Abstract image of container cubes and scales with a city skyline background

Technical resources

Container certification health index grade walkthrough

October 3, 2023
3 minute read
Related products: Red Hat Container storage

The Red Hat Container Certification lets you build, certify, and distribute your containerized application. In order to meet the security and support requirements from enterprise customers, the container testing and validation is broken into two main parts:

  • The preflight tool, which does static analysis of the container to ensure the container conforms to the certification policies.
  • CVE Vulnerability Scanning, which checks for vulnerabilities in Red Hat content within the container and gives the image a grade.

Since this process consists of two parts, and the CVE scanning happens in an async fashion, we will walk through the steps to retrieve the grade of the image.


  • Register as a technology partner here [in order to complete certification] if not already a partner.
  • Review the container certification workflow documentation
  • A Container application project within the Partner Connect Portal
  • A container tool ie Podman/Docker
  • Latest release of Preflight Certification tool
  • Binary can be downloaded here
  • Container can be pulled from podman pull –  quay.io/opedev/preflight:stable
  • A CI system that can make curl request (OpenShift Pipelines, Github Actions, Jenkins, etc

Build and certify your application container

  • To follow along with the below steps, all the prerequisites should have been completed.

Pre-step: Export environment variables

Below are some environment variables that will be used across multiple steps.

NOTE: Documentation on how to obtain a Pyxis API Token or Certification Project ID can be found in the Red Hat Software Certification Workflow Guide.

export PYXIS_API_TOKEN=abcdefghijklmnopqrstuvwxyz123456
export IMAGE_TAG=registry.example.org/your-namespace/your-image:sometag
export CERTIFICATION_PROJECT_ID=1234567890a987654321bcde

Step 1: Building the container

podman login registry.example.org -u=user --authfile=./temp-auth.json
podman build -t $(IMAGE_TAG) . && podman push $(IMAGE_TAG) --authfile=./temp-auth.json

Step 2: Running preflight certification tool

preflight check container registry.example.org/your-namespace/your-image:sometag \
--submit \
--pyxis-api-token=$(PYXIS_API_TOKEN) \
--certification-project-id=$(CERTIFICATION_PROJECT_ID) \

Querying Red Hat API for health index

After the image is submitted by preflight, an async process kicks off to grade the image. Since the grade won't be returned instantly, we will have to poll for it. In the below script we wait 5 seconds between calls, but your workflow may want to poll at some other interval, or in some other fashion that fits your use case better.

Call Red Hat API until a grade is returned

NOTE: Below we use skopeo inspect instead of podman inspect due a bug in podman's Digest field.

export CONTAINER_SHA=$(skopeo inspect docker://registry.example.org/your-namespace/your-image:sometag | jq '.["Digest"]')

until [$grade != ""]
  echo "checking for Health Index Grade"
  grade="$(curl -s -X 'GET' 'https://catalog.redhat.com/api/containers/v1/images?filter=docker_image_digest=='"${CONTAINER_SHA}"'&page_size=100&page=0' \
    -H 'accept: application/json' \
    -H 'X-API-KEY: '"${PYXIS_API_TOKEN}"'' | jq -r '{id: .data[0]._id, freshness_grades: .data[0].freshness_grades[] | {grade, creation_date}}')"
  sleep 5
echo "Health Index Grade: $grade"

Getting help

Any issues related specifically to the certification steps can be directed to our Partner Acceleration Desk (PAD).

Further reading

If you are interested in exploring what other API's Red Hat Certification has to offer, please check out our public API Specifications.

If you are interested in learning how you could automate Container Certification using OpenShift Pipelines and Quay, please check out this related article.


adam cornett
Adam Cornett
Senior Software Engineer
Adam is a Senior Software Engineer who specializes in software certification tooling for Linux containers, Kubernetes, OpenShift, and Operators. Their passion for open-source software, aids them in developing high-quality solutions that meet the needs of partners and stakeholders alike. Adam has a proven track record of success in designing, developing, and delivering innovative software solutions that help partners to succeed.