Container certification health index grade walkthrough
Red Hat Container Certification lets you build, certify, and distribute your containerized application. In order to meet the security and support requirements from enterprise customers, the container testing and validation is broken into two main parts:
- The preflight tool, which does static analysis of the container to ensure the container conforms to the .
- CVE Vulnerability Scanning, which checks for vulnerabilities in Red Hat content within the container and gives the image a grade.
Since this process consists of two parts, and the CVE scanning happens in an async fashion, we will walk through the steps to retrieve the grade of the image.
Prerequisites
- Register as a technology partner [in order to complete certification] if not already a partner.
- Review the container certification workflow
- A Container application within the Partner Connect Portal
- A container tool, i.e. Podman/Docker
- Latest release of Preflight Certification tool
- Binary can be downloaded
- Container can be pulled with podman pull quay.io/opedev/preflight:stable
- A CI system that can make curl requests (OpenShift Pipelines, GitHub Actions, Jenkins, etc.)
Build and certify your application container
- To follow along with the below steps, all the prerequisites should have been completed.
Pre-step: Export environment variables
Below are some environment variables that will be used across multiple steps.
NOTE: Documentation on how to obtain a Pyxis API Token or Certification Project ID can be found in the .
export PYXIS_API_TOKEN=abcdefghijklmnopqrstuvwxyz123456
export IMAGE_TAG=registry.example.org/your-namespace/your-image:sometag
export CERTIFICATION_PROJECT_ID=1234567890a987654321bcde
Step 1: Building the container
podman login registry.example.org -u=user --authfile=./temp-auth.json
podman build -t "${IMAGE_TAG}" . && podman push "${IMAGE_TAG}" --authfile=./temp-auth.json
Step 2: Running preflight certification tool
preflight check container registry.example.org/your-namespace/your-image:sometag \
  --submit \
  --pyxis-api-token="${PYXIS_API_TOKEN}" \
  --certification-project-id="${CERTIFICATION_PROJECT_ID}" \
  --docker-config=./temp-auth.json
Querying Red Hat API for health index
After the image is submitted by preflight, an async process kicks off to grade the image. Since the grade won't be returned instantly, we will have to poll for it. In the below script we wait 5 seconds between calls, but your workflow may want to poll at some other interval, or in some other fashion that fits your use case better.
Call Red Hat API until a grade is returned
NOTE: Below we use skopeo inspect instead of podman inspect due ain podman's Digest field.
export CONTAINER_SHA=$(skopeo inspect docker://registry.example.org/your-namespace/your-image:sometag | jq '.["Digest"]')
grade=""
# Loop until the API returns a grade (jq prints nothing while the image is ungraded)
until [ -n "$grade" ]
do
  echo "checking for Health Index Grade"
  grade="$(curl -s -X 'GET' 'https://catalog.redhat.com/api/containers/v1/images?filter=docker_image_digest=='"${CONTAINER_SHA}"'&page_size=100&page=0' \
    -H 'accept: application/json' \
    -H 'X-API-KEY: '"${PYXIS_API_TOKEN}"'' | jq -r '{id: .data[0]._id, freshness_grades: .data[0].freshness_grades[] | {grade, creation_date}}')"
  sleep 5
done
echo "Health Index Grade: $grade"
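A bounded version of the polling loop with a pass/fail gate, as an added example that is not part of the original walkthrough or Red Hat's tooling: it stops after a fixed number of attempts and lets the pipeline fail when the grade is worse than a chosen minimum. The function names, MAX_ATTEMPTS and POLL_INTERVAL are hypothetical, the sample response is constructed, and the start_date/end_date fields are assumed from the Pyxis image schema (the walkthrough only shows grade and creation_date).

```bash
#!/usr/bin/env bash
# Added example (not Red Hat's script). Function names, MAX_ATTEMPTS and
# POLL_INTERVAL are hypothetical; start_date/end_date are assumed from the
# Pyxis image schema and compared as same-format UTC strings.

# Constructed sample response: grade A until 2020-01-01, grade B afterwards.
SAMPLE='{"data":[{"_id":"constructed-id","freshness_grades":[
 {"grade":"A","creation_date":"2019-01-01T00:00:00+00:00","start_date":"2019-01-01T00:00:00+00:00","end_date":"2020-01-01T00:00:00+00:00"},
 {"grade":"B","creation_date":"2019-01-01T00:00:00+00:00","start_date":"2020-01-01T00:00:00+00:00"}]}]}'

# Print the grade in effect at time $2 for API response $1 (nothing if ungraded).
current_grade() {
  printf '%s' "$1" | jq -r --arg now "$2" '
    [ .data[0].freshness_grades[]?
      | select(.start_date <= $now and ((.end_date // "9999") > $now)) ]
    | sort_by(.start_date) | last | .grade // empty'
}

grade_rank() {
  case "$1" in
    A) echo 1 ;; B) echo 2 ;; C) echo 3 ;; D) echo 4 ;; E) echo 5 ;; F) echo 6 ;;
    *) return 1 ;;
  esac
}

# Exit 0 only if grade $1 is at least as good as minimum $2; unknown grades fail.
grade_ok() {
  have=$(grade_rank "$1") && want=$(grade_rank "$2") || return 2
  [ "$have" -le "$want" ]
}

# Poll fetch command $1 until a grade appears; give up after MAX_ATTEMPTS so a
# stalled scan fails the pipeline instead of hanging it or passing ungraded.
wait_for_grade() {
  attempt=0
  while [ "$attempt" -lt "${MAX_ATTEMPTS:-60}" ]; do
    body=$("$1") || body=""
    now=$(date -u +%Y-%m-%dT%H:%M:%S)
    grade=$(current_grade "$body" "$now" 2>/dev/null) || grade=""
    if [ -n "$grade" ]; then echo "$grade"; return 0; fi
    attempt=$((attempt + 1))
    sleep "${POLL_INTERVAL:-5}"
  done
  return 1
}
```

In a pipeline, pass a function that runs the curl call from the walkthrough as the fetch command, then gate with grade_ok "$grade" B || exit 1.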
Getting help
Any issues related specifically to the certification steps can be directed to our .
Further reading
If you are interested in exploring what other APIs Red Hat Certification has to offer, please check out our public .
If you are interested in learning how you could automate Container Certification using OpenShift Pipelines and Quay, please check out this related article.