Container Health Index grades as used inside the Red Hat Container Catalog

Updated -

Red Hat uses the Container Health Index to identify security risk with containers that Red Hat provides through the Red Hat Ecosystem Catalog. These containers consume software provided by Red Hat and our errata process, so old, stale container images are much more likely to contain security risks, while new, fresh containers are less likely.

To illustrate this, we use a grading system. The criteria for determining the grade is based on the age and the criticality (rated Critical or Important) of the oldest flaw that is applicable to the container image. Applicable Moderate or Low severity flaws, of any age, do not influence the Container Health Index.

The following grades and icons are used with a brief explanation of how they are calculated.

Grade A icon Grade A: This image does not contain known unapplied errata that fix Critical or Important flaws.

Grade B icon Grade B: This image may be missing Critical or Important security errata, but no missing Critical flaw is older than 7 days and no missing Important flaw is older than 30 days.

Grade C icon Grade C: This image may be missing Critical or Important security errata, but no missing Critical flaw is older than 30 days and no missing Important flaw is older than 90 days.

Grade D icon Grade D: This image may be missing Critical or Important security errata, but no missing Critical flaw is older than 90 days and no missing Important flaw is older than 365 days.

Grade E icon Grade E: This image may be missing Critical or Important security errata, but no missing Critical or Important flaw is older than 365 days.

Grade F icon Grade F: This image may be missing Critical or Important security errata, and they are older than 365 days. Or the container is out of its lifecycle.

Grade Unknoiwn icon Grade Unknown: This image cannot be scanned as it is missing metadata required to perform the Container Health Index calculation.

For information on the impact ratings, please visit https://access.redhat.com/security/updates/classification . For a more in-depth explanation of the grades used in the Container Health Index, please read Security Scoring and Grading for Containers and Images on the Product Security blog.

Comments