Chapter 1. Introduction to Vulnerability Management Certification policies
The Vulnerability Management Certification Policy Guide outlines the technical and operational requirements for certifying third-party security scanning products with Red Hat.
Use this guide to certify your scanning solutions in alignment with Red Hat security best practices in jointly supported customer environments.
1.1. Audience
Red Hat offers Vulnerability Management Certification to commercial security vendors that provide container image vulnerability scanning solutions intended for use with Red Hat platforms.
1.2. Overview of the program
The Red Hat Vulnerability Management Certification Program provides a formal process to verify that partner security solutions correctly use Red Hat-provided security data for Red Hat products. This includes CVE metadata, severity ratings, exploitability information (CSAF-VEX), and remediation advisories (RHSA).
Vulnerability management certification is distinct from Red Hat Container Certification. The Container Certification program focuses on verifying container images for supportability and compliance with Red Hat base image requirements.
Red Hat works directly with partners during the certification process to review scanner behavior, metadata handling, and report formatting. Certified products are listed in the Red Hat Ecosystem Catalog, helping establish technical alignment and assurance within the Red Hat ecosystem.
1.3. Create value for customers
The certification process enables partners to confirm that their vulnerability scanning solutions meet Red Hat standards for accuracy, compatibility, and security when assessing Red Hat-published container images and packages.
Red Hat customers benefit from trusted security tools that are tested and jointly supported by Red Hat and the partner, helping them maintain a secure and compliant container environment.
1.4. Vulnerability report format for certification
To conduct a certification review, submit the vulnerability scan results in a standardized CSV format with the following required fields:
- CVE ID
- Package
- Package version
- RH Severity
- RH CVSS (if reported separately from the CVSS field)
- Link, resource, or fix information (use this field to report the RHSA)
The following fields are optional, but they greatly help with the certification review:
- Container Name
- Container Version Tag
- PURL
The following example illustrates the recommended CSV format:
| Registry | Repository | Container Tag | Image Digest | CVE ID | Package | Red Hat Severity | Red Hat CVSS | Red Hat RHSA Information | Fix Package Information |
|---|---|---|---|---|---|---|---|---|---|
| registry.access.redhat.com | ubi8/python-27 | 2.7-218 | sha256:ef9b8ef384fbb5faf0985914c40839b5b26cb9dd82740ff1255c12a249143534 | CVE-2023-30630 | dmidecode 3.3-4.el8 | Moderate | 7.1 | RHSA-2023:5252 | dmidecode-3.3-4.el8_8.1 |
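As an added example that is not part of the guide or of any Red Hat tooling, the script below parses a report in the recommended CSV layout and checks the required fields before submission: the required columns are present, each CVE ID and RHSA identifier has the expected shape, the severity is one of Red Hat's four ratings (Low, Moderate, Important, Critical, taken from Red Hat's published severity scale rather than from this page), the CVSS score is numeric and within 0.0 to 10.0, and any image digest present is a well-formed sha256 digest. The column names follow the table above; the first sample row reproduces the guide's example and the second is a deliberately malformed row constructed for this illustration.

```python
import csv
import io
import re

# Constructed sample in the recommended CSV layout. Row 1 reproduces the guide's
# example; row 2 is a deliberately malformed row added for this illustration.
SAMPLE_CSV = """\
Registry,Repository,Container Tag,Image Digest,CVE ID,Package,Red Hat Severity,Red Hat CVSS,Red Hat RHSA Information,Fix Package Information
registry.access.redhat.com,ubi8/python-27,2.7-218,sha256:ef9b8ef384fbb5faf0985914c40839b5b26cb9dd82740ff1255c12a249143534,CVE-2023-30630,dmidecode 3.3-4.el8,Moderate,7.1,RHSA-2023:5252,dmidecode-3.3-4.el8_8.1
registry.access.redhat.com,ubi8/python-27,2.7-218,sha256:ef9b8ef384fbb5faf0985914c40839b5b26cb9dd82740ff1255c12a249143534,cve-2023-0001,example-pkg 1.0-1.el8,High,11,,
"""

# Columns the guide lists as required (names as used in the example table).
REQUIRED_COLUMNS = ("CVE ID", "Package", "Red Hat Severity",
                    "Red Hat CVSS", "Red Hat RHSA Information")
# Red Hat's four-level severity scale (assumed from Red Hat's published ratings).
RH_SEVERITIES = {"Low", "Moderate", "Important", "Critical"}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
RHSA_RE = re.compile(r"^RHSA-\d{4}:\d{4,}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def field(row, name):
    """Return a cell as a stripped string; missing cells become ''."""
    return (row.get(name) or "").strip()


def check_row(row, lineno):
    """Return a list of problems found in one report row (empty list = clean)."""
    problems = []
    cve = field(row, "CVE ID")
    if not CVE_RE.match(cve):
        problems.append(f"line {lineno}: CVE ID {cve!r} is not of the form CVE-YYYY-NNNN")
    if not field(row, "Package"):
        problems.append(f"line {lineno}: Package is empty")
    severity = field(row, "Red Hat Severity")
    if severity not in RH_SEVERITIES:
        problems.append(f"line {lineno}: severity {severity!r} is not a Red Hat rating "
                        f"{sorted(RH_SEVERITIES)}")
    cvss = field(row, "Red Hat CVSS")
    try:
        if not 0.0 <= float(cvss) <= 10.0:
            raise ValueError(cvss)
    except ValueError:
        problems.append(f"line {lineno}: Red Hat CVSS {cvss!r} is not a number in 0.0-10.0")
    rhsa = field(row, "Red Hat RHSA Information")
    if not rhsa:
        # The field is required; an empty value means the scanner reported no
        # advisory for this finding, so flag it for the reviewer.
        problems.append(f"line {lineno}: no RHSA reported for {cve!r}")
    elif not RHSA_RE.match(rhsa):
        problems.append(f"line {lineno}: RHSA {rhsa!r} is not of the form RHSA-YYYY:NNNN")
    digest = field(row, "Image Digest")
    if digest and not DIGEST_RE.match(digest):
        problems.append(f"line {lineno}: Image Digest {digest!r} is not a sha256 digest")
    return problems


def validate_report(text):
    """Parse a CSV report and return (rows_checked, problems)."""
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in headers]
    if missing:
        return 0, [f"missing required columns: {missing}"]
    problems = []
    rows = 0
    # Line 1 is the header, so data rows start at line 2 of the file.
    for lineno, row in enumerate(reader, start=2):
        rows += 1
        problems.extend(check_row(row, lineno))
    return rows, problems


if __name__ == "__main__":
    count, found = validate_report(SAMPLE_CSV)
    print(f"checked {count} row(s), {len(found)} problem(s)")
    for item in found:
        print(" -", item)
```

Running the script reports the four problems in the constructed second row (lowercase CVE identifier, a severity outside Red Hat's scale, a CVSS score above 10, and a missing RHSA) and none in the guide's example row. The CVE check is deliberately case-sensitive, since identifier normalization is one of the metadata-handling points a reviewer compares against Red Hat's own data.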