The Red Hat Vulnerability Scanning Certification is a collaboration with security partners to deliver more accurate and reliable vulnerability scanning results for Red Hat-published images and packages. Wiz’s focus on cloud-native risk includes our commitment to accurate and insightful vulnerability analysis on all workloads Wiz scans. That is why we are excited to receive the Red Hat Vulnerability Scanning Certification, meaning Wiz’s vulnerability scan report for Red Hat products meets the requirements set by Red Hat.
Traditional vulnerability scanning solutions on the market leave security teams overwhelmed with large numbers of false positives. To enhance trust in vulnerability findings and reduce incidents of false positives and negatives, it's crucial for solutions like Wiz to provide meaningful remediation context. We are proud to have worked in collaboration with the Security Engineering team at Red Hat to refine the Wiz Vulnerability engine to reliably and accurately identify vulnerabilities found on Red Hat official packages and products.
Certification Process
From the outset, the Wiz vulnerability scanner was designed with distribution and build context in mind. For example, a container image running Debian would not report vulnerabilities sourced from Ubuntu or Red Hat package vulnerability streams. Supported by the Wiz Vulnerability Catalog, which ingests vulnerability streams from over 30 upstream open-source and proprietary feeds, Wiz supports detection of over 110k vulnerability across numerous operating systems. This includes the integration of the Red Hat OVAL v2 security data feed, which provides specific details about vulnerabilities affecting Red Hat-supported packages, operating systems, and container images.
As the definitive source, Red Hat’s vulnerability data applies exclusively to Red Hat shipped products. Red Hat Product Security assesses the validity, severity, and CVSS score of vulnerabilities within the specific context of Red Hat's builds. To minimize false positives, Red Hat encourages the use of its vulnerability data to avoid discrepancies that distribution-agnostic scanning can cause.
With this alignment, Wiz now exclusively sources vulnerabilities for Red Hat container images and products from Red Hat security feeds. This means the following:
All vulnerabilities will be enriched with Red Hat specific severities, mapped to the Wiz severity normalization. This allows customers to appropriately prioritize findings according to how Red Hat standards and severities.
If available, Wiz shows Red Hat released patches according to the Red Hat Security Advisory that patches a specific CVE.
Vulnerabilities deemed by Red Hat to be “Not affected” will not be listed in CVE scan results. Despite OSS vulnerability streams reporting vulnerabilities on packages shipped by Red Hat, Red Hat builds of these packages may not be affected.
Wiz is committed to a continue collaboration with Red Hat to ensure that mutual customer receive prioritized and verified insights into their workload risks. With the help of the Red Hat Product Security team, feedback on Wiz’s vulnerability findings and updates from Red Hat security advisories will be exchanged regularly. Additionally, Wiz’s Vulnerability Catalog will consistently integrate updates from Red Hat’s vulnerability feeds to enhance accuracy and relevance.
With this certification, customers can ensure they have accurate and consistent reporting for Red Hat vulnerabilities and effectively remediate most critical vulnerabilities. Get started now with Wiz for vulnerability management, you can learn more in the Wiz Docs (login needed). If you prefer a live demo, we would love to connect with you.
