Upcoming Change to Red Hat Repository Detection and Vulnerability Coverage

Saeed Abbasi

Update – This change is now live and available. The updated Red Hat repository detection is included in vulnerability signatures release VULNSIGS-2.6.476-2.

We are updating our Red Hat detection libraries to improve coverage on systems that use custom or non-standard repositories. This change may result in an increase in reported Red Hat vulnerabilities on some assets where custom repos are in use.

What is changing?
As part of our Red Hat scanner certification, we recently aligned our detection logic to rely primarily on standard Red Hat repository identifiers and naming conventions. While this works well for environments that strictly follow Red Hat’s standards, we have observed that customers with custom repository configurations can experience under-reporting of vulnerabilities.

To address this, we are introducing a fallback mechanism:

  1. The scanner will first look for standard Red Hat repositories as defined in Red Hat’s official documentation and guidelines.
  2. If no standard repos are found, the scanner will automatically fall back to the Qualys custom logic, which inspects repository details to identify a special channel (such as EUS/E4S/AUS/TUS).
  3. If no special channel can be inferred, the scanner treats the system as a main/base channel and applies regular Red Hat advisories.

Impact you may see:

On Red Hat systems using custom or non-standard repos, you may observe:

  • A bump in vulnerability detections
  • In some edge cases, the fallback logic may fail to accurately distinguish between special subscription channels (EUS, E4S, AUS, TUS) and user-defined repository configurations, resulting in the system being mapped to the main or base channel.

Recommended Actions for Accurate Detections

To ensure accurate scans, the scanner must be able to identify the official vendor repository ID.

Use Official Repo IDs

  • When mirroring, keep the original repo configuration

Or:

Use Both IDs

  • If you use a custom repo configuration, you must add a second .repo file or entry with the original/official repo configuration.
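
To see ahead of a scan which path a host's repo configuration would take through the three-step order under "What is changing?", and whether it already carries an official repo ID as recommended here, the following added example (not Qualys code and not the scanner's actual logic) classifies the enabled sections of a `.repo` file. The ID pattern, the fields inspected in the fallback step, and the sample repo definitions are assumptions constructed for illustration.

```python
import configparser
import re

# Assumed pattern for RHEL 8+ style CDN repo IDs, e.g. rhel-9-for-x86_64-baseos-rpms
# or rhel-8-for-x86_64-appstream-eus-rpms. RHEL 7 style IDs are not covered.
OFFICIAL_ID = re.compile(
    r"^rhel-(?P<major>\d+)-for-(?P<arch>[a-z0-9_]+)-(?P<repo>[a-z]+(?:-[a-z]+)*?)"
    r"(?:-(?P<channel>eus|e4s|aus|tus))?(?:-(?:debug|source))?-rpms$"
)
# Channel token delimited by non-alphanumerics, so "status" does not match "tus".
CHANNEL_HINT = re.compile(r"(?<![a-z0-9])(eus|e4s|aus|tus)(?![a-z0-9])", re.I)

# Constructed samples: an official EUS entry and a renamed internal mirror.
OFFICIAL_SAMPLE = """[rhel-8-for-x86_64-baseos-eus-rpms]
name = Red Hat Enterprise Linux 8 for x86_64 - BaseOS - Extended Update Support (RPMs)
baseurl = https://cdn.redhat.com/content/eus/rhel8/$releasever/x86_64/baseos/os
"""
CUSTOM_SAMPLE = """[corp-mirror-baseos]
name = Corp mirror BaseOS
baseurl = https://mirror.example.internal/rhel8/eus/baseos
"""


def enabled_repos(repo_text):
    """Return {repo_id: options} for the enabled sections of one .repo file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(repo_text)
    return {s: dict(cp[s]) for s in cp.sections()
            if cp[s].get("enabled", "1").strip() != "0"}


def classify(repos):
    """Apply the order: official ID, then inferred channel, then base."""
    matches = [m for m in map(OFFICIAL_ID.match, repos) if m]
    if matches:  # step 1: standard repository IDs are present
        channels = {m["channel"] for m in matches if m["channel"]}
        return "official", sorted(channels) or ["base"]
    hints = set()
    for rid, opts in repos.items():  # step 2: inspect repo details (assumed fields)
        text = " ".join([rid, opts.get("name", ""), opts.get("baseurl", "")])
        hints.update(h.lower() for h in CHANNEL_HINT.findall(text))
    # step 3: with no channel hint the host is treated as main/base
    return "fallback", sorted(hints) or ["base"]
```

A custom mirror whose ID, name and URL carry no channel token comes back as `("fallback", ["base"])` even if it actually serves EUS content, which is the edge case listed under "Impact you may see".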

Example: Official vs. Custom repo

Official Repo example:

Custom repo example — detection logic currently non-functional due to customization:

Timeline

  • The notification is being shared now so you can prepare.
  • The change is planned to be released in the week of November 21, 2025 (exact date will be published).