Feature
Resolution: Unresolved
Critical
Goal Summary:
Project Hummingbird images are built to be minimal, often lacking shells or package managers (e.g., rpm). This feature enables Clair and RHACS to scan these images and cross-reference them with Red Hat's VEX metadata.
Goals and expected user outcomes:
Implement integrated scanning in RHACS and Clair to validate the "Zero-CVE" status of Project Hummingbird images and provide continuous monitoring against new vulnerability discoveries.
Acceptance Criteria:
A list of specific needs or objectives that a feature must deliver in order to be considered complete. Be sure to include nonfunctional requirements such as security, reliability, performance, maintainability, scalability, usability, etc. Initial completion during Refinement status.
[enter _general_ Feature acceptance here]
Success Criteria or KPIs measured:
A list of specific, measurable criteria that will be used to determine if the feature is successful. Include key performance indicators (KPIs) or other metrics, etc. Initial completion during Refinement status.
[enter success criteria and/or KPIs here]
Out of Scope:
- Third-Party Distroless: This feature does not provide "Zero-CVE" certification for Google Distroless or Chainguard images (though they are scanned via standard SBOM logic).
- Remediation Suggestion: RHACS will identify the need for a patch, but it will not automatically rebuild the container image.
- Legacy Scanners: This feature is only supported on RHACS Scanner V4 (ClairCore-based).
relates to:
- CLAIRDEV-227 Path detection missing some executables in RPM origin logic (In Progress)
- CLAIRDEV-228 Test hummingbird images can match to associated VEX advisories (To Do)