Red Hat Trusted Application Pipeline
Shift security left in the software supply chain
Get started with Red Hat Trusted Application PipelineContact Us
Catch vulnerabilities early with a self-serve developer experience imbued with the organization’s security practices, for distributed teams to comply with security and compliance requirements. Development teams leverage solution templates with integrated security checks to standardize and expedite security-focused golden paths with Red Hat Trusted Application Pipeline. Remove toil in finding and fixing vulnerabilities early. Increase security posture in the CI/CD pipeline with an automated chain of trust that verifies compliance are met.
Red Hat Trusted Application Pipeline validates artifacts signatures, provenance, and attestations to stop suspicious build activity from being promoted.
Red Hat Trusted Application Pipeline is generally available now
Start curating your own trusted content and increase the security posture in your pipelines. With Red Hat Trusted Application Pipeline, increase transparency and trust early in code-time while safeguarding the build systems from a self-serve developer hub:
Standardized security-focused golden paths that removes cognitive load to increase developer confidence for ever-evolving security threats.
Simplify vulnerability management for teams to find and fix issues early without the rework at production and increase service reliability.
Increase trustworthiness of artifacts to tamper-proof code in software delivery for a chain of custody that ensures software supply chain integrity.
Verify pipeline compliance with automated provenance and attestation that prevents suspicious activity from being promoted to improve resiliency.
Automatically index and analyze newly pushed images against vulnerability databases, to report on the latest CVEs in real-time and minimize operational risk.
Employ Kubernetes-native security controls to enforce security policies for declarative and continuous security that provides for more predictable delivery.
Red Hat Trusted Application Pipeline performs numerous checks on your software artifacts and predefined dependencies for CVEs just as code is written. We also prevent source code injection and image poisoning in your build system each time when pull requests are triggered to merge code for new builds. This means, you can:
Save developer time and reduce cognitive load using customizable, validated templates with integrated safeguards to stay compliant with security requirements. Expedite onboarding of security workflows from a centralized, self-managed software catalog backed by an extensive ecosystem of plugins, modular extensions to stay focused on building and shipping code faster.
Prevent and identify malicious code early with dependency analytics that scans software components for vulnerabilities directly from the IDE, to map and evaluate the impact radius of security threats. Generate and manage SBOMs and VEXs stored in a system of record, to index and query security documentation for actionable insights and recommendations.
Safeguard build systems from poisoned pipelines with an automated chain of trust for each pull request that validates artifact signatures, attestations and confirms on the expected build process. Enterprise contracts integrated with cryptographic verification tools, enforces security policies based on SLSA requirements, to continuously deploy to an auditable, immutable state.
Tamper-proof software artifacts with digital signatures at every step of the CI/CD workflow through a keyless management system. Enhance transparency and accountability with OpenID Connect integrations for identity-based signing backed by auditable transparency logs from an immutable ledger that’s shared, for stronger software supply chain integrity, authenticity.
Constantly analyze images in storage for the latest vulnerabilities to mitigate security risks before releasing images into production. Securely store and share the use of containerized software to development and production from a container registry platform that’s seamlessly integrated into the build system. Distribute Open Container Initiative content including application signatures, SLSA attestations and software bill of materials (ie .sig, .att, .sbom) - all from a trusted image registry.
Continuously monitor the build environment with vulnerability scanning and policy checking directly from the CI/CD pipeline - no package managers, no wget required. Deliver a robust supply chain security with comprehensive monitoring and threat detection capabilities that proactively identify and mitigate vulnerabilities to ensure the integrity and security of containerized application workload and their Kubernetes environments.
Integrations
Red Hat Trusted Application Pipeline offers flexibility and choice to customers for these self managed, on-premise capabilities to be easily layered onto application platforms like Red Hat OpenShift, or be consumed in parts to meet their developers where they are. Parts such as Red Hat Developer Hub, Red Hat Trusted Profile Analyzer, Red Hat Trusted Artifact Signer that can be sold separately.
Red Hat Developer Hub enhances developer onboarding speed, productivity, and collaboration through an open platform, while reducing cognitive load and frustration for engineering organizations.
Red Hat Trusted Profile Analyzer offers actionable insights from software assets’ security documentation, helping development teams build security into their applications without increasing operational complexity.
Red Hat Trusted Artifact Signer provides tools for digital signature creation and validation to protect the authenticity and integrity of software artifacts across the software supply chain.
Red Hat OpenShift is an enterprise-ready application platform with deployment and infrastructure options that support every application and environment, for development teams to build new applications and modernize existing ones.
Featured products
Red Hat Trusted Profile Analyzer
Track source code provenance and attestations for actionable insights as code is written to avoid the rework and complexity of fixing issues in production.
Red Hat Trusted Software Supply Chain
Consistently code, build, and monitor for a trusted software supply chain across any environment, for faster time to value with automated security guardrails. Try out this service preview.
Red Hat Trusted Artifact Signer
Increase trustworthiness of your software artifacts moving through the supply chain with the use of digital signatures and validation that’s shared across a keyless certificate authority.
Red Hat Developer Hub
An enterprise-grade, open developer platform for building developer portals,
containing a supported and opinionated framework.
Featured resources
Red Hat Trusted Software Supply Chain
White paper: Tackling CI/CD Security Anti-Patterns
Analyst brief: Getting started with CI/CD Pipeline Security
A blueprint for supply chain security
Latest security articles
Supply Chain Security? Hey, I’m a developer—why should I care?
Apr 18, 2024
Red Hat Trusted Software Supply Chain is now available
Discover how Red Hat Trusted Software Supply Chain makes it easier to create,...
Apr 15, 2024
Red Hat build of Keycloak high availability: A simplified approach
Explore a highly available (or fault tolerant) Keycloak solution that you can...
Apr 01, 2024
Secure JBoss EAP apps with Microsoft Entra ID & OpenID Connect
Learn how to secure a simple JBoss EAP 8.0 web application with Microsoft...
