Module 02: Vulnerability management and risk

This module covers how RHACS 4.10 surfaces and prioritizes vulnerabilities across containerized workloads, nodes, and VM-based workloads, then extends that analysis into a full risk picture that accounts for deployment configuration and runtime activity.

Estimated time: 15-20 minutes

Part 1: Vulnerability results overview

Know

Context: Container vulnerability management requires a different mental model from traditional VM scanning. Images are immutable, layered artifacts — and the fix is almost always an image rebuild, not a patch applied in place.

Why vulnerability management in containers is different:

  • Traditional scanners were built for long-lived VMs where you patch in place. Container workloads are rebuilt and replaced, so the response to a CVE is fundamentally different.

  • A single base image vulnerability can propagate to hundreds of running containers simultaneously. Fixing one base image can eliminate that CVE across the entire fleet.

  • Not all CVEs are created equal. A vulnerability in a library that is never called is categorically different from one in an actively exercised code path.

How RHACS organizes vulnerability data:

  • User workloads — application containers your teams deploy and own

  • Platform — OpenShift platform components (control plane, operators, infrastructure services)

  • Nodes — the RHEL CoreOS operating system running on each node

This separation matters because each layer has a different owner and a different remediation path. Misattributing a platform CVE to an application team wastes time and creates friction.

The fixable filter:

By default, RHACS surfaces only Important and Critical CVEs that are "Fixable" — meaning the upstream maintainer has published a patch. Asking teams to resolve vulnerabilities with no fix available is not a productive use of time. The fixable filter ensures every CVE in the default view has a clear remediation path.

Show

What I say:

"Vulnerability management is where most security teams start with RHACS. Let me show you how the Results page is organized and how the platform helps you separate signal from noise."

What I do:

  1. From the left side menu, expand Vulnerability Management and click Results.

  2. Point to the workload tabs at the top of the page:

    "The page separates CVEs into three categories: user workloads, platform components, and nodes. That separation is important because remediation responsibility is different for each layer. Your application teams own user workloads; your platform team owns the platform layer and nodes."

  3. Point to the active filters:

    "By default, RHACS filters to Important and Critical CVEs that are fixable. This is deliberate. We think it’s reasonable to ask your teams to pick up fixes published by upstream communities, but it’s not practical to ask them to remediate vulnerabilities with no patch available."

  4. In the User Workloads view, click the <#> Deployments button:

    "You can view vulnerability data organized by CVE, by Image, or by Deployment. This gives you multiple angles into the same data set depending on what question you’re trying to answer."

  5. Click Nodes from the top menu:

    "RHACS also scans the RHEL CoreOS nodes for CVEs. Each node is listed with its OS version and container engine. Drill down into any node to see the CVE list and the affected components."

  6. Click into a node, scroll down the CVE list, and expand a CVE entry:

    "Expanding a CVE shows the affected component, the version present, the fixed version, and the source — whether it came from the NVD feed or from Red Hat’s own RHSA advisory feed."

  7. Navigate back to Vulnerability Management > Results.

What they should notice:

  • Vulnerability data is automatically collected across all cluster layers with no manual configuration

  • The workload separation makes it clear which team owns each finding

  • The fixable filter makes the default view immediately actionable

Presenter tip: If the environment has no results with the default filters enabled, remove the Fixable filter to show the full CVE landscape. Explain that the filtered view is the recommended starting point for teams that want to work through vulnerabilities systematically.
Vulnerability Management Results page showing CVEs filtered to Critical and Important fixable findings across user workloads
Figure 1. Vulnerability Results page with default filters

Part 2: Image details and CVE triage

Know

Context: Container image age is one of the most reliable leading indicators of accumulated security debt. An image that has not been rebuilt in years will accumulate CVEs continuously as new vulnerabilities are disclosed against its dependencies.

The image age problem:

  • Container images capture a snapshot of their dependencies at build time

  • Vulnerabilities disclosed after the build date accumulate silently

  • An image with a base OS that has reached end-of-life no longer receives security advisories, meaning the vulnerability count is likely understated

How RHACS approaches CVE triage:

  • RHACS ingests both NVD (National Vulnerability Database) and Red Hat RHSA (Red Hat Security Advisory) feeds, providing two perspectives on each CVE

  • For Red Hat-based images, the RHSA feed provides context about which CVEs Red Hat considers exploitable in practice, reducing false positives

  • The scanner identifies the exact layer in the container image where a vulnerable component was introduced, which points directly to the fix location

Show

What I say:

"Let me show you what a specific image looks like in detail. This visa-processor image is a good example of the kind of security debt that accumulates when images are not regularly rebuilt."

What I do:

  1. From Vulnerability Management > Results, click the <#> CVEs button under the filter controls to switch to the CVE view.

  2. Locate and click the image rhacs-demo/visa-processor:latest-v2.

  3. Point to the Image Summary at the top:

    "At the top, you can see the OS, when it was last scanned, and which scanner was used. Notice the warning that CVE data is stale — this image’s base OS has reached end-of-life and the distribution has stopped publishing security fixes. That means this CVE count is actually understated. New vulnerabilities are being discovered, but no patches will be issued."

