Feature
Resolution: Unresolved
Product / Portfolio Work
Goal Summary:
Enhance Red Hat ACS's ability to provide accurate and actionable vulnerability insights by incorporating deep runtime execution analysis.
Background:
Currently, ACS alerts about "thousands of vulnerabilities every scan". Traditional security scanning tools identify vulnerabilities based on libraries that are installed or loaded into memory. Customers still face "many false positives" and have to "go one by one manually" through these alerts. Only a subset of the loaded libraries is actually executed at runtime.
This feature proposes implementing a mechanism, likely leveraging eBPF-based kernel-level tracing, to gain visibility into which specific functions, libraries, or pieces of code are actually executed within a running workload. By correlating vulnerability findings (from static scans) with this real-time execution data, ACS can distinguish between vulnerabilities in code that is merely installed or loaded and vulnerabilities in code that is actively being run.
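As an added illustration of the correlation step described above (example code, not ACS/StackRox code), the script below takes a constructed static scan, a constructed set of shared objects mapped into a process, and a constructed set of objects a tracer reported as executed, and ranks each finding as executed, loaded, or installed-only. Package names, file paths and CVE ids are placeholders.

```python
"""Correlate static vulnerability findings with runtime execution evidence."""
from dataclasses import dataclass, field

RANK = {"executed": 0, "loaded": 1, "installed": 2}  # lower = higher priority


@dataclass
class Finding:
    cve: str
    package: str
    exposure: str  # strongest runtime evidence seen for the package's files
    evidence: list = field(default_factory=list)  # files backing that exposure


# Constructed inputs (not real scanner or tracer output; ids are placeholders).
STATIC_SCAN = {
    "openssl": {"files": {"/usr/lib/libssl.so.3", "/usr/lib/libcrypto.so.3"},
                "cves": ["CVE-PLACEHOLDER-1"]},
    "zlib": {"files": {"/usr/lib/libz.so.1"}, "cves": ["CVE-PLACEHOLDER-2"]},
    "curl": {"files": {"/usr/lib/libcurl.so.4"}, "cves": ["CVE-PLACEHOLDER-3"]},
}
LOADED = {"/usr/lib/libssl.so.3", "/usr/lib/libcrypto.so.3", "/usr/lib/libz.so.1"}
EXECUTED = {"/usr/lib/libcrypto.so.3"}  # objects whose code the tracer saw run


def exposure_of(files, loaded, executed):
    """Strongest evidence across a package's files: executed > loaded > installed."""
    if files & executed:
        return "executed", sorted(files & executed)
    if files & loaded:
        return "loaded", sorted(files & loaded)
    return "installed", []


def classify(static_scan, loaded, executed):
    findings = []
    for pkg, info in static_scan.items():
        exposure, evidence = exposure_of(info["files"], loaded, executed)
        for cve in info["cves"]:
            findings.append(Finding(cve, pkg, exposure, evidence))
    # Executed code first. Not seeing execution only covers the observation
    # window, so lower tiers are deprioritized, never dropped.
    return sorted(findings, key=lambda f: (RANK[f.exposure], f.package, f.cve))


def summarize(findings):
    counts = {tier: 0 for tier in RANK}
    for f in findings:
        counts[f.exposure] += 1
    return counts


if __name__ == "__main__":
    for f in classify(STATIC_SCAN, LOADED, EXECUTED):
        print(f"{f.exposure:9} {f.cve} ({f.package}) evidence={f.evidence}")
```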
Goals and expected user outcomes:
- As a Developer, Security Analyst, Platform Engineer, or CISO, I want Red Hat ACS to accurately identify and prioritize vulnerabilities based on whether the vulnerable code is actively executed at runtime, so that I can reduce alert fatigue, eliminate false positives, and efficiently focus on the most impactful and exploitable security risks, leading to improved security posture and more effective resource allocation.
Relates to:
- ROX-29549 [Discovery] Advanced Process baselining drift (New)