Red Hat extracts metadata and information regarding certain packages included in images from Red Hat and certified images from partners. For each image listed in the Red Hat Ecosystem Catalog, the packages that are scanned and not scanned are listed in the Security Tab. Red Hat then compares that information to both internal and public advisory and vulnerability sources to calculate an initial image grade. As new advisories become publicly available, Red Hat will scan the images in its ecosystem inventory to see if any are affected. If an affected image is found, Red Hat will update the image grade according to the heath index framework and will continue to lower the grade over time. Because container images are immutable, an image can only be fixed by a new version of that image.