Red Hat Trusted Application Pipeline

Shift security left in the software supply chain

Get started with Red Hat Trusted Application Pipeline Contact us

Catch vulnerabilities early with a self-serve developer experience imbued with the organization’s security practices, for distributed teams to comply with security and compliance requirements. Development teams leverage solution templates with integrated security checks to standardize and expedite security-focused golden paths with Red Hat Trusted Application Pipeline. Remove toil in finding and fixing vulnerabilities early. Increase security posture in the CI/CD pipeline with an automated chain of trust that verifies compliance is met.

Red Hat Trusted Application Pipeline validates artifacts signatures, provenance, and attestations to stop suspicious build activity from being promoted.

Start curating your own trusted content and increase the security posture in your pipelines. With Red Hat Trusted Application Pipeline, increase transparency and trust early in code-time while safeguarding the build systems from a self-serve developer hub:

Red Hat Trusted Application Pipeline documentation

Developer confidence

Standardized security-focused golden paths that remove cognitive load to increase developer confidence for ever-evolving security threats.

Fix your issues

Simplify vulnerability management for teams to find and fix issues early without the rework at production and increase service reliability.

Increase trust

Increase trustworthiness of artifacts to tamper-proof code in software delivery for a chain of custody that ensures software supply chain integrity.

Verify compliance

Verify pipeline compliance with automated provenance and attestation that prevents suspicious activity from being promoted to improve resiliency.

Index images

Automatically index and analyze newly pushed images against vulnerability databases, to report on the latest CVEs in real time and minimize operational risk.

Kubernetes-native security

Employ Kubernetes-native security controls to enforce security policies for declarative and continuous security that provides for more predictable delivery.

Red Hat Trusted Application Pipeline features

Red Hat Trusted Application Pipeline performs numerous checks on your software artifacts and predefined dependencies for CVEs just as code is written. We also prevent source code injection and image poisoning in your build system each time when pull requests are triggered to merge code for new builds. This means you can:

Save time

Save developer time and reduce cognitive load using customizable, validated templates with integrated safeguards to stay compliant with security requirements. Expedite onboarding of security workflows from a centralized, self-managed software catalog backed by an extensive ecosystem of plugins, modular extensions to stay focused on building and shipping code faster.

Prevent malicious code

Prevent and identify malicious code early with dependency analytics that scans software components for vulnerabilities directly from the IDE, to map and evaluate the impact radius of security threats. Generate and manage SBOMs and VEXs stored in a system of record, to index and query security documentation for actionable insights and recommendations.

Safeguard systems

Safeguard build systems from poisoned pipelines with an automated chain of trust for each pull request that validates artifact signatures, attestations, and confirms on the expected build process. Enterprise contracts integrated with cryptographic verification tools, enforce security policies based on SLSA requirements, to continuously deploy to an auditable, immutable state.

Tamper-proof artifacts

Use tamper-proof software artifacts with digital signatures at every step of the CI/CD workflow through a keyless management system. Enhance transparency and accountability with OpenID Connect integrations for identity-based signing backed by auditable transparency logs from an immutable ledger that’s shared for stronger software supply chain integrity and authenticity.

Analyze images

Constantly analyze images in storage for the latest vulnerabilities to mitigate security risks before releasing images into production. Securely store and share the use of containerized software to development and production from a container registry platform that’s seamlessly integrated into the build system. Distribute Open Container Initiative content including application signatures, SLSA attestations and software bill of materials (ie .sig, .att, .sbom) - all from a trusted image registry.

Monitor your build

Continuously monitor the build environment with vulnerability scanning and policy checking directly from the CI/CD pipeline - no package managers, no wget required. Deliver a robust supply chain security with comprehensive monitoring and threat detection capabilities that proactively identify and mitigate vulnerabilities to ensure the integrity and security of containerized application workload and their Kubernetes environments.

Integrations

Red Hat Trusted Application Pipeline offers flexibility and choice to customers for these self managed, on-premise capabilities to be easily layered onto application platforms like Red Hat OpenShift, or be consumed in parts to meet their developers where they are. Parts such as Red Hat Developer Hub, Red Hat Trusted Profile Analyzer, Red Hat Trusted Artifact Signer that can be sold separately.