Container Health Index for Red Hat Content

Container images listed in the Red Hat Ecosystem Catalog are rated based on published security updates that have not been applied and the length of time the software in the container images is exposed to those flaws. Because container trust is temporal, Red Hat grades container images with a simple time-based rating system rather than just a vulnerability-based one. This rating system is called the Container Health Index.

How grades are calculated

Red Hat extracts metadata and information regarding certain packages included in images from Red Hat and certified images from partners. For each image listed in the Red Hat Ecosystem Catalog, the packages that are scanned and not scanned are listed in the Security Tab. Red Hat then compares that information to both internal and public advisory and vulnerability sources to calculate an initial image grade. As new advisories become publicly available, Red Hat scans the images in its ecosystem inventory to see if any are affected. If an affected image is found, Red Hat updates the image grade according to the health index framework and continues to lower the grade over time. Because container images are immutable, an image can only be fixed by a new version of that image.
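To make the time-based idea concrete, here is an added, self-contained model of the grading mechanism described above; it is not Red Hat's code, and the grade letters, day thresholds, version comparison and sample packages/advisories are all constructed for illustration rather than taken from the Container Health Index itself.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Advisory:
    package: str        # affected package name
    fixed_version: str  # first version that carries the fix
    published: date     # date the advisory became public

# Hypothetical grading scale (not Red Hat's published one): a grade is kept
# only while the oldest unapplied advisory has been public for at most N days.
GRADE_LIMITS = [(7, "B"), (30, "C"), (90, "D")]
WORST_GRADE = "E"

def version_key(v):
    """Simplified numeric version ordering (real RPM comparison is richer)."""
    return tuple(int(p) for p in v.replace("-", ".").split("."))

def unapplied(installed, advisories):
    """Advisories whose fix is newer than the package version the image ships."""
    return [a for a in advisories if a.package in installed
            and version_key(installed[a.package]) < version_key(a.fixed_version)]

def health_grade(installed, advisories, as_of):
    """Grade an immutable image as seen on `as_of`: identical image content
    earns a lower grade the longer its unapplied advisories stay public."""
    pending = unapplied(installed, advisories)
    if not pending:
        return "A"
    exposure_days = max((as_of - a.published).days for a in pending)
    for limit, grade in GRADE_LIMITS:
        if exposure_days <= limit:
            return grade
    return WORST_GRADE

# Constructed sample data: one image build, two advisories, and a rebuild.
SAMPLE_IMAGE = {"openssl": "1.1.1-3", "curl": "7.61-5"}
SAMPLE_ADVISORIES = [
    Advisory("openssl", "1.1.1-5", date(2024, 1, 10)),  # fix missing from image
    Advisory("curl", "7.61-5", date(2023, 12, 1)),      # fix already applied
]
REBUILT_IMAGE = {"openssl": "1.1.1-5", "curl": "7.61-5"}

def demo():
    """Same image graded on successive dates, then its rebuilt successor."""
    checks = [date(2024, 1, 12), date(2024, 2, 20), date(2024, 6, 1)]
    timeline = [(d.isoformat(), health_grade(SAMPLE_IMAGE, SAMPLE_ADVISORIES, d))
                for d in checks]
    timeline.append(("rebuilt", health_grade(REBUILT_IMAGE, SAMPLE_ADVISORIES, checks[-1])))
    return timeline  # [('2024-01-12','B'), ('2024-02-20','D'), ('2024-06-01','E'), ('rebuilt','A')]
```

The image content never changes between the three dates; only the calendar does, which is why the grade falls until a rebuilt image that includes the fix restores it.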

Using the Container Health Index

A container image's health index and accompanying security and errata information are meant as helpful references. Each user needs to determine risk based on the Container Health Index, their use-case and any other information available to them. Read more about how Red Hat Product Security rates the impact of security issues found in Red Hat products.

Index grades

The following grades are accompanied by a brief explanation of how they are calculated.
