Description of problem: We do have the security profile for RHEL RPM-based content only. The scan should reflect this. Don't let the scan mark images as compliant for non-RHEL-based images. It needs to be obvious in CF that this scan does not make sense.
This is in regard to the OpenSCAP container scanning feature with OpenShift 3.5. I did use a CentOS-based ruby s2i application by accident and it found no vulnerabilities, as there was no OpenSCAP info available.
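The requested behaviour can be sketched as a gate in front of the scan result; this is an added example, not CloudForms or OpenSCAP code. It assumes the scanner can read the image's `/etc/os-release` and produces a list of failed rule ids; `SUPPORTED_IDS`, `scan_verdict` and the sample data are hypothetical names and constructed values.

```python
import shlex

# Assumption: the available security profile covers only this os-release ID.
SUPPORTED_IDS = {"rhel"}

def parse_os_release(text):
    """Parse /etc/os-release content (KEY=value, shell-style quoting) into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        try:
            parts = shlex.split(raw)
        except ValueError:  # unbalanced quotes: treat the field as unreadable
            continue
        fields[key.strip()] = parts[0] if parts else ""
    return fields

def scan_verdict(os_release_text, failed_rules):
    """Return 'not_applicable', 'non_compliant' or 'compliant'.

    An empty failed_rules list only means 'compliant' when the profile
    actually applies to the image's operating system.
    """
    if os_release_text is None:  # no os-release in the image: cannot assess
        return "not_applicable"
    os_id = parse_os_release(os_release_text).get("ID", "").lower()
    # Match on ID only. CentOS declares ID_LIKE="rhel fedora", so accepting
    # ID_LIKE would bring back the false "compliant" result.
    if os_id not in SUPPORTED_IDS:
        return "not_applicable"
    return "non_compliant" if failed_rules else "compliant"

# Constructed sample inputs.
RHEL = 'NAME="Red Hat Enterprise Linux Server"\nID="rhel"\nVERSION_ID="7.3"\n'
CENTOS = 'NAME="CentOS Linux"\nID="centos"\nID_LIKE="rhel fedora"\nVERSION_ID="7"\n'

if __name__ == "__main__":
    for name, text in (("rhel", RHEL), ("centos", CENTOS), ("no os-release", None)):
        print(name, "->", scan_verdict(text, []))
```
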