  4. Scroll to the Image Findings section:

    "The findings are sorted by severity. This image’s base was pulled more than five years ago. Time is not kind to images — as vulnerabilities are discovered in components that existed at build time, they all accumulate here."

  5. In the Vulnerabilities section, click the double arrow next to CVE to sort by most recent:

    "Sorting by CVE number brings the most recently disclosed vulnerabilities to the top. This gives you a sense of how actively new findings are being associated with old components."

  6. Click on a Fixable, Critical CVE in the list, such as CVE-2025-6965:

    "This is a memory corruption flaw in SQLite. Under specific conditions, a query can be constructed where the number of aggregate terms exceeds the number of columns available, leading to memory corruption. It is ranked Critical with a CVSS score of 9.8, and it is fixable — a patched version exists."

  7. Point to the NVD and RHSA feed indicators:

    "RHACS surfaces both the standard NVD entry and Red Hat’s RHSA advisory for the same CVE. The RHSA feed provides Red Hat’s assessment of real-world exploitability, which helps teams prioritize more accurately than NVD scores alone."

  8. Scroll to the affected images section at the bottom:

    "This lower section shows every image in your environment that contains this CVE. If the vulnerability is in a base image layer, a single base image rebuild can eliminate it from all derived images at once. That is the leverage point for container security at scale."

What they should notice:

  • Image age is surfaced visually with a clear warning when CVE data is stale

  • The scanner identifies the exact layer and file path where the vulnerable component lives

  • NVD and RHSA feeds together provide a more complete picture than either alone

Presenter tip: The stale CVE data warning is a strong talking point with security teams. It highlights that end-of-life base images are not just a vulnerability management problem — they represent a gap where no future patches will arrive. The only resolution is a base image upgrade.
Image detail page for visa-processor showing stale CVE data warning and Critical CVE findings
Figure 2. Image details with stale CVE warning

Part 3: Risk and deployment context

Know

Context: A CVE in a running production deployment is a fundamentally different risk than the same CVE in an image sitting in a registry. RHACS accounts for this distinction by combining vulnerability data with deployment context to produce a risk-prioritized view.

Why vulnerability count alone is not a priority signal:

  • A critical CVE in a deployment that is not running in any cluster is theoretical risk

  • The same CVE in a deployment exposed to the internet with a privileged container is an imminent threat

  • Security teams that rank work by CVSS score alone end up spending time on findings that will never be exploited while high-probability targets go unaddressed

What RHACS factors into risk scoring:

  • Vulnerability severity and fixability in running deployments (not just images in a registry)

  • Deployment configuration: privileged containers, host network access, exposed ports

  • Service exposure: internal-only vs. externally reachable via a Route

  • Components useful for attackers: shells, network utilities, package managers, compilers present in the container

  • Runtime activity that deviates from the established baseline

The result:

A ranked list of deployments where the top entries represent the highest probability of a successful exploit, not just the highest CVE count. Security teams can use this list to direct remediation effort where it matters.

Show

What I say:

"The CVE list tells you what vulnerabilities exist. The Risk view tells you which ones you actually need to fix first. Let me show you how RHACS connects those two data sets."

What I do:

  1. From the CVE detail page, click the <#> Deployments button in the lower section:

    "These are the deployments running right now with containers from images containing this vulnerability. Being actively deployed is itself a risk factor. A vulnerability in a running production container in the Payments namespace is materially different from one sitting in an unused image."

  2. Point to the deployment details:

    "RHACS displays which cluster, which namespace, how many images are linked, and when the vulnerability was first observed in that deployment. This context is what a security team needs to make a prioritization decision."

  3. Click the expand arrow to the left of the webgoat deployment:

    "Expanding this entry shows the specific package, the version present, the fixed version, the CVSS score, and the exact path in the container filesystem where the vulnerable library lives. This is the information a developer needs to confirm the fix."

  4. Navigate to Risk from the left side menu.

  5. Point to the ranked deployment list:

    "This is the Risk view. Every deployment in every cluster and namespace, ranked by the likelihood that it will be successfully exploited. RHACS computes this score automatically using the factors I described — vulnerability data, deployment configuration, and runtime activity."

  6. Point to any deployments with a red dot:

    "Deployments with a red dot have runtime activity that could indicate a breach in progress. Those go to the top of your investigation queue."

  7. Click on the visa-processor deployment (number one in the list) to open Risk Indicators:

    "Let me walk through why this deployment is ranked first."

  8. Walk through the Risk Indicators tab:

    "It has serious, fixable vulnerabilities — that contributes to the score. But it also has network ports exposed outside the cluster, which makes it more likely to be attacked from outside. And it is running as a privileged container, which means a successful attacker can access the underlying host network and filesystem."

  9. Scroll to the bottom of the Risk Indicators panel:

    "Service Reachability shows how exposed this service is — whether traffic can reach it from outside the cluster. Components Useful for Attackers shows what tools an attacker could use after gaining a foothold: shells, network utilities, package managers. RHACS picks these up automatically from OpenShift with no manual configuration. This Risk report is available from the moment RHACS connects to your cluster."

