Security content is included as container images that the ProfileBundle objects refer to. To accurately track updates to ProfileBundles and the custom resources parsed from the bundles, such as rules or profiles, identify the container image with the compliance content using a digest instead of a tag:
$ oc -n openshift-compliance get profilebundles rhcos4 -oyaml
contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:900e... (1)
- lastTransitionTime: "2022-10-19T12:07:51Z"
  message: Profile bundle successfully parsed
(1) Security container image.
Each ProfileBundle is backed by a deployment. When the Compliance Operator detects that the container image digest has changed, the deployment is updated to reflect the change and parse the content again. Using the digest instead of a tag ensures that you use a stable and predictable set of profiles.
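The following is an added example, not part of the original documentation: a shell audit that flags ProfileBundles whose content image is referenced by tag, left untagged, or given with an incomplete digest. The function names, the `registry.example` registry and the all-zero digest are constructed for illustration, and the commented `oc` query assumes the image reference is stored in `.spec.contentImage`.

```shell
#!/bin/sh
# Classify one image reference:
#   digest            complete @sha256:<64 hex digits> pin
#   malformed-digest  has @sha256: but not followed by exactly 64 hex digits
#   tag / untagged    mutable reference (an untagged image resolves to :latest)
classify_image_ref() {
  ref=$1
  case "$ref" in
    *@sha256:*)
      hex=${ref##*@sha256:}
      if printf '%s' "$hex" | grep -Eq '^[0-9a-f]{64}$'; then
        echo digest
      else
        echo malformed-digest
      fi ;;
    *)
      last=${ref##*/}   # drop registry host (and its :port) and repository path
      case "$last" in
        *:*) echo tag ;;
        *)   echo untagged ;;
      esac ;;
  esac
}

# Read "name<TAB>contentImage" lines on stdin, print every bundle that is not
# digest-pinned, and return non-zero if any were found.
audit_bundles() {
  unpinned=0
  while IFS="$(printf '\t')" read -r name image; do
    [ -n "$name" ] || continue
    kind=$(classify_image_ref "$image")
    [ "$kind" = digest ] && continue
    printf '%s\t%s\t%s\n' "$name" "$kind" "$image"
    unpinned=$((unpinned + 1))
  done
  [ "$unpinned" -eq 0 ]
}

# Constructed sample input (hypothetical registry, all-zero digest).
sample_bundles() {
  d=$(printf '%064d' 0)
  printf 'rhcos4\tregistry.example/compliance/content@sha256:%s\n' "$d"
  printf 'ocp4\tregistry.example/compliance/content:latest\n'
  printf 'custom\tregistry.example:5000/compliance/content\n'
}

# On a cluster, feed real data instead (assumes the field is .spec.contentImage):
# oc -n openshift-compliance get profilebundles -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.contentImage}{"\n"}{end}' | audit_bundles
sample_bundles | audit_bundles || echo "unpinned content images found" >&2
```

A non-zero exit status from `audit_bundles` makes the check usable as a gate in a pipeline or a scheduled job.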