Red Hat Vulnerability Management Certification Workflow Guide
For Use with Red Hat Software Certification
Abstract
Making open source more inclusive
Red Hat is committed to replacing problematic language in our code and documentation. We are beginning with these four terms: master, slave, blacklist, and whitelist. Due to the enormity of this endeavor, these changes will be gradually implemented over upcoming releases. For more details on making our language more inclusive, see our CTO Chris Wright’s message.
Chapter 1. Introduction to Vulnerability Management Certification Program
Use this guide to certify and distribute your vulnerability scanning solution for compatibility with Red Hat published container images and packages, as part of the Red Hat Vulnerability Management Certification program.
1.1. Vulnerability Management certification overview
Red Hat Vulnerability Management Certification is a collaboration with security partners to deliver more accurate and reliable vulnerability scanning results for Red Hat products and packages, particularly container images, including those built from Red Hat Universal Base Images (UBI).
By leveraging Red Hat’s comprehensive and evolving security data, certified partner solutions can reduce false positives and other discrepancies, providing customers with clearer insights into vulnerability risks and a more reliable security assessment process.
Certified products are listed in the Red Hat Ecosystem Catalog and promoted as Red Hat Certified Technologies.
1.2. Certification workflow
Red Hat recommends that you are a Red Hat Certified Engineer or hold equivalent experience before starting the certification process.
The following diagram gives an overview of the Vulnerability Management certification process.
Figure 1.1. The Vulnerability Management Certification workflow
1.3. Getting help and giving feedback
For any questions related to the Red Hat certification toolset, certification process, or procedure described in this documentation, refer to the KB Articles, Red Hat Customer Portal, and Red Hat Partner Connect.
To receive Red Hat product assistance, it is necessary to have the required product entitlements or subscriptions, which may be separate from the partner program and certification program memberships.
Opening a support case
To open a support case, see How do I open and manage a support case?
To open a support case for any certification issue, complete the Support Case Form for Partner Acceleration Desk with special attention to the following fields:
- From the Issue Category, select Product Certification.
- From the Product field, select the required product.
- From the Product Version field, select the version on which your product or application is being certified.
- In the Problem Statement field, type a problem statement or issue or feedback using the following format:
{Partner Certification} (The Issue/Problem or Feedback)
Replace (The Issue/Problem or Feedback) with either the issue or problem faced in the certification process or Red Hat product, or feedback on the certification toolset or documentation.
For example: {Partner Certification} Error occurred while submitting certification test results using the Red Hat Certification application.
Chapter 2. Onboarding certification partners
Use the Red Hat Partner Connect Portal to create a new account if you are a new partner, or use your existing Red Hat account if you are a current partner, to onboard with Red Hat for certifying your products.
2.1. Onboarding existing certification partners
Prerequisites
You have an existing Red Hat account.
Procedure
- Log in to Red Hat Partner Connect.
Enter your Red Hat login or email address and click Next.
Then, use either of the following options:
- Log in with company single sign-on
- Log in with Red Hat account
From the menu bar on the header, click your avatar to view the account details.
- If an account number is associated with your account, log in to Red Hat Partner Connect to proceed with the certification process.
- If no account number is associated with your account, first contact the Red Hat global customer service team to request a new account number.
After that, log in to Red Hat Partner Connect to proceed with the certification process.
2.2. Onboarding new certification partners
Creating a new Red Hat account is the first step in onboarding new certification partners.
- Access Red Hat Partner Connect and click Log in.
- Click Register for a Red Hat account.
Enter the following details to create a new Red Hat account:
- Choose a Red Hat login and password.
If your login ID is associated with multiple accounts, then do not use your contact email as the login ID as this can cause issues during login. Also, you cannot change your login ID once created.
- Enter your Personal information and Company information.
Select Corporate for the Account Type field.
If you have created a Corporate type account and require an account number, contact the Red Hat global customer service team.
Ensure that you create a company account and not a personal account. The account created during this step is also used to sign in to the Red Hat Ecosystem Catalog when working with certification requests.
- Enter your Contact information.
Click Create My Account.
A new Red Hat account is created. Log in to Red Hat Partner Connect to proceed with the certification process.
Chapter 3. Opening a Vulnerability Management certification case
Prerequisites
- Join the Red Hat Partner Connect program.
- Provide basic company information and details about the product you wish to certify, including product documentation, datasheets, and relevant resources.
- Establish a support relationship with Red Hat. You can do this through the multi-vendor support network of TSANet or through a custom support agreement.
- Ensure your product includes a valid software license that allows Red Hat to assess and certify it as part of the program.
Procedure
- Log in to the Red Hat Certification Portal.
On the home page, click Open Certification.
The system displays the Open a New Certification Case dialog.
- Click Next.
Select an option from the Partner and Product list.
If your product does not appear, create it by entering its name in the Product field. Then, select it.
- In the What kind of product is this? section, select Software.
- Click Next.
- Select Vulnerability Scanner under Which category best describes your product?
- In the Sub Category section, select Security.
- In the Product URL field, enter the partner product URL.
- Optional: Enter the Support URL and Specification URL.
Click Next.
Based on your inputs, the system creates a new product in the Partner Product list.
- Select Vulnerability Scanner from the Red Hat Certification list, and click Next.
Review the certification case information and click Open.
Note: Fields marked with an asterisk (*) are mandatory.
Chapter 4. Conducting Vulnerability Scanning and verification
After your certification case is created, you must complete the vulnerability scanning and verification phase.
Prerequisites
- Establish a certification relationship with Red Hat.
- Ensure your security product is ready to scan container images.
- Confirm access to the Red Hat Container Registry.
Procedure
- Pull the required certification test-harness container images from the Red Hat Container Registry.
Use the following certification test-harness images for vulnerability scanning. You are encouraged to use the latest supported versions of these images as listed in the Red Hat Container Catalog.
Image 1:
Image 2:
Note: Certification criteria are defined by the Red Hat Product Security and Red Hat Partner Connect teams.
- Verify that the pulled images match the specified digests to ensure you are using the correct certified versions.
- Scan the test-harness images using the partner security product, without modifying or adjusting the scan output manually.
- Generate a vulnerability scan report in a machine-readable format, preferably CSV. The report must reflect actual product behavior and include all vulnerabilities and related component metadata.
Ensure the report includes the following information for each identified vulnerability:
- CVE identifier
- Red Hat package name and version (with backport fix information, if applicable)
- Red Hat security impact rating (Critical, Important, Moderate, Low)
- Red Hat state (Fixed, Affected, or Not-Affected) and RHSA reference with URL if fixed
- Submit the complete vulnerability scan report to the Red Hat certification team through your Certification case.
- The Red Hat certification team reviews the submitted results to ensure they meet baseline accuracy and formatting requirements. The review may take between two and six weeks from the date of submission.
- After successful verification, Red Hat grants certification for your scanner product.
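The report requirements above are easy to get wrong in practice: scanners commonly emit NVD severities ("High") instead of Red Hat's four-level impact rating, or mark a CVE as Fixed without citing the RHSA. The following script is an added example, not Red Hat's own tooling or part of the certification toolset, that checks a CSV scan report against the fields the procedure lists before you submit it. The column names (`cve_id`, `package`, `version`, `impact`, `state`, `rhsa_id`, `rhsa_url`) are an assumption, since the guide specifies the content but not a CSV header, and the embedded sample rows are constructed with placeholder CVE and RHSA identifiers.

```python
"""Pre-submission check of a vulnerability scan report (CSV) against the
fields Chapter 4 requires. Example code; not part of the Red Hat toolset."""
import csv
import io
import re

# Assumed column names: the guide lists the required fields, not a header.
REQUIRED_COLUMNS = ("cve_id", "package", "version", "impact", "state", "rhsa_id", "rhsa_url")
IMPACT_RATINGS = {"Critical", "Important", "Moderate", "Low"}  # Red Hat's scale, not NVD's
STATES = {"Fixed", "Affected", "Not-Affected"}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
RHSA_RE = re.compile(r"^RHSA-\d{4}:\d{4,}$")
ERRATA_URL = "https://access.redhat.com/errata/"  # public Red Hat errata URL prefix


def validate_row(row, lineno):
    """Return a list of problems for one report row; an empty list means the row is valid."""
    # DictReader yields None for short rows, so normalise every cell to a stripped string.
    row = {k: (v or "").strip() for k, v in row.items() if k is not None}
    problems = []

    def bad(msg):
        problems.append(f"line {lineno}: {msg}")

    if not CVE_RE.match(row.get("cve_id", "")):
        bad(f"malformed CVE identifier {row.get('cve_id')!r}")
    if not row.get("package") or not row.get("version"):
        bad("Red Hat package name and version are required")
    if row.get("impact") not in IMPACT_RATINGS:
        bad(f"impact {row.get('impact')!r} is not a Red Hat rating "
            "(Critical/Important/Moderate/Low; NVD severities such as High are not accepted)")
    state = row.get("state")
    if state not in STATES:
        bad(f"state {state!r} must be Fixed, Affected or Not-Affected")
    elif state == "Fixed":
        # A Fixed entry must carry the RHSA reference and its URL.
        rhsa_id = row.get("rhsa_id", "")
        if not RHSA_RE.match(rhsa_id):
            bad("state Fixed requires an RHSA identifier")
        elif row.get("rhsa_url") != ERRATA_URL + rhsa_id:
            bad(f"RHSA URL must be {ERRATA_URL}{rhsa_id}")
    return problems


def validate_report(csv_text):
    """Validate a whole CSV report; returns the list of problems found (empty if it passes)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        return [f"header is missing required columns: {', '.join(missing)}"]
    problems = []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        problems.extend(validate_row(row, lineno))
    return problems


# Constructed sample report with placeholder identifiers (not real CVEs or advisories).
# Line 4 uses an NVD severity; line 5 claims Fixed without an RHSA reference.
SAMPLE_REPORT = """\
cve_id,package,version,impact,state,rhsa_id,rhsa_url
CVE-0000-00001,examplepkg-a,1.0-1.el9,Important,Fixed,RHSA-0000:0001,https://access.redhat.com/errata/RHSA-0000:0001
CVE-0000-00002,examplepkg-b,2.3-4.el9,Moderate,Not-Affected,,
CVE-0000-00003,examplepkg-c,5.6-7.el9,High,Affected,,
CVE-0000-00004,examplepkg-d,8.9-1.el9,Low,Fixed,,
"""

if __name__ == "__main__":
    for problem in validate_report(SAMPLE_REPORT):
        print(problem)
```

Run it against your own export with `validate_report(open("report.csv").read())`; an empty result means every row carries the fields the review checks for, which does not by itself prove the findings are accurate, only that the report is complete and consistently formatted.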
Chapter 5. Finalizing and publishing the certification
After Red Hat has verified and approved your submitted vulnerability scan results, the final steps of the certification process involve completing product-specific information and publishing the certified product.
5.1. Completing product information
Procedure
- Log in to the Red Hat Certification portal.
- Click the existing certification.
- Click the product under the Partner Product section and navigate to the Properties tab.
- On the Properties tab, enter the required details, such as Detail Description, Short Description, Partner Product Logo, or Product Logo, and other details.
Click Update.
Note: All fields marked with an asterisk (*) are required and must be completed before you can proceed with the certification.
5.2. Certified product publication
You are responsible for completing and submitting the product listing information. After review, Red Hat publishes the certified product in the Red Hat Ecosystem Catalog. Red Hat also issues the Red Hat Certified Technology logo, enabling you to promote your product as a Red Hat Certified Technology for Vulnerability Scanning.
Chapter 6. Certification status maintenance
After you receive certification, you must maintain compliance with Red Hat’s certification requirements by re-certifying your product under the following conditions:
- When a new major version of the certified product is released
- When Red Hat updates the certification test-harness images (once per year)
Red Hat provides appropriate partner communication when it makes updates to the certification test-harness images.
Providing feedback on Red Hat documentation
We appreciate your feedback on our documentation. Let us know how we can improve it.
Submitting feedback through Jira (account required)
- Log in to the Jira website.
- Click Create in the top navigation bar.
- Enter a descriptive title in the Summary field.
- Enter your suggestion for improvement in the Description field. Include links to the relevant parts of the documentation.
- Click Create at the bottom of the dialog.