Container Health Index for Red Hat Content

Container images listed in the Red Hat Ecosystem Catalog are rated based on published security updates that have not been applied and the length of time the software in the container images is exposed to those flaws. Because container trust is temporal, Red Hat grades container images with a simple time-based rating system rather than just a vulnerability-based one. This rating system is called the Container Health Index.

How grades are calculated

Red Hat extracts metadata and information regarding certain packages included in images from Red Hat and certified images from partners. For each image listed in the Red Hat Ecosystem Catalog, the packages that are scanned and not scanned are listed in the Security Tab. Red Hat then compares that information to both internal and public advisory and vulnerability sources to calculate an initial image grade. As new advisories become publicly available, Red Hat will scan the images in its ecosystem inventory to see if any are affected. If an affected image is found, Red Hat will update the image grade according to the health index framework and will continue to lower the grade over time. Because container images are immutable, an image can only be fixed by a new version of that image.

Using the Container Health Index

A container image's health index and accompanying security and errata information are meant as helpful references. Each user needs to determine risk based on the Container Health Index, their use case and any other information available to them. Read more about how Red Hat Product Security rates the impact of security issues found in Red Hat products.

Index grades

Each of the following grades is accompanied by a brief explanation of how it is calculated.

| Grade | Description |
| --- | --- |
| A | This image does not contain any known unapplied errata that fix Critical or Important flaws. |
| B | This image may be missing Critical or Important security errata. No missing Critical security errata is older than 7 days. No missing Important security errata is older than 30 days. |
| C | This image may be missing Critical or Important security errata. No missing Critical security errata is older than 30 days. No missing Important security errata is older than 90 days. |
| D | This image may be missing Critical or Important security errata. No missing Critical security errata is older than 90 days. No missing Important security errata is older than 365 days. |
| E | This image may be missing Critical or Important security errata. No missing Critical or Important security errata is older than 365 days. |
| F | This image may be missing Critical or Important security errata older than 365 days or the product to which this image belongs is beyond its lifecycle. |
| Unknown | This image is missing metadata required to accurately calculate a grade. |
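The grading rules above can be expressed as a small function, shown here as an added example that is not Red Hat's own code. It labels the six graded rows A through F in table order and assumes that an erratum's age is the number of days since it was published; the function names, parameters and sample dates are constructed for illustration.

```python
from datetime import date

# Per-row limits: (grade, max age in days of a missing Critical erratum,
# max age in days of a missing Important erratum). Row order follows the table.
THRESHOLDS = [("B", 7, 30), ("C", 30, 90), ("D", 90, 365), ("E", 365, 365)]


def grade_image(missing_errata, today, end_of_life=None, metadata_ok=True):
    """Grade one image.

    missing_errata: list of (severity, published_date) for unapplied errata.
    end_of_life:    date the owning product leaves its lifecycle, if known.
    metadata_ok:    False when the data needed for grading is missing.
    """
    if not metadata_ok:
        return "Unknown"
    if end_of_life is not None and today > end_of_life:
        return "F"  # product beyond its lifecycle

    # Only Critical and Important errata affect the grade.
    crit = [(today - d).days for s, d in missing_errata if s == "Critical"]
    imp = [(today - d).days for s, d in missing_errata if s == "Important"]
    if not crit and not imp:
        return "A"

    oldest_crit = max(crit, default=0)
    oldest_imp = max(imp, default=0)
    # "Older than N days" is strict, so an erratum exactly N days old
    # still satisfies the row's limit.
    for grade, crit_max, imp_max in THRESHOLDS:
        if oldest_crit <= crit_max and oldest_imp <= imp_max:
            return grade
    return "F"  # something is missing for more than 365 days


def grade_timeline(missing_errata, dates, **kwargs):
    """Grade the same immutable image on several dates to show the decay."""
    return [(d, grade_image(missing_errata, d, **kwargs)) for d in dates]


if __name__ == "__main__":
    # Constructed sample: one unapplied Critical erratum published 2024-03-01.
    sample = [("Critical", date(2024, 3, 1)), ("Moderate", date(2023, 1, 1))]
    checkpoints = [date(2024, 3, 8), date(2024, 3, 9), date(2024, 5, 31),
                   date(2025, 3, 2)]
    for day, grade in grade_timeline(sample, checkpoints):
        print(day.isoformat(), grade)
```

Because the image itself never changes, the only input that moves is the evaluation date, which is why an unpatched image drifts from B toward F without any new flaw being found.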
