Is Rocky OK enough to use on a government project in terms of security?
Yes, it is used in US government spaces already.
I heard that Rocky is CentOS’s successor.
It was started by the same person, depending on your interpretation of CentOS history. People debate that, and to be honest it’s a waste of time because it doesn’t matter. However, Rocky Linux, Oracle Linux, and SuSE Liberty are the only distros that have retained the same goal as the original CentOS (bug-for-bug compatibility). Alma’s another option, but their goal has changed to be just ABI compatible (which CentOS Stream purportedly already is).
Does it have a critical security vulnerability?
Not that we’re aware of. All software has vulnerabilities; it’s just a matter of time before they’re discovered.
You guys may feel these questions are kind of abstract and vague, then could you tell me community about Rocky Linux helping solve my question?
You can download the source packages themselves in the neighboring repositories.
You can view all repositories at Index of /pub/rocky/ - Just pick the version you’re after (8 or 9 for example), pick a repository, and find the source directory.
On the command line on an installed Rocky Linux system, you can use dnf download.