What they should notice:

  • Risk is a composite score, not just a CVE count

  • Deployment configuration and service exposure are weighted equally with vulnerability severity

  • The ranked list gives security teams a prioritized queue, not an undifferentiated pile of findings

Presenter tip: The "Components Useful for Attackers" section is a strong point for security architects. It highlights that RHACS understands attacker techniques, not just CVE databases. Connecting this to MITRE ATT&CK frameworks (privilege escalation, lateral movement) resonates with mature security teams.
Risk view showing deployments ranked by risk score with visa-processor at the top
Figure 3. Risk-ranked deployment list
Risk Indicators panel for visa-processor showing service reachability and attacker components
Figure 4. Risk Indicators detail for visa-processor

Part 4: Process discovery and runtime activity

Know

Context: Build and deploy time analysis catches most security problems before they reach production. Runtime monitoring catches the problems that slipped through — and detects when an attacker is actively using a compromised container.

The container runtime advantage:

  • Containers have a constrained, predictable lifecycle. A payment service should run its application process and make database connections — nothing else.

  • That predictability is a security asset. Any deviation from the expected behavior is a meaningful signal.

  • Virtual machines run dozens of background processes and services by design, making behavioral baseline analysis impractical. Containers make it tractable.

What RHACS builds at runtime:

  • A process baseline for each deployment: every executable observed running in every pod

  • A network baseline: every connection observed between deployments

  • Deviation tracking: any process or connection that falls outside the baseline is flagged as anomalous

What this enables:

  • Detecting attacker tooling in a compromised container: a shell being spawned, a package manager executing, a network scanner running

  • Turning a runtime incident into a policy: "this should never happen in production" becomes an enforcement rule, not just a one-time alert

Show

What I say:

"Even a perfectly configured deployment can be compromised at runtime. RHACS continuously monitors process activity inside your pods and builds a behavioral baseline. Let me show you what that looks like."

What I do:

  1. From the visa-processor Risk detail pane, click the Process Discovery tab.

  2. Point to the process activity list:

    "This shows every process RHACS has observed running inside this deployment since monitoring began. This is the behavioral baseline. Any new process that does not appear here will be flagged as anomalous."

  3. Click the Event Timeline header bar near the top of the section (labeled View Graph):

    "The Event Timeline is a little hard to find — it is the header bar with 'View Graph' in the label, near the top of the Process Discovery section."

  4. When the Event Timeline pop-up appears, point to the timeline:

    "This shows process activity per pod over time. Each marker represents a process execution event. A healthy container should show a brief spike at startup and then settle into a very small, stable set of processes. Anything unusual after that startup window stands out immediately."

  5. Click on the squares or circles in the timeline to show process detail:

    "Clicking an event shows the process name, the timestamp, the UID it ran as, and the container ID. This is forensic data — the who, what, when, and where that incident response needs."

  6. Close the Event Timeline pop-up by clicking outside it.

  7. Navigate to the Risk page and click in the Filters bar at the top.

  8. Start typing Process Name and select that key, then enter bash and press Enter:

    "Five deployments in production have been seen running bash. That is not necessarily a breach, but it is worth investigating. Which of those processes were interactive shells? Which were scripted? RHACS gives you the data to answer that."

  9. Point to the Create Policy button in the upper right:

    "Once you have identified criteria that matters — like bash execution in production payment services — you can create a policy directly from this filter. That policy then runs continuously. RHACS will automatically flag any new deployment that matches, and you can configure it to notify your team or enforce a block."

What they should notice:

  • Runtime monitoring requires no instrumentation — RHACS collects process data automatically via the sensor

  • The event timeline provides a forensic record, not just a current state snapshot

  • Search filters can be converted directly into enforcement policies, closing the loop between detection and prevention

Presenter tip: The policy-from-filter capability often gets a strong reaction from security engineers. It demonstrates that RHACS treats runtime incidents as a feedback mechanism for improving security posture going forward, not just a stream of alerts to manage.

Transition: Now that we have seen how RHACS surfaces and prioritizes vulnerabilities at the image, deployment, and runtime level, we will move to Compliance — how RHACS maps all of this activity to specific controls in standards like PCI-DSS, HIPAA, and CIS.
Process Discovery Event Timeline showing pod process activity with anomalous events marked
Figure 5. Event Timeline in Process Discovery tab

Assets needed

  1. content/modules/ROOT/assets/images/02-vuln-results-overview.png — Vulnerability Results page with default Critical/Important fixable filters active

  2. content/modules/ROOT/assets/images/02-image-details-visa-processor.png — visa-processor image detail showing stale CVE data warning and severity breakdown

  3. content/modules/ROOT/assets/images/02-risk-ranked-deployments.png — Risk view with deployments ranked by score, visa-processor at top

  4. content/modules/ROOT/assets/images/02-risk-indicators-visa-processor.png — Risk Indicators panel showing service reachability and attacker components

  5. content/modules/ROOT/assets/images/02-process-discovery-timeline.png — Event Timeline pop-up showing pod process activity over time