Container security
When it comes to security, what’s inside a container matters. The following topics and questions address how the Red Hat Ecosystem Catalog handles container security and how Red Hat’s container ecosystem is built for security.
Image providers
The Red Hat Ecosystem Catalog lists images from Red Hat as well as certified images from our software partners. Red Hat certifies container images and operators from Red Hat partners through one of our container-based certification programs. These container images come from a trusted source and have been assessed by Red Hat for adherence to certain standards before publishing. Software vendors are responsible for maintaining their containers and keeping them current.
Vulnerability assessment
All container images in the Red Hat Ecosystem Catalog, whether from Red Hat or third-party providers, undergo continuous scanning and assessment. Each time a new or updated image is prepared for publication, its metadata and content are extracted, stored, and compared against known vulnerabilities regardless of impact rating. This information is transparently displayed in the catalog in the image's Security section, including:
what packages are included in an image
which (if any) are impacted by publicly available security advisories
advisory information and impact, including links to those advisories and related CVEs
In addition, each image is graded according to the Container Health Index for Red Hat Content framework that incorporates vulnerability information within a simple time-based rating system.
When a new version of an image is readied, it is not only scanned but also compared to the metadata of previous image versions. Security information for these new image versions will also include:
which packages were added or updated from the previous version
which of those package updates address a security advisory
advisory information and impact, including links to those advisories and related CVEs
In this way, customers can follow what, how, and why image content changes with each version.
Furthermore, when a new security advisory is published, the entire inventory of images available in the catalog is compared against the advisory; and any images found to be impacted by the new advisory will have their security assessment and health index grade updated. In this way, Red Hat provides a constant security assessment loop, enabling customers to see how image changes and recent security advisories apply.
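The assessment loop described above (extract the package inventory, match it against advisories, diff it against the previous image version, and re-assess the whole inventory when a new advisory is published) can be modelled in a few functions. The following is an added example written for this page, not Red Hat's scanner or catalog code: the images, package versions, advisory IDs and CVE names are constructed placeholders, the version comparison is a simplified stand-in for RPM's epoch:version-release comparison, and the letter-grade thresholds are an illustrative assumption rather than the published Container Health Index definition.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample data: placeholder advisory IDs and CVE names, not real advisories.


@dataclass
class Advisory:
    id: str
    impact: str          # Red Hat impact rating: Low, Moderate, Important, Critical
    cves: tuple
    fixes: dict          # package name -> first version carrying the fix
    published: date


@dataclass
class Image:
    name: str
    packages: dict       # package name -> installed version


def vkey(version):
    """Simplified version key; real RPM comparison uses rpmvercmp on epoch:version-release."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))


def affected(image, advisories):
    """advisory id -> packages in the image that are older than the fixed version."""
    out = {}
    for adv in advisories:
        hit = sorted(p for p, fixed in adv.fixes.items()
                     if p in image.packages and vkey(image.packages[p]) < vkey(fixed))
        if hit:
            out[adv.id] = hit
    return out


def diff_versions(old, new):
    """Packages added or updated between two versions of the same image."""
    added = {p: v for p, v in new.packages.items() if p not in old.packages}
    updated = {p: (old.packages[p], v) for p, v in new.packages.items()
               if p in old.packages and vkey(v) > vkey(old.packages[p])}
    return added, updated


def security_updates(old, new, advisories):
    """Updated packages that moved from an affected to a fixed version, with the advisories addressed."""
    before, after = affected(old, advisories), affected(new, advisories)
    result = {}
    for adv_id, pkgs in before.items():
        for p in pkgs:
            if p not in after.get(adv_id, []) and new.packages.get(p) != old.packages[p]:
                result.setdefault(p, []).append(adv_id)
    return result


def grade(image, advisories, today):
    """Illustrative time-based grade (assumed thresholds): the older the oldest
    unresolved Important/Critical advisory, the lower the grade."""
    open_ids = affected(image, advisories)
    ages = [(today - a.published).days for a in advisories
            if a.id in open_ids and a.impact in ("Important", "Critical")]
    if not ages:
        return "A"
    oldest = max(ages)
    for letter, limit in (("B", 7), ("C", 30), ("D", 90), ("E", 365)):
        if oldest <= limit:
            return letter
    return "F"


class Catalog:
    """Image inventory plus the re-assessment loop triggered by each new advisory."""
    def __init__(self, today):
        self.today, self.images, self.advisories, self.assessments = today, {}, [], {}

    def publish(self, image):
        self.images[image.name] = image
        self._assess(image)

    def add_advisory(self, adv):
        self.advisories.append(adv)
        for image in self.images.values():   # compare the whole inventory against the new advisory
            self._assess(image)

    def _assess(self, image):
        self.assessments[image.name] = {
            "affected": affected(image, self.advisories),
            "grade": grade(image, self.advisories, self.today)}


RHSA_1 = Advisory("RHSA-EXAMPLE-0001", "Important", ("CVE-EXAMPLE-0001",),
                  {"openssl-libs": "1.1.1k-9"}, date(2024, 1, 10))
RHSA_2 = Advisory("RHSA-EXAMPLE-0002", "Moderate", ("CVE-EXAMPLE-0002",),
                  {"zlib": "1.2.11-33"}, date(2024, 3, 1))
APP_V1 = Image("example/app:1.0", {"openssl-libs": "1.1.1k-7", "curl": "7.76.1-14", "zlib": "1.2.11-31"})
APP_V2 = Image("example/app:1.1", {"openssl-libs": "1.1.1k-9", "curl": "7.76.1-14",
                                   "zlib": "1.2.11-31", "jq": "1.6-3"})


def demo():
    """Publish two versions, then feed advisories in; returns assessments before and after the second one."""
    cat = Catalog(today=date(2024, 3, 15))
    cat.publish(APP_V1)
    cat.publish(APP_V2)
    cat.add_advisory(RHSA_1)                       # openssl fix: only 1.0 is still affected
    snapshot = {n: dict(a) for n, a in cat.assessments.items()}
    cat.add_advisory(RHSA_2)                       # new zlib advisory: both images re-assessed
    return snapshot, cat.assessments


if __name__ == "__main__":
    print(diff_versions(APP_V1, APP_V2))
    print(security_updates(APP_V1, APP_V2, [RHSA_1, RHSA_2]))
    print(demo())
```

Running `demo()` shows the two behaviours the text describes: the version diff attributes the `openssl-libs` update to its advisory, and adding the later zlib advisory changes the assessment of both existing images without any new image being published.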
Image update frequency
Third-party providers may have their own approach and process, but they are required to keep their product images up to date if and when those images are impacted by security advisories, or as otherwise defined by the certification programs.
Platform security