Red Hat Partner Connect program is announcing Red Hat Vulnerability Scanner Certification - a collaboration with security partners to deliver more accurate and more reliable container vulnerability scanning results for Red Hat-published images and packages. Security partners can now consume and defer to Red Hat’s extensive and evolving set of published security data, saving customers time by minimizing false positives and other discrepancies.
Red Hat has been transparently publishing CVE data since 2006, but customers are still seeing false positives and other discrepancies when they obtain vulnerability scanning reports from their respective security management providers.
With this certification, Red Hat has taken a leadership role by 1) formally collaborating with our security partners, 2) simplifying the use of Red Hat-published CVE data and standardizing on OVAL v2, and 3) simplifying customers’ vulnerability management effort with fewer false positives.
Certified security partners will be able to deliver vulnerability scanning reports that incorporate Red Hat-published security data, recommended by Red Hat Product Security, in a standardized fashion. Security partners that are not certified will continue as they have been operating and will continue to make their own determination as to which Red Hat security data to incorporate.
No, this certification is only for security partners that have a vulnerability scanning solution.
By sending an email to the certification team at [email protected].
Visit the Red Hat product page.
Visit the Red Hat Ecosystem Catalog page.
Yes. See Dave Meurer’s “Shakespearean” article.
No. The current scope of this certification is for Red Hat packages that are in a container only (whether that container image is Red Hat-developed or non-Red Hat-developed).
Certified scanner solutions will display the Red Hat Severity Impact Rating (Critical, Important, Moderate or Low) for each CVE as determined by Red Hat Product Security, based on the specific Red Hat product version the package belongs to.
Certified scanners will be able to display CVEs for which Red Hat already has a fix (an RHSA) as well as those CVEs for which Red Hat has yet to provide a fix.
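The two answers above describe what a certified scanner reports per CVE: the Red Hat severity rating scoped to a product version, and whether an RHSA fix exists yet. The following is an added example of how a scanner might derive both from Red Hat-style OVAL v2 data; it is not Red Hat's or any partner's code. The XML fragment is a constructed, simplified approximation of the OVAL v2 layout (element names such as `advisory`, `severity` and `affected_cpe_list` are assumptions), and all CVE, RHSA and CPE values are placeholders.

```python
"""Annotate container-scan findings with Red Hat severity and fix status
from a (simplified, constructed) OVAL v2 definitions document."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Red Hat's four-level Severity Impact Rating, as named on the page.
RED_HAT_SEVERITIES = ("Critical", "Important", "Moderate", "Low")

# Constructed sample data (placeholder identifiers, not real advisories):
# one CVE already fixed by an RHSA, one CVE with no Red Hat fix yet.
SAMPLE_OVAL = """<?xml version="1.0"?>
<oval_definitions>
  <definitions>
    <definition id="oval:example:def:1" class="patch">
      <metadata>
        <title>RHSA-0000:0001: examplepkg security update (Important)</title>
        <reference source="RHSA" ref_id="RHSA-0000:0001"/>
        <reference source="CVE" ref_id="CVE-0000-0001"/>
        <advisory>
          <severity>Important</severity>
          <affected_cpe_list>
            <cpe>cpe:/o:redhat:enterprise_linux:8</cpe>
          </affected_cpe_list>
        </advisory>
      </metadata>
    </definition>
    <definition id="oval:example:def:2" class="vulnerability">
      <metadata>
        <title>CVE-0000-0002 examplepkg: placeholder issue (Moderate)</title>
        <reference source="CVE" ref_id="CVE-0000-0002"/>
        <advisory>
          <severity>Moderate</severity>
          <affected_cpe_list>
            <cpe>cpe:/o:redhat:enterprise_linux:8</cpe>
            <cpe>cpe:/o:redhat:enterprise_linux:9</cpe>
          </affected_cpe_list>
        </advisory>
      </metadata>
    </definition>
  </definitions>
</oval_definitions>
"""


@dataclass(frozen=True)
class RedHatCveRecord:
    cve: str
    severity: str             # one of RED_HAT_SEVERITIES
    rhsa: Optional[str]       # advisory id when Red Hat has shipped a fix
    cpes: Tuple[str, ...]     # product versions the rating applies to


def parse_oval(xml_text: str) -> List[RedHatCveRecord]:
    """Turn each OVAL definition into one record per CVE it references."""
    root = ET.fromstring(xml_text)
    records = []
    for defn in root.iter("definition"):
        meta = defn.find("metadata")
        refs = meta.findall("reference")
        cves = [r.get("ref_id") for r in refs if r.get("source") == "CVE"]
        rhsas = [r.get("ref_id") for r in refs if r.get("source") == "RHSA"]
        severity = meta.findtext("advisory/severity", default="").strip()
        if severity not in RED_HAT_SEVERITIES:
            # Refuse to guess: a scanner should surface Red Hat's rating, not invent one.
            raise ValueError(f"unknown severity {severity!r} in {defn.get('id')}")
        cpes = tuple(c.text.strip() for c in meta.iter("cpe") if c.text)
        for cve in cves:
            records.append(RedHatCveRecord(cve, severity, rhsas[0] if rhsas else None, cpes))
    return records


def lookup(records: List[RedHatCveRecord], cve: str, cpe: str) -> Optional[RedHatCveRecord]:
    """Find Red Hat's record for this CVE scoped to the given product version."""
    for rec in records:
        if rec.cve == cve and cpe in rec.cpes:
            return rec
    return None


def annotate_findings(records: List[RedHatCveRecord],
                      findings: List[Tuple[str, str]]) -> List[Dict[str, Optional[str]]]:
    """findings: (cve, product cpe) pairs from a scan of Red Hat packages in a container.
    Status is 'fixed' (RHSA exists), 'unfixed' (Red Hat tracks it, no fix yet) or
    'no-redhat-record' (no Red Hat data for that CVE/product, so flag for review)."""
    out = []
    for cve, cpe in findings:
        rec = lookup(records, cve, cpe)
        if rec is None:
            out.append({"cve": cve, "cpe": cpe, "severity": None, "rhsa": None,
                        "status": "no-redhat-record"})
        else:
            out.append({"cve": cve, "cpe": cpe, "severity": rec.severity, "rhsa": rec.rhsa,
                        "status": "fixed" if rec.rhsa else "unfixed"})
    return out


if __name__ == "__main__":
    recs = parse_oval(SAMPLE_OVAL)
    for row in annotate_findings(recs, [("CVE-0000-0001", "cpe:/o:redhat:enterprise_linux:8"),
                                        ("CVE-0000-0002", "cpe:/o:redhat:enterprise_linux:9"),
                                        ("CVE-0000-0003", "cpe:/o:redhat:enterprise_linux:8")]):
        print(row)
```

The point of scoping `lookup` by CPE is the one the first answer makes: the same CVE can carry a different Red Hat rating, or no record at all, depending on which product version the package came from, so a scanner that keys only on the CVE id will report discrepancies that Red Hat's own data does not.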
Discrepancies may still occur, but we believe there will be significantly fewer with certified partners. We have also integrated support processes with certified partners, so when discrepancies happen with Red Hat-managed packages in containers, you are welcome to contact Red Hat Support.