The customer is requesting a flag on container images with CVEs when those images are provided by Red Hat as part of OpenShift and certified operators. That way there is a clear differentiation between container images that are specific to users only and the platform/node/k8s/operator bits that are required to keep the cluster functional.
The customer wants to be able to quickly identify whether an image is part of OpenShift or a Red Hat certified operator, versus a user workload. They claim that this would enable better processing and identification once a vulnerability appears, i.e. is Red Hat on the hook for this CVE, or is a user?