Red Hat Container Image Security Guidelines

Purpose

These guidelines set out Red Hat's mandatory security policy for the use of container images within your ecosystem, with specific attention to images that have old build dates. Because container images are built from content and code maintained in upstream projects, their security depends on timely upstream fixes for Common Vulnerabilities and Exposures (CVEs). The older an image is, the more unfixed CVEs it is likely to carry; older images therefore present a significantly higher, and unacceptable, security risk.

To minimize risk and exposure to known vulnerabilities, Red Hat Product Security issues the following directives to all consumers of container images:

Grade: A/B
Content status: Current, fixed CVEs
Red Hat security mandate: REQUIRED USE. Only deploy images with an A/B rating. These images contain current, validated content and reflect all available security fixes.

Grade: C/D/E
Content status: Increasingly out-of-date
Red Hat security mandate: HIGHLY DISCOURAGED. Deploying images with a C, D, or E rating significantly elevates the risk of malware and vulnerabilities in production environments. These images should be considered legacy and phased out immediately. We do not recommend using these containers if a newer container is available.

Grade: F
Content status: Severely out-of-date, critical vulnerabilities
Red Hat security mandate: DO NOT USE IN PRODUCTION. Do not use container images with a security grade of F for any purpose. These images contain a substantial number of unaddressed vulnerabilities that have been fixed elsewhere and represent a major security liability. Containers with this grade are retained solely for customer compliance purposes and must not be used.

To consistently avoid security exposure and maintain a secure environment, we strongly recommend following the guidance provided by the Red Hat Container Health Index.