

Stay tuned for the end of October release of the container health index for certified container images from Red Hat partners in the Red Hat Ecosystem Catalog.

Shubha Badve
Technical product manager
Shubha Badve is a technical product manager within the Red Hat Certified Technology Ecosystem (CTE) team for the Red Hat Container Certification offering. Working closely with the Red Hat Enterprise Linux (RHEL) and OpenShift Container Platform (OCP) product management teams, Shubha combines Red Hat's established best practices (product and security) with customer and partner feedback to enhance the Container Certification offering's benefits for partners and customers. Shubha has worked on this team for over two years and lives in Westford, Massachusetts with her husband and two boys.