Establishing software supply chain security: Jenkins with Red Hat Trusted Artifact Signer and Red Hat Trusted Profile Analyzer

September 26, 2024
Akshar Kottuvada
Related topics: Security, Secure Coding
Related products: Red Hat Trusted Application Pipeline, Red Hat Trusted Artifact Signer, Red Hat Trusted Profile Analyzer, Red Hat Trusted Software Supply Chain

    The application development world is evolving rapidly, and it is critical that your software supply chain maintains a level of security that keeps pace with modern practices. Cybersecurity threats are becoming more complex by the day, so organizations need robust, integrated solutions in place to support the integrity and security of their software workloads in each phase of the software development lifecycle. To help answer this need, this post looks at the combination of Jenkins (CI/CD pipeline), Red Hat Trusted Artifact Signer, and Red Hat Trusted Profile Analyzer, an end-to-end combination that offers a new way to look at software supply chain security.

    The Challenge: A Vulnerable Supply Chain

    An organisation’s software supply chain has become the main target for cybercriminals. From exploiting vulnerabilities in open source components to tampering with artifacts in build systems, there are many potential attack vectors, and such attacks are very difficult to detect, usually being discovered only after the system has been compromised. Traditional security practices, while still relevant, are no longer enough on their own. Organizations need a more comprehensive, tightly integrated framework that applies security guardrails at each and every stage of the software development lifecycle.

    The Solution: Jenkins + Red Hat Trusted Artifact Signer + Red Hat Trusted Profile Analyzer

    By combining Red Hat's latest security tools, Red Hat Trusted Artifact Signer and Red Hat Trusted Profile Analyzer, with Jenkins, one of the world’s most popular CI/CD pipeline tools, we can create a software supply chain that maintains higher levels of security and transparency. Let's break down why this combination is so powerful and why you should take it seriously:

    1. Automation and Flexibility with Jenkins

    Jenkins, as a tool for Continuous Integration and Continuous Delivery (CI/CD), is widely adopted and backed by a large community and a strong reputation. It offers flexibility and an extensive plugin marketplace, making it an ideal tool for building pipelines with a stronger security posture. With Jenkins, you can:

    • Scale your CI/CD pipeline and resources as the project grows
    • Integrate a wide range of tools and services
    • Automate build, test, and deployment processes
    • Customize your pipeline to meet specific or industry-standard security requirements

    2. Ensuring Artifact Integrity with Red Hat Trusted Artifact Signer

    Red Hat Trusted Artifact Signer enhances software supply chain security by simplifying the cryptographic signing and verification of software artifacts, such as container images, binaries, and documents. Based on the open source Sigstore project, the solution provides:

    • Greater authenticity and integrity, by increasing trust in artifacts through auditable logs, secure signing mechanisms, and user identity verification that enhance the transparency and accountability of the software supply chain. Cryptographic signing provides integrity, non-repudiation, and authentication of artifacts.
    • Reduced complexity, by eliminating the need to maintain a key management system while still mitigating potential tampering with artifacts and containers. We provide identity-based signing through our integration with OpenID Connect (OIDC), which also allows easy integration with existing key management systems to authenticate and verify artifacts and containers.
    • Improved compliance, by meeting the signing-related criteria for achieving Supply Chain Levels for Software Artifacts (SLSA) standards. Provenance is generated automatically as part of the build process in Red Hat Trusted Application Pipeline; enterprise contracts combine it with cryptographic signatures to establish a non-repudiable chain of custody and to verify that the pipeline meets industry requirements (SLSA).

    By incorporating Red Hat Trusted Artifact Signer into your Jenkins pipeline, you can have greater confidence that every artifact produced is cryptographically signed and verifiable.

    3. Vulnerability Management with Red Hat Trusted Profile Analyzer

    Red Hat Trusted Profile Analyzer, part of Red Hat Trusted Software Supply Chain, manages your organization’s SBOMs, vendor VEX documents, and CVE data, providing developers and DevSecOps teams with an analysis of the organization’s risk profile. This analysis covers custom, third-party, and open source software and software components, giving a shared system of record without slowing down development or increasing operational complexity. As a productized version of Red Hat's open source Trustification project, the offering enables you to:

    • Build greater trust in your application’s codebase: More quickly access vulnerability fixes and trusted, verified content without diverting your attention from building code. Choose the right dependencies for your source code and verify that possible threats are not left unchecked.
    • Get valuable insights and recommendations: Easily identify direct and transitive dependencies, monitor exploitable vulnerabilities, and create an incident response framework to limit security incidents in your production workloads.
    • Save and retrieve your security documentation: More easily share security documentation (SBOM, VEX) for your source code, artifacts, and container images across the organization to help confirm that the right, verified components are used in your application codebase.

    By integrating Red Hat Trusted Profile Analyzer into your Jenkins pipeline, you can gain real-time insights into the vulnerabilities in your open source packages and components. 
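As an added illustration of the SBOM and VEX reconciliation this section describes (example code, not part of the original post and not Red Hat Trusted Profile Analyzer's own code), the following Python walks a minimal CycloneDX-style SBOM dependency graph to classify each scanner finding as direct or transitive, and drops findings that a VEX statement marks as not affected. The component refs, dependency graph, CVE ids and VEX statements are all constructed placeholders.

```python
"""Reconcile scanner findings against an SBOM and a VEX document (constructed example)."""
from collections import deque

# Component refs (constructed purls) used throughout.
APP, WEB, JSON, LOG = ("pkg:maven/org.example/app@1.0.0", "pkg:maven/org.example/web@2.3.1",
                       "pkg:maven/org.example/json@4.0.2", "pkg:maven/org.example/log@1.2.0")
# Constructed CycloneDX-style SBOM: app depends on web and json; web pulls in log transitively.
SBOM = {"dependencies": [{"ref": APP, "dependsOn": [WEB, JSON]},
                         {"ref": WEB, "dependsOn": [LOG]}]}
# Constructed raw findings (CVE id, affected component); the CVE ids are placeholders.
FINDINGS = [("CVE-0000-0001", WEB), ("CVE-0000-0002", LOG), ("CVE-0000-0003", JSON)]
# Constructed CycloneDX VEX: the vendor says web is not affected and json is exploitable; log has no statement.
VEX = {"vulnerabilities": [
    {"id": "CVE-0000-0001", "analysis": {"state": "not_affected"}, "affects": [{"ref": WEB}]},
    {"id": "CVE-0000-0003", "analysis": {"state": "exploitable"}, "affects": [{"ref": JSON}]},
]}
# CycloneDX analysis states under which a finding needs no further action.
SUPPRESSED = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

def dependency_depth(sbom, root):
    """BFS over the SBOM dependency graph: component ref -> hops from the root component."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depth, queue = {root: 0}, deque([root])
    while queue:
        cur = queue.popleft()
        for nxt in edges.get(cur, []):
            if nxt not in depth:
                depth[nxt] = depth[cur] + 1
                queue.append(nxt)
    return depth

def vex_state(vex, cve, ref):
    """Return the VEX analysis state covering (cve, ref), or None when no statement applies."""
    for v in vex.get("vulnerabilities", []):
        refs = {a["ref"] for a in v.get("affects", [])}
        if v["id"] == cve and (not refs or ref in refs):
            return v.get("analysis", {}).get("state", "in_triage")
    return None

def actionable(sbom, findings, vex, root):
    """Findings not suppressed by VEX, tagged direct/transitive so they can be prioritised."""
    depth = dependency_depth(sbom, root)
    result = []
    for cve, ref in findings:
        state = vex_state(vex, cve, ref)
        if state in SUPPRESSED:
            continue
        hops = depth.get(ref)
        kind = "unreachable" if hops is None else "direct" if hops <= 1 else "transitive"
        result.append((cve, ref, kind, state or "no VEX statement"))
    return sorted(result)
```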

    Real-World Impact

    The impact of implementing this integrated solution can be significant:

    • Reduced Risk: By enhancing the security of your entire supply chain, you can dramatically reduce the risk of successful attacks, protecting your organization's reputation and bottom line.
    • Faster Time-to-Market: With stronger security integrated into your CI/CD pipeline, you can catch and address issues earlier, potentially avoiding costly delays later in the development cycle.
    • Improved Compliance: The transparency and auditability provided by this solution make it easier to demonstrate compliance with various regulatory standards.
    • Enhanced Trust: Customers and partners can verify the integrity and provenance of your software, building trust in your products and services.
    • Cost Savings: By catching vulnerabilities early and automating security processes, you can significantly reduce the cost of addressing security issues.

    Don't wait for a security breach to highlight the vulnerabilities in your software supply chain. Take steps now to improve the security stance of your software development cycle and better protect your organization while also building trust with your customer base.

    For more details on this, follow this learning exercise. 

    Last updated: October 30, 2024
    Disclaimer: Please note the content in this blog post has not been thoroughly reviewed by the Red Hat Developer editorial team. Any opinions expressed in this post are the author's own and do not necessarily reflect the policies or positions of Red Hat.
