Summary

With this update, users will now have the ability to disable the requirement to consider the enabled yum updated repositories before proceeding to package version checks to determine vulnerability status for Red Hat Local Security Checks plugins.

This option can now be toggled on/off via the scan policy.To toggle this new feature in your scan policy, navigate to Settings > Advanced > Vulnerability Options and toggle "Disable RedHat repository correlations and strictly use package version checks" on/off as desired.

Background

To understand how Tenable's Red Hat Local Security Checks plugins currently work, please refer to the following document: How Red Hat Local Vulnerability Checks Use Repositories To Determine Scope.

Expected Impact

Users should potentially expect to see more Vulnerability findings in their scans when this option is enabled. This is expected because the plugins will no longer consider whether or not the target machine has the specified repository enabled to receive the fixed package(s). Instead, the plugins will only check that any version of the affected package is installed, and proceed straight to version comparison. Tenable's RPM package parsing libraries have extensive functionality to ensure package version checks are as accurate as possible, but due to the potential differences in epoch versions and package naming and versioning discrepancies between the different repositories, potential false positives are possible when this feature is enabled.

Affected Plugins

Red Hat Local Security Checks

Targeted Release Date

Thursday, February 5, 2026

Note, not all Red Hat Local Security Check plugins can avail of the this feature yet. Only plugins that have include("rpm2.inc") can use this new feature. There is work ongoing to bring all of these plugins up to date.